
Robert Cosgrove.
‘Somebody’s Watching Me’: trends in cyber security and data privacy breach suits highlighted by US lawyer Robert Cosgrove at London IUA briefing
By James Brewer
Data privacy breach lawsuits in the US are seeing average claims of $350,000 – plus around $750,000 per case in legal fees, an insurance market briefing in London hosted by the International Underwriting Association has heard.
Robert Cosgrove, managing partner in the Philadelphia office of law firm Wade Clark Mulcahy, urged underwriters to tighten controls over the writing of policies. He warned: “Cyber cover is being handed out like candy to a baby. Product recall policies, cargo policies, fine art covers – you can charge an extra premium [for cyber cover], but nobody understands what they are doing, and how the product responds.” Insurers were still grappling with understanding the implications of cyber coverage.
He underlined that because people these days transmit personal information almost non-stop, “somebody is [always] watching me,” as a 1984 Motown hit single written and sung by Kenneth ‘Rockwell’ Gordy, with Michael Jackson in the chorus, had it.
Mr Cosgrove said some big claims involved big companies including major retailers, “but the reality is that this type of claim can impact anybody.” The plaintiff’s bar was eyeing cyber litigation as its ‘next asbestos’.

Robert Cosgrove (left) of Wade Clark Mulcahy and Paul Calvert of the IUA.
Despite cyber attacks on Fortune 500 and other top companies being frequent, and likely to prompt much more of this type of claim and litigation in the years ahead, the picture in the US was an uneven patchwork, with each of the 50 states sovereign in its rules of law. There is no overarching federal regime that covers these claims. “We do not have a system of statutory damages, but I think that is going to change,” said Mr Cosgrove, a former prosecutor, who is head of the Privacy, Cybersecurity and E-Discovery practice group at Wade Clark Mulcahy, which is a regional litigation firm.
He emphasised: “All data claims have a business aspect. Why – because they are in the Press. The business component of the claim makes it different and unique. It is more akin to a product recall claim than a typical, standard claim.”
Claims relate to what is called “personally identifiable information”, or PII for short. This is information or data that allows a person to be identified as a particular individual. In the US, PII includes name, gender, contact information, date of birth, marital status and spoken languages. The US definition is narrower than that of the European Union, where PII includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or data concerning health or sex life.
A type of claim we were seeing a lot of was based on ‘neglect’, which signified that a data collector (as the entity that gathers the data is called) was said to have failed to act reasonably in ensuring preservation of a person’s data. “We are talking about a reasonable standard of care.” The allegation here would be that safeguards were inadequate and fell below the industry standard of preservation of data. Neglect could be failure to inform someone in a timely manner of a data breach. Claims could also fall under the categories of breach of contract; unsanctioned collection of data; involuntary disclosure; conversion (that is: “I gave you data for a specific purpose to give to a vendor, and you have stolen my data for something else”); and improper benefits (“you have used the information for something else, and you have to disgorge the profits so obtained”). Another cause of dispute was the concern that personally identifiable information might be involuntarily disclosed.
The concept of a data breach being a “credible threat” to a person’s wellbeing, in that they may suffer damage in the future, has been raised at trial. This would be a big shift in approach, said Mr Cosgrove, and so far has not been taken up.
Mr Cosgrove said it appeared that the explosion in the volume of data privacy litigation has encouraged the courts to focus more on meritorious adjudication than technical compliance.
The attorney said that in class action litigation, the named plaintiff purporting to represent a class must establish that he or she, personally, has standing to bring the cause of action; if the named plaintiff cannot maintain the action on their own behalf, they may not seek such relief on behalf of the class.
He said that once the PII is collected, the business, agency or entity that does something with the PII becomes the “data processor.” A data processor can include a third-party entity that is given the PII by the data collector to make use of. In the US, the data collector has the ultimate obligation to ensure that PII is not wrongfully disseminated and to ensure that if a breach does occur steps are taken to control the breach.
The “overlooked reality” of PII is that almost any database maintained by any business, agency or entity is going to include such information.
“We like to think of data breaches as rogue hackers breaking into a network under cover of darkness,” said Mr Cosgrove, “but that is only one type of data breach. A data breach can occur if a smart phone, tablet or laptop (with, for example, medical records) is lost or even if medical records from a personal injury lawsuit are not properly shredded.”
He continued: “As our devices get smaller and faster and our ability to transmit the data through the internet or cell phones grows, the amount of PII collected and stored will only increase. No matter what efforts are taken, it is almost impossible to prevent a data breach.”
President Barack Obama has recently announced his intention to spearhead a federal data privacy initiative centred on a Consumer Privacy Bill of Rights. The Senate is trying to agree a framework for such legislation. Federally standardising data privacy would in some ways relieve plaintiffs of the burden to demonstrate a reasonable level of care in data management.
The reality was that, in some ways, the notion of traditional monetary damages did not fit with data privacy claims. Courts that have navigated these disputes and entertained the issue of damages through the initial pleadings have suggested that other forms of damages would be appropriate.
Plaintiffs exercising a private right of action under federal or state legislation might be entitled to costs, attorneys’ fees or statutory damages on a case-by-case basis. The biggest challenge to cyber litigation in the US was that there was no single privacy framework or law that controls the arena. Most federal action arises out of the Federal Trade Commission, but the scope of the commission’s powers is unclear, said Mr Cosgrove. On the local level, every state has taken a different approach to handling cyber claims and many states are considering redrafting their cyber legislation.
The question was whether Washington was going to create new legislation that pre-empted state law, which appeared to be the intention of the White House.
Most data claims were not specific to a state, for instance in regard to things bought via the web. The responsibility for minimising the damage and ensuring that courts and juries do not overreach themselves rests with the defence bar, concluded Mr Cosgrove.
The meeting was chaired by Paul Calvert, senior market services executive at the IUA.