SUMMER 2019 TODAY’S GENER AL COUNSEL
Data and Business Litigation By Sarah F. Hutchins and Alli Davidson
etention of data is a double-edged sword for most businesses. On the one hand, data protection has become a paramount concern for businesses. Cybersecurity breaches are incredibly costly because they engender increased regulatory oversight and damage a company’s reputation. On the other hand, businesses often over-collect, over-retain, or fail to adequately protect data, which needlessly raises risks. The current state of business litigation exemplifies this dichotomy. Data exposure is becoming a frequent source of civil lawsuits as companies face claims of negligence, breach of contract or other legal causes of action after a breach. Data can, however, serve as a treasure trove of evidence in a variety of lawsuits, including those involving trade secrets and non-compete agreements. These types of litigation have heated up nationally as the economy has improved and the competition for talent has stiffened. Companies should look in the mirror and ask: Do my data policies take these litigation trends and risks into account? Will they help or hurt my company if we need to pursue a claim or defend against one? There are practical steps that companies can take before a breach or a lawsuit to better protect their intellectual property and put themselves in a stronger position when the need for litigation arises. KNOW YOUR OBLIGATIONS
There have been numerous federal attempts at data security standards, but they have yet to coalesce into a final regulation. There are, however, federal regulations impacting certain industries or types of information, such as regulations by the Securities and Exchange Commission for public companies, more stringent security requirements for financial institutions and protection of health data. Though not specific to only data related issues, the Federal Trade Commission (FTC) has general
oversight over unfair and deceptive practices by organizations and individuals, including the fair use and storage of certain types of data. As a result, businesses could face FTC oversight if they promise to treat data a certain way but do not adhere to that promise. U.S. entities are subject to global regulation in some cases. For example, the EU implemented a robust standard last year called the General Data Protection Regulation (GDPR), and it impacts U.S.-based companies that store and use Europeans’ personal data. It also enhances restrictions on transferring personal data outside of the EU. In addition, every state in this country has its own data breach and/or protection laws that set forth the steps a company must take to notify that state’s residents if they are impacted by a data breach. The constraints on companies’ collection, storage, use and destruction of data is also defined by case law, including case law for breach of contract and negligence. The standard for negligence in relation to a data breach is still evolving in case law, and is jurisdiction dependent. Plaintiffs often argue that the defendant company failed to meet applicable industry standards in data storage and protection. The “correct” or applicable standard is often debatable and subject to multiple considerations such as business category, size and data type, though the standard from the International Organization for Standardization (ISO/IEC 27040) can be a helpful guide. The bottom line for companies is that it is important to explore all the
standards that are common practice in their industry and stay abreast of changes. By determining which ones are the most widely adopted (as well as which elements within the various standards are used across the board) and following them, you can build a strong defense against a claim of negligence. Implementing contractual protections of data can also short-circuit a negligence claim. In certain instances, contractual protection of data, such as data processed by a vendor, can be required by law. It is also important for companies to be aware that courts have found implied contracts in certain instances, including between an employer and employee, to keep data in a safe and secure manner or use data in a certain way. For instance, in Sackin v. TransPerfect Global, a federal court in New York recently denied an employer’s motion to dismiss a lawsuit and held that, in some situations, companies that require their employees to provide personal information make an implicit promise to safeguard that information.
There are many tools companies can use to immediately improve data security and strengthen their position with respect to litigation.
After diagnosing their obligations, businesses need to review, and be intentional about, how they grant access to data. Especially in the realm of trade secret litigation, companies often do not realize that an individual had access to certain proprietary data before that person left the company and took it with them. A good place to start is by adopting the principle of least privilege. Only give employees access to information and the ability to do things with tech-