As 2013 comes to an end, it is worth noting that reporting of data breaches this year reached a record high and included a number of high-profile incidents targeting such diverse entities as grocery chain Schnuck Markets, health care provider Kaiser Permanente, Yahoo and LexisNexis. More significantly, 2013 appears to have witnessed an uptick in the number of significant lawsuits being brought by customers against companies whose security systems have been hacked, compromising personally identifiable information (PII) collected and stored by them. Two notable cases, which deserve to be followed closely next year, are putative class actions filed in the last quarter of 2013 in California federal court by customers against software maker Adobe Systems and big-box retailer Target Corporation. The ultimate resolution of these cases has implications on a global scale: They should certainly be followed by any foreign companies doing business in the U.S. and collecting PII from U.S. residents; moreover, many U.S. companies that collect PII from residents of the European Union seek and obtain Safe Harbor certification. This requires filing with the Department of Commerce, and posting, a Safe Harbor Privacy Policy, which supplements U.S. companies’ regular privacy policies and which must include security-related statements. These statements may, as in the case of the Adobe action, become an important feature of a lawsuit following a security breach.
In the Adobe action, filed in November, a customer and California resident accused Adobe of failing to put in place adequate security measures to guard sensitive PII, which failure resulted in a security breach in October of this year compromising credit and debit card records and affecting 38 million customers. The complaint emphasizes that the General Terms of Use and the EULAs for Adobe software products incorporate Adobe’s Privacy Policy as a term of the contract, and that the Privacy Policy includes a statement that Adobe will “provide reasonable administrative, technical, and physical security controls” to protect PII. The complaint further notes the statement in Adobe’s Safe Harbor Privacy Policy that Adobe uses reasonable physical, electronic and administrative safeguards to protect its customers’ PII from loss, misuse, unauthorized access, disclosure, alteration or destruction. According to the complaint, these statements form part of Adobe’s obligations under contracts with its customers that were breached by the company’s shoddy security practices.
The complaint against Adobe also alleges that the company violated the California Data Breach Act by failing to provide adequate notification of the security breach, as well as the California Online Privacy Protection Act, which prohibits any company whose website or online service collects PII from California residents from negligently or materially breaching its own posted privacy policy. The complaint further alleges violations of California’s unfair competition laws and breaches of the covenant of good faith and fair dealing. The complaint requests various remedies, including actual, statutory and punitive damages.
The putative class action against Target was filed in California federal court in the last month of this year. The complaint was filed only hours after Target disclosed that hackers compromised PII, including names and credit and debit card information, of approximately 40 million customers. As in the Adobe case, the complaint against Target alleges the company violated state unfair competition laws and data breach reporting laws, as well as the plaintiff’s common-law privacy rights.
As the Adobe and Target cases move forward in 2014, they may shed light on a number of significant issues, most importantly, the specific nature and level of security protection that companies must provide in order to comply with applicable statutory standards (often couched in general and vague terms) and to stay ahead of the ever-increasing sophistication of hackers. These cases will also clarify issues related to California’s Online Privacy Protection and Data Breach Acts – statutes that, given the size of the California market and the global nature of online commerce, may impact companies everywhere. They will also put to the test creative damages theories intended to overcome past difficulties in maintaining data breach claims. We will be following both cases closely in 2014 and commenting on developments. Stay tuned.
Contact Ivan Rothman for further information.