U.S. Cybersecurity Laws – What German Companies Doing Business in the United States Should Know
German Practice Alert
November 7, 2019
As the number of cyberattacks continues to rise rapidly, companies must be prepared to address several legal issues related to cybersecurity and its regulatory framework. Because of the massive amount of information that companies process in electronic form and the significant costs that flow from data breaches, cybersecurity has become essential, and a breach may lead to sanctions by U.S. state or federal agencies, private litigation, or class actions, all generally associated with substantial costs.
State and Federal Regulation and Enforcement
Every U.S. jurisdiction has its own data breach notification laws requiring businesses to report security breaches involving personal information, and state laws are becoming increasingly comprehensive. New York has recently enacted some of the toughest cybersecurity and privacy and data protection laws in the country, modeled after the European Union’s General Data Protection Regulation and the California Consumer Protection Act (CCPA). Companies must identify which laws are applicable, taking into account that they can collect data from residents of multiple jurisdictions, including where they may not be operating. Although there is no comprehensive federal data privacy law yet, the Federal Trade Commission (FTC) and other federal agencies assert broad authority to regulate data security. The FTC has brought several enforcement actions resulting in injunction orders requiring private companies to safeguard sensitive data and to maintain comprehensive information security programs. Other government agencies that are authorized to pursue federal enforcement action concerning privacy and the protection of personal information include the Securities and Exchange Commission (SEC), Federal Communications Commission (FCC) and Consumer Financial Protection Bureau (CFPB).
For example, in April 2015, AT&T agreed to pay $25 million to settle an FCC investigation into consumer privacy violations, which involved the unauthorized disclosure of almost 280,000 customers’ names, Social Security numbers, and other protected account-related data.
In a different case, the CFPB fined an online payment processing company, Dwolla, Inc., $100,000 and secured a strict five-year consent order requiring the company to implement a written cybersecurity program, even though there had been no data breach or cybersecurity incident whatsoever. The Bureau based its enforcement action on the allegedly false and misleading statements Dwolla made about its data security practices.
In addition to the regulatory consequences mentioned above, breaches may lead to a variety of private lawsuits, from large class actions to those filed by a single individual. Employees and customers, but also credit card companies and other businesses, may bring individual or class action suits under breach of privacy, breach of contract, or breach of warranty theories, or for violations of federal or state statutes. The central question in these disputes is whether the plaintiffs can prove that they suffered actual injury. Despite the plaintiffs' burden to show concrete injury resulting from a breach, many cases survive motions to dismiss and frequently result in significant legal expenses and settlement costs for the defendants.
As an example of litigation involving a data breach, retailer Target faced a class action by financial institutions seeking damages for their expenses in connection with a malware data breach in 2013 that exposed the payment card data of millions of customers. Eventually, Target agreed to pay $39 million and separately settled with Visa for $67 million. Arising from the same breach, Target also reached a settlement with individual consumer plaintiffs for $10 million, and it had to take steps to minimize the risk of a future breach and to develop a written security policy.
In another example, Yahoo agreed to pay $85 million to a class of approximately 200 million users affected by its breaches in 2013 and 2014, and it separately agreed to pay another $80 million to shareholders to settle their claims that it had misled investors by failing to disclose the breaches to the public.
The risk of litigation, regulatory action, and other consequences should prompt companies to address information security issues on their networks. Once a compliance plan is implemented, a company should monitor its cybersecurity procedures and mechanisms regularly. A system should be in place to report breaches or potential breaches promptly up the chain of command, so that compliance personnel and responsible management can take swift action in the event of a breach.