How Should In-House Counsel Defend Their Companies Against Data Breaches?

For in-house counsel, there is an ever-increasing need to be diligent about the protection of consumer and employee data. As data breaches increased by nearly 30 percent from 2013 to 2014, numerous companies have found themselves fighting a PR nightmare and fending off lawsuits that have resulted from the attacks. In today’s modern economy, it is imperative that companies take a proactive approach to protecting their data – and have a plan in place in case a data breach does occur.

Munger, Tolles & Olson attorneys Jonathan H. Blavin and Jesse M. King published an article in the Media Law Resource Center’s May 2015 bulletin addressing what in-house counsel should know about protecting their data. “Emerging Themes in Data Breach Litigation: What In-House Counsel Need to Know” lays out five themes regarding data protection and litigation that in-house counsel should keep in mind as they develop their internal data privacy and security programs.

First, in-house counsel should consider that there is no unifying federal law when it comes to breach notification requirements. In other words, in-house counsel must be prepared for the fact that different states will have different requirements for when the public has to be notified that a breach has occurred. The good news is that many states have similar requirements. California’s data breach notification laws are the model for many other states’ laws, but there is significant variation between the states when defining what information creates a notification obligation and how notice may be provided.

If a company does experience a breach and subsequent litigation, in-house counsel should be aware that data breach litigation employs a reasonableness standard in many contexts, but that standard is context-dependent and can change from case to case. The Federal Trade Commission (FTC) requires that “reasonable and appropriate” security measures be in place to prevent a breach. However, the meaning of “reasonable and appropriate” isn’t clearly defined.

There has been a recent challenge to the FTC’s jurisdiction over data security practices under Section 5 powers. (Section 5 of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.”) While this challenge is still being litigated, the future of FTC enforcement actions is uncertain. Nevertheless, the issue of whether a company took reasonable steps to protect its data will remain an important factor in data breach litigation.

Plaintiffs may have trouble making claims because it may be too difficult for the courts to determine a cognizable harm caused by the breach. Courts often dismiss data breach claims due to the abstract harms alleged, either by finding insufficient standing or failure to state a claim upon which relief can be granted. In-house counsel should focus first on protecting data that can cause immediate harm and then on putting security measures in place to mitigate unauthorized access to data that could potentially become harmful down the road.

It is very important for in-house counsel to track what kinds of data are being collected by the company, because different types of data are treated differently under the law. The reasonableness of how well a company tries to protect its data will, in part, be determined by the type of data it was protecting. More sensitive data, such as Social Security numbers and credit card information, should be protected more closely than less potentially harmful data.

In-house counsel should also keep in mind that data breach insurance is still an evolving field. Insurance companies don’t yet have enough data to create cost models for data breach coverage. Consequently, different insurers will have different coverage and exclusions. If in-house counsel choose to use data breach insurance, the plans should be closely scrutinized.

Based in Munger Tolles’ San Francisco office, Mr. Blavin focuses his practice on high-technology intellectual property disputes, including claims brought under the Copyright and Digital Millennium Copyright Acts, the Lanham Act and state trademark statutes and trade secret laws. He was named to the list of top attorneys under 40 in the field of technology law by Law360 and was chosen to appear on the inaugural list of “50 Intellectual Property Trailblazers & Pioneers” put out by the National Law Journal.

Based in the firm’s Los Angeles office, Mr. King is a litigator whose practice focuses on white collar investigations and technology.