The Blame Game: Cybersecurity Edition
Predicting verdicts in data-breach litigation
This edition of The Blame Game addresses a topic that is evolving rapidly. Protections for personal data and consumer demand for safeguards are in the news every day. Also frequently in the news are stories about breaches, ransomware attacks, and other cyber-related problems. There are multiple ways that cybersecurity issues can result in claims: data breaches, HIPAA (Health Insurance Portability and Accountability Act) breaches, ransomware, disruptionware, and more.
As these issues take center stage, we are likely to see an increasing number of claims result in jury trials. At this point in time, we are much more likely to see settlements than verdict reports. The reasons are obvious—the claims have high exposure, and trial, let alone a jury trial, is excessively risky in a day and age where both government and consumers are demanding more protections, and are increasingly critical of companies that fail to protect private data.
With all of this in mind, below are summaries of three cybersecurity cases that include as much detail as could be obtained from jury verdicts and news reports concerning liability and damages. As each case is reviewed, consider the probable outcomes. Alonzo Johnson, manager, risk management & liability, for the city of North Las Vegas, will chip in and share his assessment of the outcome of each case before the actual verdict is revealed. Let’s play The Blame Game: Cybersecurity Edition!
Case One: Unauthorized Marketing in Oregon
Our first case involves the use of technology in telephone sales. The plaintiff brought suit against a company that marketed weight-loss products, dietary supplements, and energy drinks. The plaintiff alleged that the company engaged in a marketing program consisting of calling phone numbers on the Do Not Call Registry and placing “robo” calls with pre-recorded messages, all without prior express consent.
The plaintiff sought to certify three classes, including a “do-not-call class,” a “robo-call class,” and an “Oregon stop-calling class,” based on allegations of violations of state law. The lawsuit centered on alleged violations of the federal Telephone Consumer Protection Act (TCPA), which makes certain telecommunications unlawful—including telemarketing calls made without consent—to cell phones and residential land lines using artificial or pre-recorded voices, and telemarketing calls made without consent to cell phones using an automatic dial-in system, among other things.
The TCPA creates a private right-of-action that allows plaintiffs to recover actual damages or $500 for each violation, whichever is greater. The damages may be enhanced up to three times to the extent violations are found to be willful and knowing. In this Oregon case, the plaintiff contended she was on the national Do Not Call Registry and that the marketing company engaged in illegal national conduct by making unsolicited phone calls. There were also contentions that the sales representatives were trained to aggressively and actively solicit potential consumers.
The plaintiff sued in a class-action complaint in federal court of Oregon. A class of approximately 800,000 call recipients was certified. The facts included evidence that the lead plaintiff was called four times without consent. There was also evidence that almost two million calls were made to other class members.
Evaluation and Verdict: “According to basic math, the exposure is at around $1 billion for the worst-case scenario ($500 per violation multiplied by two million calls),” says Johnson. “If damages are enhanced by a multiple of three for willful and knowing violation, then the exposure grows to $3 billion. It’s hard to tell from the facts here whether there are any defenses, which would be important to know. The marketing company is probably not going to be a sympathetic defendant, so the defense will need to be prepared for the worst-case scenario. Although the facts indicate that the sales reps are trained to be aggressive, that doesn’t necessarily amount to willfulness. As such, the likely outcome is in the $1 billion range.”
After a three-day jury trial and just two-and-a-half hours of deliberating, the jury returned a verdict in favor of the class. The jury found four phone calls were made to the plaintiff personally and 1.85 million calls were made to other class members (a number less than the two million calls alleged). The jury was uncertain about the breakdown between cell phone calls and residential phone calls, which may be an issue for appeal. Given that the statute calls for damages of $500 per violation, total potential damages exceeded $925 million.
The plaintiff moved for enhanced damages based on willful and knowing conduct, which was denied, thus sparing the marketing company from a judgment in the billions, as opposed to the millions. The judge determined enhanced damages were not called for given that the marketing company did not have a history of violations and stopped making unlawful calls after being put on notice. The judge also ruled that the statutory minimum award of $925 million is sufficient to deter future violations by the marketing company. Naturally, appeals are expected in the case.
Case Two: Prisoner Privacy in Pennsylvania
Our next case deals with the use of information technology by local law enforcement in Pennsylvania. The claim was made by an individual who had been arrested and charged with harassment, disorderly conduct, and resisting arrest. The plaintiff had been incarcerated on the date of arrest and then released the next day. The plaintiff then completed a one-year probationary program for nonviolent, first-time offenders, and a judge ordered that his arrest record be expunged.
Several years later, the plaintiff discovered his information had been disseminated when he found his arrest photo on mugshots.com, a commercial site that publishes criminal-history records of people who have been incarcerated. The plaintiff discovered that his incarceration information, including his photograph, personal details, and charges, could all be looked up on the site. As a result, the plaintiff claimed he suffered emotional distress and invasion of privacy.
