Cybersecurity: Another Year of Intrusions and Regulation Punctuated by a Pandemic

January 11, 2021


Cybersecurity, a topic that was already top of mind for boards and corporate stakeholders at the start of the year, was pushed even further to the fore in the wake of the COVID-19 pandemic. The increased prevalence of remote working made it all the more critical for companies to manage cybersecurity risk.[1] In a recent survey of business and technology executives, 96% of respondents said that they will shift their cybersecurity strategy due to COVID-19, and 50% said that they will consider cybersecurity in every business decision (up from 25% last year).[2] Boards in turn will take on an increasing role in managing oversight of this high-stakes issue.

Data Breaches

A number of significant data breaches occurred in 2020, driving the conversation on cybersecurity risk:

  • In March, Marriott announced that beginning in mid-January, hackers had accessed the personal information of approximately 5.2 million guests, including names, contact details and addresses. This follows the previous high-profile hack of Marriott that occurred in 2018.
  • In May, EasyJet announced that hackers had improperly accessed the email addresses and travel details of approximately 9 million customers, including over 2,000 customers’ credit card numbers and security codes.
  • In July, the Twitter accounts of many high-profile figures, including Joe Biden, Bill Gates and Kanye West, were hacked in a bitcoin scam.

Regulatory Focus on Cybersecurity

In response to continuing significant data breaches, regulators in 2020 were increasingly active in bringing cybersecurity enforcement actions against companies that allegedly maintained inadequate cybersecurity protections or failed to comply with related obligations:

  • In July, New York’s Department of Financial Services (DFS) brought its first-ever enforcement action for the alleged breach of its cybersecurity regulations, which had been in force as of 2019. DFS alleged that First American Title Insurance Company was aware of a vulnerability in its website that allowed tens of millions of documents containing personal information to be publicly accessed, but, because of a “cascade of errors,” First American allegedly did not remedy the vulnerability for six months.
  • In August, the U.S. Department of Justice charged Uber’s former Chief Security Officer with obstruction of justice and misprision of a felony for allegedly attempting to cover up a 2016 data breach during the course of an investigation by the Federal Trade Commission.[3] The prosecution represents an aggressive step by federal authorities in bringing charges under the obstruction and felony misprision statutes, the latter of which is a relatively rarely used statute in white-collar cases.
  • In August, the Office of the Comptroller of the Currency (OCC) assessed an $80 million civil monetary penalty and entered into a cease-and-desist order with the bank subsidiaries of Capital One, following a 2019 cyber-attack. The OCC actions represent the first imposition of a significant penalty on a bank in connection with a data breach or an alleged failure to comply with the OCC’s guidelines relating to information security.[4]
  • In October, the UK Information Commissioner’s Office announced that it was reducing its proposed fines against British Airways and Marriott Hotels for violations of the EU General Data Protection Regulation (GDPR) that occurred in connection with previous data breaches. In 2019, the ICO had announced its intent to fine British Airways and Marriott £183 million and £99 million, respectively, but the final fines were £20 million and £18.4 million. The reduction likely reflects the ICO’s consideration of remedial steps that the companies took and the fact that both companies are in industries that were severely impacted by the COVID-19 pandemic.
  • In November, the Federal Trade Commission announced a settlement with Zoom Video Communications, Inc. (Zoom) arising out of Zoom’s alleged misrepresentations regarding the level of encryption it offered for users’ communications (unrelated to the breach Zoom disclosed in April), as well as an allegation that Zoom secretly installed software that bypassed an Apple Safari browser safeguard. In connection with the settlement, Zoom agreed to establish and implement a comprehensive security program that requires it, among other things, to regularly review software updates for security flaws.

Litigation Developments

There were also significant developments in litigation related to cybersecurity in 2020:

  • In February, in largely denying Marriott’s motion to dismiss the litigation arising out of the 2018 breach of Starwood Hotels & Resorts (which Marriott acquired in 2016), a Maryland federal district court rejected Marriott’s standing arguments and held that plaintiffs can establish injury-in-fact based on the non-speculative “imminent threat” of identity theft. The decision is part of a potentially developing trend of companies facing increasing difficulty in obtaining dismissals of data breach litigation at early stages based on the argument that consumers were not injured by exposure of their personal information.
  • In May, in class action litigation arising out of the above-referenced 2019 data breach, a Magistrate Judge in federal district court in Virginia ordered Capital One to produce to plaintiffs a digital forensic investigation report, finding that the report was not protected from disclosure by the attorney work product doctrine. The court’s decision highlights the challenges in maintaining protection over the work product of data incident investigators who have broad retainer agreements and in cases where the product is used for multiple purposes.[5]
  • The California Consumer Privacy Act (CCPA), as of 2020, gave California residents a private right of action in the event of data breaches. The first such lawsuits have already been filed, including Fuentes v. Sunshine Behavioral Health Group, LLC, an action arising out of an alleged data breach of the personal and medical information of thousands of patients of a behavioral health treatment center, and Atkinson v. Minted, Inc., an action arising out of an alleged data breach of the account information of millions of customers of an online stationery and craft company. CCPA litigation is likely to proliferate, particularly with the passage of enhanced CCPA provisions that were approved by California voters in the November election as discussed in The Privacy Law Plot Continues to Thicken: Compliance Considerations for 2021 in this memo.

Key Takeaways

  • Cybersecurity continues to be an essential issue for companies, both in light of the pandemic and the notable data breaches that occurred in 2020.
  • Increased regulatory action related to cybersecurity issues portends the continued shift away from regulators viewing hacked companies as only victims and toward potentially holding them responsible for perceived deficiencies in their cybersecurity programs and other implicated internal controls.
  • Private litigation arising out of data breaches continues to proliferate, and courts have recently handed down plaintiff-friendly decisions on standing and discovery issues, which may make the cases even more expensive to litigate.
  • In 2021, we expect these trends to continue and possibly expand as hackers continue their activities unabated, while the Biden administration may lead to an increased focus on enforcement and potentially federal data security legislation that has eluded lawmakers for years.

[1] For additional details, see our March blog post here.

[2] PwC Cybersecurity Coming of Age (October 5, 2020).

[3] For additional details, see our September blog post here.

[4] For additional details, see our August blog post here.

[5] For additional details, see our July blog post here.