This is part of a series of articles by Wright Lindsey Jennings’ labor and employment team examining key trends for employers and the workplace in 2019. The series was featured in Arkansas Business.
Despite notable data breaches and the call for stronger data security in the past few years, individuals and companies alike continue to fall victim to hackers. According to a Javelin Strategy and Research report cited by CNBC, $16.8 billion was stolen by identity theft scams in 2017.
Two industries that have found themselves continually in the crosshairs of hackers are the hospitality and financial services industries. In the financial services industry, look no further than the Equifax data breach that exposed an estimated 143 million Americans. Hospitality companies including Landry’s, Arby’s, Wendy’s, Panera Bread, Sonic, Hilton Hotels, Hyatt Corporation, Omni Hotels & Resorts, Trump International and Noodles & Company have also suffered data breaches recently. Marriott announced on November 30, 2018, that its guest reservation system had been hacked, potentially exposing the personal information of approximately 500 million guests. Because of the number of breaches, hospitality industry organizations such as the American Hotel and Lodging Association and the National Restaurant Association have made data security a main area of concern and focus.
A Major Cause of Data Breaches
While not the main cause, a number of these breaches can be chalked up to employee error. According to a 2017 study by Keeper Security and the Ponemon Institute, negligent employees were the number one cause of data breaches at small and medium-sized businesses across North America and the UK. In a press release, Keeper Security CEO and cofounder, Darren Guccione stated “[t]he number one greatest cyber threat to a business is their very own employees.” This threat is even more magnified in industries with high employee turnover rates, such as the hospitality industry.
Exposure to Potential Losses
Based on recent case law, many individual data breach victims are heading to the courtroom to recoup damages for the breach of their information. According to a 2018 survey of general counsel and senior legal officers at 385 companies cited in a Defense Research Institute article, cybersecurity/data privacy is the area of law most likely to give rise to the next wave of class action litigation. Federal circuit courts are split on what it takes for a class to have the right to bring a lawsuit. Specifically, the circuits disagree over whether fear of identity theft in the wake of a data breach is sufficient to meet the standing requirements of Article III of the United States Constitution. Some federal circuits hold that the fear of identity theft in the wake of a data breach is enough for victims to bring a lawsuit. In a data breach lawsuit involving a chain of grocery stores, In re Supervalu, Inc., 870 F.3d 763 (8th Cir. 2017), the Eighth Circuit—the circuit that Arkansas sits in—went a step further and held that a victim has the right to bring a data breach claim only if he or she can allege he or she has suffered identity theft or fraudulent charges as a result of the breach. No matter the circuits’ differences, case law shows that litigation may be a viable route to recouping damages for data breach victims. And, with the United States Supreme Court’s refusal to hear a case on the issue of standing in data breach lawsuits earlier this year, Attias v. CareFirst, 138 S. Ct. 981 (2018), the Eighth Circuit’s standard looks to be the one that will be followed by Arkansas federal courts for a little while longer.
Employees who are victims of data breaches are also looking to recoup damages. See Corona v. Sony Pictures, Entertainment, Inc., No. CV 14-09600, 2015 WL 12655592 (C.D. Cal. Nov. 24, 2015). Credit and debit card issuers who have to reissue credit cards and reimburse cardholders for fraudulent charges are looking to recoup damages. See In re Target Corp. Customer Data Security Breach Litigation, 309 F.R.D. 482, 490 (D. Minn. 2015). In addition to litigation, businesses risk violating federal data privacy and security laws like the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and the Genetic Information Nondiscrimination Act (GINA), as well as state data privacy and security laws like Arkansas’s Personal Information Protection Act.
Possible Ways to Help Avoid Losses
Continued employee policy enforcement and training can assist in avoiding a data breach or becoming a defendant in a potentially expensive class action lawsuit. Have policies and procedures concerning storage, use and access to sensitive information. Train employees to recognize scams like phishing emails. For example, many phishing emails have spelling mistakes or poor grammar, and they usually request personal information via email while legitimate emails typically do not. Also, make sure employees do not click on unexpected attachments and embedded links in suspicious emails.
Having a response plan in place can mitigate damages as well. In the event of a cyberattack, contact your insurance company to see if any of your policies apply to data breaches. Make sure you comply with federal/state laws relating to data breaches. Most states, including Arkansas, have laws that require notifying authorities and any customers/employees affected by the breach if there is a reasonable likelihood of harm. Finally, consider taking all affected equipment offline and consulting a data forensics team and legal counsel to investigate.
Daveante Jones is a labor and employment attorney at Wright Lindsey Jennings in Little Rock who focuses on discrimination, employee leave, minimum wage and overtime, employment contracts and agency investigations. You can email him at firstname.lastname@example.org.