Notably, after the suit was filed, the county that was involved removed all inmate mugshots and most arrest information from the website. The plaintiff filed suit against the county officials who oversaw the online technology, alleging that dissemination of the information violated a state criminal records act that allows only state and local police departments to disseminate criminal history record information to non-criminal justice agencies and individuals. If willful, the violation of the act would result in punitive damages.
The judge ruled in favor of class-action status. Counsel for the plaintiff argued that this was an important case about privacy that affected everyone in the state, and that residents have the right to expect local government to follow the law. The county defended on grounds that county officials were not aware that contributing to the website violated any laws, and nobody had reported it as a problem. The class was determined to include 67,000 people who had been booked into the county jail from 1938 to 2013.
Evaluation and Verdict: “Municipalities are being targeted more than ever for these kinds of issues, so government and private businesses must be extra vigilant about the laws and abide by them,” says Johnson. “Hopefully this municipality had insurance that addressed the risks at issue and aided in preparing the response, not to mention defending against the claims. Wise risk managers will make the best case they can to their leadership that the best defense is a good offense, and in this context, that means good insurance.
“Here, the dissemination of private information does not sound willful, and as such, odds are likely low that a jury would find as much,” Johnson continues. “There are many people in this class, and the jury will likely be cognizant of the multiplier effect of any outcome. A likely outcome is a minimum of $500 per violation, and possibly as much as $1,000. This will result in exposure between $33.5 million and $67 million.”
The jury determined that the online tool violated the state statute and that the county willfully violated the act, resulting in punitive damages being awarded to the class. The jury awarded $1,000 for each violation of the act. As such, the total award from the ruling could amount to as much as $67 million, given that almost 67,000 people went through the system and had their information exposed. The verdict reports did not mention how actual losses resulting from the posting of arrest information were handled, though clearly actual damages were not a feature of the class action.
Case Three: Breach of Privacy in Indiana
Our final case involves claims by an individual against a well-known national drug store chain and a love triangle. The plaintiff was a woman who regularly filled all of her prescriptions, including birth control pills, at the drugstore chain’s pharmacy in Indiana. At some point, a man who was involved in a relationship with the plaintiff—referred to as “the boyfriend” going forward—also began dating a pharmacist at the drugstore. Later, the plaintiff became pregnant with the boyfriend’s child.
At some point, the boyfriend learned he had contracted genital herpes, presumably from the plaintiff. The plaintiff gave birth to a son thereafter. After the birth, the boyfriend advised the pharmacist about the fact that he had a newborn baby and the possibility that he may have exposed the pharmacist to genital herpes. The pharmacist, terrified about the possibility of contracting a sexually transmitted disease, looked at the plaintiff’s profile with the pharmacy to see what information she could find.
Thereafter, the boyfriend sent the plaintiff a number of accusatory text messages and disclosed to the plaintiff that he had a copy of her prescription records, presumably received from the pharmacist. The boyfriend further disclosed personal medical information to the plaintiff’s father, including that the plaintiff used birth control, had herpes, and had stopped taking birth control before becoming pregnant. Additionally, the boyfriend attempted to extort the plaintiff by threatening to release details of her prescription usage to her family unless she abandoned a paternity suit regarding the infant son.
It was later discovered that the pharmacist had accessed the plaintiff’s prescription profile and had disclosed all of the above personal information to the boyfriend. The national drugstore chain confirmed a HIPAA privacy violation had occurred since the records had been reviewed without consent. The pharmacist appears to have gotten off lightly—she was required to retake a computer training program regarding HIPAA and received a written warning.
The plaintiff, however, filed suit alleging negligence/professional malpractice, invasion of privacy/public disclosure of private facts, and invasion of privacy/intrusion against the pharmacist, as well as claims against the national drug store chain for negligence in the training, supervision, and retention of the pharmacist. She also sued the boyfriend.
Evaluation and Verdict: “Given breaches of HIPAA, general privacy protections, and the overall data breaches here, the violations are serious,” says Johnson. “This will be a costly case for the employer, which most likely will be held responsible even though the ‘twisted love’ situation was to blame, as well. I estimate that the verdict will be in the $2 million range.”
Johnson’s estimate wasn’t such a wild guess. After a four-day jury trial, the jury found that the plaintiff suffered damages in the amount of $1.8 million, with $1.4 million of that to be borne jointly by the national drug store chain and the pharmacist, and the rest to be paid by the ex-boyfriend.
Breaking Down the Trends
According to IBM’s “2016 Ponemon Cost of Data Breach Study,” the average cost of a data breach is $4 million. This includes investigation; customer notification and incident response; regulatory fines and penalties; and legal and class-action costs. A solid approach requires a multidisciplinary team drawn from corporate, technology transactions, health care, financial services, intellectual property, labor and employment, and litigation practices. In each of the above cases, we can see failures that touched on these core areas that a multidisciplinary approach might have prevented. We also see that jury verdicts were decidedly above the average, suggesting that settling these cases, when possible, will be the most productive course.