DENVER (Legal Newsline) - David Willson, a retired Army officer, attorney and now owner of Titan Info Security Group, travels the country, educating CEOs and executives on how to protect their companies from data breaches, which have become increasingly common in recent years.
His No. 1 piece of advice to companies: implement what he calls “reasonable security.”
That means making sure basic standards -- i.e. updating software, turning on firewalls, adding intrusion protection, etc. -- are in place.
“I recently wrote a paper looking at 13 class action lawsuits and negligence lawsuits filed,” Willson told Legal Newsline. “I found that in all of these suits, no one was meeting that standard of reasonable security.
“I don’t feel bad for companies when they’re not doing the basics.”
Willson spent 20 years in the Army and served in the Army’s Judge Advocate General’s Corps, or JAG, which operates like a court system, and has worked at the National Security Agency and USCYBERCOM, otherwise known as United States Cyber Command.
Licensed to practice law in Colorado, New York and Connecticut, Willson now works as a risk management and cyber security expert, writing and lecturing on both topics. He assists companies in planning, designing policies and providing awareness training, incident response and reputation management, among other things.
He said it’s important for companies to show due diligence and develop a plan to lower the risk of a data breach, and then, if an incident occurs, react quickly and protect their reputations.
“I can’t tell you how many times companies do the lip service, say they’re concerned about cyber security, yet aren’t really doing anything about it,” he said.
Willson pointed to Nationwide Insurance, which suffered a data breach in 2012 and was then hit with subsequent class action lawsuits. Recently, a federal appellate court denied Nationwide’s request for a rehearing after previously deciding to side with plaintiffs in two consolidated class action lawsuits against the company.
While he noted that he hasn’t looked at the specifics of the case, Willson said he could “almost guarantee” there were things the company could’ve done better to minimize its risk.
“Look, no one can all-out prevent it,” he said. “But you can prevent from being stupid. You can make sure you have at least basic security in place, so the company and its attorneys can defend that security.”
Sadly, many companies don’t think it will happen to them, Willson said.
“Whenever I teach a class or give a lecture, I always start off by asking, how many of you believe your company will be breached? And it’s astonishing, only 10 to 30 percent of the people raise their hands,” he said.
What’s worse is many of the executives he’s talked with often can’t explain what security measures they currently have in place, he said.
“If you’re breached tomorrow and faced with that question, you better be able to answer it,” Willson said. “Then it’s, how are you going to react? Who are you going to call -- a vendor to help investigate? How are you going to respond to shareholders and investors?
“A lot of companies are falling really short, in my opinion.”
While Willson couldn’t say whether Nationwide could have completely avoided the lawsuits brought against it, he didn’t necessarily agree with the U.S. Court of Appeals for the Sixth Circuit’s opinion in the case either.
In the Sixth Circuit’s September opinion, designated as unpublished, a majority of the court’s three-judge panel said it would be “unreasonable” to expect customers to wait for “actual misuse.”
“This is not a case where Plaintiffs seek to ‘manufacture standing by incurring costs in anticipation of non-imminent harm,’” Judge Helene White wrote for the panel majority. Judge Sheryl Lipman, for the U.S. District Court for the Western District of Tennessee, sitting by designation, joined her in the Sept. 12 decision.
“Rather, these costs are a concrete injury suffered to mitigate an imminent harm, and satisfy the injury requirement of Article III standing.”
The plaintiffs in the cases -- which were consolidated -- appealed to the Sixth Circuit from the U.S. District Court for the Southern District of Ohio.
Mohammad Galaria and Anthony Hancox brought their class actions in the Southern District of Ohio and the U.S. District Court for the District of Kansas, respectively, after hackers breached Nationwide Mutual Insurance Company’s computer network in October 2012 and stole their personal information, along with more than 1 million others.
In their complaints, the plaintiffs allege claims for invasion of privacy, negligence, bailment and violations of the Fair Credit Reporting Act, or FCRA.
More specifically, they argue Nationwide failed to adopt required procedures to protect against the wrongful dissemination of their data.
Willson contends the injury to the plaintiffs stems from the hackers’ actions, and Nationwide should not be held liable unless the court could find the company specifically negligent.
The majority, pointing to the U.S. Supreme Court’s decision in Spokeo v. Robins, said the “irreducible constitutional minimum” of standing consists of three elements: a plaintiff must have 1) suffered an injury in fact, 2) that is fairly traceable to the challenged conduct of a defendant and 3) that is likely to be redressed by a favorable judicial decision.
The nation’s high court explained in its May decision that for an injury to be particularized, it must affect the plaintiff in a “personal and individual way.” The injury-in-fact also must be “concrete,” which means “real” and “not abstract.” But “concrete” is not necessarily synonymous with “tangible.”
“Here, Plaintiffs’ allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish a cognizable Article III injury at the pleading stage of the litigation,” White wrote for the Sixth Circuit majority. “Plaintiffs allege that the theft of their personal data places them at a continuing, increased risk of fraud and identity theft beyond the speculative allegations of ‘possible future injury’ or ‘objectively reasonable likelihood’ of injury that the Supreme Court has explained are insufficient.
“There is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals.”
Circuit Judge Alice Batchelder took a different position, dissenting from the majority.
“We need not take sides in the existing circuit split regarding whether an increased risk of identity theft is an Article III injury because, even assuming that it is, the plaintiffs have failed to demonstrate the second prong of Article III standing -- causation,” she explained. “The causation element requires ‘a causal connection between the injury and the [defendant’s] conduct’ -- in other words, the injury must be ‘fairly traceable to the challenged action of the defendant, and not the result of the independent action of some third party not before the court.’”
Batchelder argued that if Galaria and Hancox suffered injury, it was at the hands of criminal third-party actors -- in this case, the hackers.
In an Oct. 12 order, the Sixth Circuit denied Nationwide’s motion for rehearing en banc, or a rehearing by the full court.
Though he thinks it unfair, Willson doesn’t believe the Sixth Circuit ruling holds much weight.
“I’d be hard-pressed to say that it will have any effect on companies,” he said. “Most companies, in these situations, settle out. It’s quicker and cheaper.”
But he warned that some states, such as New York, have started to implement cyber security rules for companies, in particular financial institutions. Under those rules, risk assessments must be performed annually, and by a third party.
“There are some rules out there, and they’re slowing starting to pick at companies,” Willson said. “But it’s a horrible way to implement security. The law lags so far behind technology. What they’re being forced to implement should’ve been done years ago.”
From Legal Newsline: Reach Jessica Karmasek by email at firstname.lastname@example.org.