In 2012, online footwear company Zappos suffered a data breach impacting roughly 24 million consumers, which resulted in a class action lawsuit. During the litigation, the District Court of Nevada dismissed certain claims for lack of Article III standing on the basis that the consumers merely alleged a risk of potential harm resulting from the data breach, and not actual financial injury. The Ninth Circuit Court of Appeals (“Ninth Circuit”) reversed the District Court’s decision and reinstated the dismissed claims, finding that allegations of a substantial risk of impending harm satisfied Article III standing requirements.
On March 25, 2019, Zappos’ request to appeal the Ninth Circuit’s decision to the U.S. Supreme Court was denied. Currently, five of the twelve regional federal circuits agree that substantial risk claims satisfy Article III standing requirements. Thus, the Supreme Court’s decision has inherently increased the likelihood that organizations falling victim to data breaches will be required to litigate against speculative harm claims.
In the event that an organization ends up in data breach litigation, the organization bears the burden of proving that it acted prudently in protecting the personal information of its consumers. Prudency is typically evaluated in the context of a “reasonable under the circumstances” standard. However, standards of “reasonableness” are constantly coevolving with advancements in cyber-security capabilities, cloud technology, and the regulatory framework applicable to data protection.
To keep your organization’s security program current, there are a number of emerging best practices that can be followed:
- Offensive Security – Improve the security of your organization’s most critical assets through external penetration testing and red teaming
- Automation – Leverage automation technologies to create and maintain security dashboards; collect, analyze, and correlate threat data; and conduct application security scanning
- Information Security & Policy Compliance –
  - Perform a gap analysis on your InfoSec department’s policies and procedures and create, refine, and standardize processes and procedures to address gaps
  - Develop and implement initiatives to enable readiness and compliance with audit and security frameworks (CSF, SOC, HITRUST, etc.)
- Security Remediation Orchestration – Connect security tools and integrate disparate security systems in order to streamline workflows and create bandwidth for workers to perform high-value manual tasks
- Threat Modeling – Facilitate brainstorming sessions focused on identifying and prioritizing potential threats and vulnerabilities and defining countermeasures to prevent or mitigate the associated impact
- Security Education & Awareness – Develop informative security education and awareness collateral for circulation throughout your organization in order to homogenize workforce understanding of the cyber-security threats and countermeasures applicable to the organization
- Phishing Strategy – Administer phishing awareness training and simulations and implement defense measures (e.g. multi-factor authentication, endpoint protection, and quarantine software) to combat external phishing attacks
If you have any questions regarding the U.S. Supreme Court’s recent decision or would like additional insight into implementing the cyber-security measures mentioned above, please contact Michael Morgenstern (michael.morgenstern@dayblink.com) or Chris Kokotilo (chris.kokotilo@dayblink.com) at DayBlink Consulting.