In the wake of a data breach, companies must navigate a host of legal, risk, and reputational landmines. However, perhaps nothing influences liability—and drives the appetite of public and private enforcers—more than the first external communication that a company makes about a cyber incident.
For example, offering credit-monitoring and identity-protection services in the wake of a breach has become standard playbook practice. Indeed, consumers and employees often expect these types of services, regardless of the nature or scope of the information that was compromised. This can create tension between legal counsel who are concerned about litigation risk and business/communications professionals who want to protect brand loyalty and demonstrate the company’s commitment to customers or employees.
Interestingly, the mere offering of these services may send an unintended signal—for example, where the breach involves data such as medical information rather than Social Security numbers or other data used for identity theft. In that situation, a company may face questions such as: “Was more data compromised than the company reported?” “Does the company have evidence of identity theft attributable to the breach?” or “Are consumers at real risk of identity theft?” This is not to say the scales should tip in favor of forgoing a credit-monitoring remedy. However, a string of cases over the past several years should prompt lawyers to spend more time with their corporate communications colleagues.
- In upholding the plaintiffs’ standing to sue, the Seventh Circuit in Neiman Marcus[1] specifically cited the company’s offer of one year of credit monitoring and identity theft protection to all customers for whom it had contact information and who had shopped at its stores between January 2013 and January 2014. According to the court, it was “unlikely that it did so because the risk is so ephemeral that it can safely be disregarded,” noting that “these credit monitoring services come at a price that is more than de minimis.”[2] In other words, the court effectively treated Neiman Marcus’s decision to broadly offer free credit monitoring as a concession that plaintiffs faced a nonspeculative and imminent risk of harm, which warranted their mitigation expenses.
- In the P.F. Chang’s[3] case, the Seventh Circuit likewise pointed to what it described as an “implicit” admission that the compromised card data could be used to open new cards, because P.F. Chang’s “encouraged consumers to monitor their credit reports (in part for new-account activity) rather than simply the statements for existing affected cards.”[4] Thus, the company’s cautionary reminder to monitor credit reports—a statement that many states statutorily require companies to include in breach notifications—rendered the plaintiffs’ purchase of a credit-monitoring service and their efforts to guard against identity theft reasonable mitigation expenses sufficient for standing purposes.
- In Nationwide Mutual Insurance,[5] the Sixth Circuit relied, in part, on Nationwide’s offer to provide credit monitoring as evidence that the plaintiffs’ mitigation expenses were reasonable for standing purposes. But the court further noted that Nationwide had recommended that consumers consider placing a freeze on their credit reports, while explaining that such freezes could impede the ability to obtain credit and that placing and removing them could cost between $5 and $20. Notwithstanding that some states (e.g., Massachusetts) require companies to advise consumers about the availability of a credit freeze, the Sixth Circuit, in ruling for the plaintiffs, pointed to Nationwide’s credit freeze advice, the associated costs, and Nationwide’s failure to offer to cover those costs.
This is not to say that lawyers should ring alarm bells over post-breach notifications. Rather, in our experience, early brainstorming, sharing of case law (such as the cases mentioned above), and coordination can reduce the risk that breach notifications catch company stakeholders by surprise when those notifications are later quoted in legal briefs and court orders. In addition, we offer the following lessons learned, which can be included in every lawyer’s next discussion (hopefully over lunch) with her communications colleagues:
- Early Announcements Can Be Risky
The above cases serve as a cautionary tale against making public announcements regarding a security incident before the internal and forensic investigation is complete. To the extent that reputational and other considerations (e.g., leaks) demand early communications, organizations should be careful not to disseminate information too broadly (e.g., by sending an email alert to all employees about a potential security incident) and not to over-disclose to external stakeholders.
- One Size May Not Fit All for Precautionary Messages
It is critical to understand the nuances of the state-specific notification requirements. Many states (including Hawaii, Michigan, Missouri, North Carolina, Vermont, Virginia, and Wyoming) explicitly require that the reporting company include specific recommendations to consumers on risk mitigation, including encouragement to monitor credit reports. Notwithstanding the variations across state rules, a commonly accepted practice is for organizations to issue a standard notification that complies with substantially all of the states’ various requirements (except Massachusetts) and to supplement certain notifications based on state-specific requirements (e.g., instructions on contacting a specified state agency or regulator). This means that all of the various state-required language and disclosures are often provided to all individuals, even where not entirely applicable. Although such recommendations often reflect sound security practices that consumers should follow in any circumstance, organizations should recognize the litigation risk that risk-mitigation recommendations can create, and consider whether to provide them only to consumers whose state’s law explicitly requires it.
- Carefully Describe Protective Measures
Certain state statutes require disclosure of the measures taken to contain, mitigate, or minimize the incident. For example, Michigan directs that notifications “generally describe what the [company] providing the notice has done to protect data from further security breaches.”[6] Wyoming requires a description in general terms of “the actions taken by the individual or commercial entity to protect the system containing the personal identifying information from further breaches.”[7] Similar requirements exist in North Carolina, Vermont, Virginia, and elsewhere. However, these types of statements have been used to infer the scope of the individuals who were affected. Thus, although such descriptions are statutorily required, the cases above demonstrate why organizations should thoughtfully articulate the containment and remedial measures taken in response to an incident.
- Rigorously Analyze Voluntary Notifications
In our experience, even if a cyber incident does not technically trigger a notification requirement, companies often “voluntarily” notify affected parties. They do so for a host of different reasons. We see counsel’s role as helping stakeholders assess the pros and cons of voluntary notification through decision trees that account for both downside and upside (e.g., the likelihood that voluntary notice will enable customers to take meaningful self-help steps).
This article has been published in PLI Current: The Journal of PLI Press, Vol. 3, No. 2 (Spring 2019), https://www.pli.edu/PLICurrent
A version of this article has been published in the Course Handbook for PLI’s Twentieth Annual Institute on Privacy and Data Security Law.
[1] Remijas v. Neiman Marcus Grp. LLC, 794 F.3d 688 (7th Cir. 2015).
[2] Id. at 694.
[3] Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016).
[4] Id. at 967.
[5] Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384 (6th Cir. 2016).
[6] Mich. Comp. Laws Ann. § 445.72(12)(6)(E).
[7] Wyo. Stat. Ann. § 40-12-502(E)(V).