Identifying and Calculating Recoverable Damages in Cyber Security Breaches—Part 2
Predicting Cyber Security Breaches
Cyber security breaches often result in the improper transfer of personal identifying information or sensitive financial and health information. This article focuses on the identification of potential cyber security breaches and how courts are addressing the presentation of such cases, including the issue of damages.
Read Identifying and Calculating Recoverable Damages in Cyber Security Breaches—Part 1
Patco Construction Company, Inc. v. People’s United Bank, d/b/a Ocean Bank [87]
A commercial banking customer whose account was hacked brought claims against the bank under, among other things, Article 4A of the Uniform Commercial Code. At issue was whether the commercial customer agreed to the bank’s security procedures, and whether those procedures were reasonable. On competing cross-motions for summary judgment the district court found in favor of the bank. On appeal, the First Circuit reversed, and left open the question of whether for liability or mitigation of damages purposes a commercial customer has any obligations or responsibilities under Article 4A, even where a bank’s security system is commercially unreasonable.
In Patco Construction Company, Inc. v. People’s United Bank, d/b/a Ocean Bank, the First Circuit reversed the District of Maine’s decision on cross-motions for summary judgment under Article 4A of the Uniform Commercial Code, which governs a bank’s rights, duties, and liabilities to its commercial customers regarding electronic funds transfers. [88]
The facts in the case were relatively straightforward. Ocean Bank authorized six apparently fraudulent withdrawals, totaling $588,851.26, from Patco Construction Company’s (Patco) account over a span of seven days in May 2009. [89] Although the thief correctly supplied Patco’s customized answers to its security questions, nothing else about the six transactions was consistent with Patco’s use of the account. Patco used its online banking access to the account primarily to make regular weekly payroll payments—always on Fridays; always initiated from a computer at Patco’s offices in Sanford, Maine; always from a single static Internet Protocol (IP) address; and always accompanied by weekly withdrawals for federal and state tax withholding as well as 401(k) contributions. [90]
The six transactions at the center of the dispute, however, were different: they were not (or at least not all of them were) on a Friday; they were not initiated from a computer at Patco’s offices in Sanford, Maine; they were not from the same IP address; and they were not accompanied by withdrawals for federal and state tax withholding or 401(k) contributions. [91] “As a result, the [bank’s] security system flagged these transactions as uncharacteristic, highly suspicious, and potentially fraudulent from a ‘very high risk non-authenticated device.’ The transactions generated unprecedentedly high risk scores ranging from 563 to 790, well above Patco’s regular risk scores which ranged from 10 to 214.” [92]
The bank blocked or recovered $243,406.83, leaving a residual loss to Patco of $345,444.43. [93] Patco sued the bank, seeking to hold it accountable under Article 4A of the UCC for the loss because, among other reasons, its security system was not commercially reasonable. Both parties moved for summary judgment. Although other issues were raised on appeal, the Article 4A arguments were the focal point of the First Circuit’s analysis.
The First Circuit explained that under Article 4A of the UCC a bank receiving a payment order ordinarily bears the risk of loss for any unauthorized funds transfer. [94] However, Article 4A permits a bank to shift the loss to a customer in one of two ways. First, a bank may show that the transfer was authorized by the person identified as the sender or that the person is bound by it under the law of agency. [95] The second way a bank can avoid liability is if the:
bank and its customer have agreed that the authenticity of payment orders issued to the bank in the name of the customer as sender will be verified pursuant to a security procedure, a payment order received by the receiving bank is effective as the order of the customer, whether or not authorized, if:
(a) The security procedure is a commercially reasonable method of providing security against unauthorized payment orders; and
(b) The bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer. The bank is not required to follow an instruction that violates a written agreement with the customer or notice of which is not received at a time and in a manner affording the bank a reasonable opportunity to act on it before the payment order is accepted. [96]
The bank sought summary judgment arguing that Patco agreed to its security procedures, which were commercially reasonable, and that the bank transferred the money in good faith. The bank’s arguments were presumably premised, at least in part, on Patco’s consent to the bank’s “eBanking for Business Agreement,” which stated that “use of the Ocean National Bank’s eBanking for Business password constitutes authentication of all transactions performed by you or on your behalf.” The eBanking agreement went on to state that Ocean Bank did not “assume any responsibilities” with respect to Patco’s use of eBanking, that “electronic transmission of confidential business and sensitive personal information” was at Patco’s risk, and that Ocean Bank was liable “only for its gross negligence, limited to six months of fees.” [97]
The First Circuit analyzed the bank’s security procedures and ultimately concluded that they were not commercially reasonable. In so doing, the court focused in particular on the bank’s requirement that every electronic transaction over $1 be confirmed by answering security questions. [98] The court was concerned that prompting for the security questions so frequently created a risk that keyloggers (malware that monitors Internet activity and records keystrokes entered on financial sites) or other malware could capture the answers, after which the questions no longer distinguished the customer from the thief. That risk was compounded by the fact that the bank did not monitor the risk alerts its own system generated. Accordingly, the bank’s motion for summary judgment was denied. [99]
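The detection logic the opinion describes (a baseline of Friday payroll runs, a single office IP address, and accompanying withholding withdrawals, against which the fraud produced risk scores far above the customer’s normal range) and the failure the court faulted (scores computed but alerts not monitored, so the challenge answers a keylogger can harvest were the only effective gate) can be shown side by side in a few lines. The following Python is an added example, not the bank’s system and not anything taken from the opinion: the weights, threshold, IP addresses, dates, and amounts are constructed to mirror the facts described above, and the two decision functions are hypothetical models of the unmonitored and monitored configurations.

```python
"""Baseline-deviation risk scoring for outbound payment orders, modelled on the
Patco facts. All names, weights and sample data are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Transfer:
    """One outbound payment order as the bank's online banking front end sees it."""
    txn_id: str
    when: date
    src_ip: str
    amount: float
    with_withholding: bool   # accompanied by tax/401(k) withdrawals, as the customer's payroll always was
    challenge_passed: bool   # customer's security questions answered correctly


@dataclass(frozen=True)
class CustomerProfile:
    """Baseline learned from the customer's history (constructed to match the facts above)."""
    usual_weekday: int       # Monday == 0, so Friday == 4
    usual_ips: frozenset[str]
    usual_max_amount: float


# Hypothetical weights: the record gives the bank's scores (10-214 normal, 563-790 for the
# fraud) but not its formula, so these are chosen only to reproduce that separation.
WEIGHTS = {"off_schedule": 150, "new_ip": 250, "no_withholding": 200, "large_amount": 150}
HOLD_THRESHOLD = 400


def score_transfer(t: Transfer, p: CustomerProfile) -> tuple[int, list[str]]:
    """Sum the weight of every way the order departs from the customer's baseline."""
    reasons: list[str] = []
    if t.when.weekday() != p.usual_weekday:
        reasons.append("off_schedule")
    if t.src_ip not in p.usual_ips:
        reasons.append("new_ip")
    if not t.with_withholding:
        reasons.append("no_withholding")
    if t.amount > p.usual_max_amount:
        reasons.append("large_amount")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide_challenge_only(t: Transfer, p: CustomerProfile) -> str:
    """The failure mode the court described: a score is produced but nobody acts on it,
    so a correct challenge answer (harvestable by a keylogger) is the only gate."""
    score_transfer(t, p)  # computed and discarded, like an alert that is never read
    return "approve" if t.challenge_passed else "reject"


def decide_with_alerts(t: Transfer, p: CustomerProfile) -> str:
    """Risk score acts as a second factor: a high score holds the order for out-of-band
    confirmation even when the challenge questions were answered correctly."""
    score, _ = score_transfer(t, p)
    if not t.challenge_passed:
        return "reject"
    return "hold" if score >= HOLD_THRESHOLD else "approve"


# Constructed sample data (documentation-range IPs; not the actual transactions).
PATCO = CustomerProfile(usual_weekday=4, usual_ips=frozenset({"203.0.113.10"}),
                        usual_max_amount=40_000.0)
SAMPLE = [
    # Friday payroll from the office IP with the usual withholding: normal.
    Transfer("payroll-0501", date(2009, 5, 1), "203.0.113.10", 36_000.0, True, True),
    # Thursday, unknown IP, no withholding, oversized, but challenge answered correctly.
    Transfer("fraud-0507", date(2009, 5, 7), "198.51.100.77", 90_000.0, False, True),
]


def run(transfers: list[Transfer] = SAMPLE, profile: CustomerProfile = PATCO) -> dict[str, tuple[int, str, str]]:
    """Return {txn_id: (score, challenge-only decision, alert-aware decision)}."""
    return {
        t.txn_id: (score_transfer(t, profile)[0],
                   decide_challenge_only(t, profile),
                   decide_with_alerts(t, profile))
        for t in transfers
    }


if __name__ == "__main__":
    for txn, (score, naive, better) in run().items():
        print(f"{txn}: score={score} challenge-only={naive} alert-aware={better}")
```

The point of the two decision functions is that they consume the same score. In the first, a correct challenge answer overrides everything the scoring engine knows, which is exactly the configuration the court found unreasonable once the questions were being asked often enough to be captured; in the second, the score is allowed to veto the challenge, and the anomalous order is held for confirmation through a channel the malware on the customer's machine does not control.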
The First Circuit, however, left unanswered the question of whether, for liability or mitigation of damages purposes, a commercial customer has any obligations or responsibilities under Article 4A even where a bank’s security system is commercially unreasonable. Although the First Circuit did not issue any rulings on the subject, it did highlight factual issues the district court could consider in its analysis such as whether Patco should have been receiving e-mail alerts from the bank and whether the fraud was caused by malware and keylogging or whether Patco shared some responsibility.
The First Circuit concluded its analysis of the issue by saying, “Article 4A does not appear to be a one-way street. Commercial customers have obligations and responsibilities as well, under at least § 4–1204.” [100] That section requires the customer to notify the bank promptly (within 90 days) of an unauthorized transfer or risk losing any interest the customer would otherwise be entitled to receive. [101]
Shames-Yeakel v. Citizens Financial Bank [102]
After a bank demanded that a couple repay funds unlawfully withdrawn from their personal home equity line of credit, transferred to their business account, and then stolen, the couple sued for damages for negligence; breach of contract; and violation of the Truth in Lending Act, the Electronic Fund Transfer Act, the Fair Credit Reporting Act, and the Indiana Uniform Consumer Credit Code. Plaintiffs voluntarily withdrew their consumer credit and breach of contract claims; the district court granted summary judgment to the bank on the Electronic Fund Transfer Act claim, granted it in part on the Fair Credit Reporting Act and negligence claims, and denied it on the Truth in Lending Act claim. As to the negligence claim, the court allowed plaintiffs’ allegations of emotional and mental pain and anguish damages to survive.
The facts in this case are concerning. Plaintiffs operated an accounting and bookkeeping business from their home. The business had a corporate account (as distinct from plaintiffs’ personal accounts) with Citizens Bank. [103]
In April 2003, plaintiffs opened a $50,000 home equity line of credit with Citizens Bank. Plaintiffs took four advances on the line, all of which appeared to have been used for personal and not business purposes. [104]
On February 13, 2007, an unknown individual made an unauthorized $26,500 withdrawal on plaintiffs’ home equity line of credit using plaintiffs’ user name and password. What the thief did next is intriguing: instead of removing the funds directly and immediately, the thief transferred them from the home equity line into plaintiffs’ commercial account, from which they were ultimately removed. [105] Because the funds were ultimately removed from the business account, the bank argued that the statutory claims premised on a consumer transaction should not apply. The court was not persuaded by that argument. [106]
Next, the court found that there was sufficient evidence to support an FCRA claim. This was because Citizens reported the debt (the loan balance remaining after the funds were stolen) to credit reporting agencies but failed to note on the reports that the debt was the product of a theft. [107]
The last issue to be addressed in this discussion is the court’s analysis of plaintiffs’ negligence claim. On that claim, the court began with a careful analysis of defendant’s duty, breach of that duty, and then causation. Interestingly, the district court was willing to consider emotional and mental pain and anguish as potential damages components in this case. That is because, the court opined, “A reasonable finder of fact could conclude that Plaintiffs suffered mental and emotional anguish, and that Citizens’ alleged negligence in allowing the theft to occur and then violating TILA was a proximate cause of the anguish.” [108]
General Damages Discussion
There are a variety of types of damages that may be available in cyber liability cases and the nature and scope of damages will be dependent upon the following:
- Types of claims being made
- The party making the claims
- The geographic location of the claims (both from the standpoint of the claimant and alleged wrongdoer)
- The location of the alleged damages
- The specific circumstances surrounding the underlying data breach or other data breach claim
For example, while all parties may have claims against the entity that allowed the data breach to occur, the breaching entity may have claims against vendors or subcontractors obligated to provide advisory and/or security services. Similarly, in many instances, there will be contractual and/or common law indemnity claims that could flow upstream or downstream from the breaching party.
Obviously, the type of claim being made and the location of the claim are critical issues to evaluate in the initial phase of a damage assessment. Class action claims would generally create a substantially higher damage exposure than individual claims; however, a handful of claims by credit card issuing banks could create even greater exposure for damages, as these claims would include not only the cardholder’s claims, but also claims for internal investigation, reissuance of cards and payment on behalf of the cardholder for fraudulent transactions.
Furthermore, an ever-increasing number of damage claims can be made under state and/or federal law. These claims include penalties and fines for failing to adequately protect a consumer’s private financial information.
General Elements of Damage Claims
While there may be a number of different types of claims arising out of the broad category of “cyber liability,” the vast majority of claims arise out of data breaches that result in the transfer of individual or entity confidential financial information to unauthorized recipients. In analyzing a typical data breach claim, the following are the typical cost components, grouped as the Ponemon study groups them: [109]
- Detection and escalation costs
  - Forensic and investigative activities
  - Assessment and audit services
  - Crisis management team
  - Communication to executive management and board of directors
- Notification costs
  - Create contact database
  - Determine regulatory compliance requirements
  - Engagement of outside experts (including lawyers)
  - Postal expenses
  - Secondary contacts through mail or e-mail
  - Inbound communications setup
- Post data breach costs
  - Help desk setup
  - Inbound communication
  - Special investigation
  - Remediation (including credit monitoring and victim identity protection services)
  - Legal expenses
  - Product discounts
  - Identity protection services
  - Regulatory intervention response
- Lost business costs
  - Abnormal turnover of customers
  - Customer acquisition activities
  - Reputation loss
  - Diminished goodwill
The average total of the above itemized data breach costs is estimated at $188 per compromised record (what the study calls the per capita cost) in the United States for 2012. [110]
Conclusion—Target Claim Case Study for Data Breach Damages [111]
As explained in more detail above, during the holiday shopping season of 2013, Target was the victim of a significant data breach. According to a complaint filed by a number of banks that issued the stolen cards, the payment card information of 40 million Target customers was stolen. This information included customer names, credit card or debit card numbers, expiration dates, CVV codes, and PINs. Target acknowledged that the information was stolen between November 27 and December 15, 2013. After initially stating that PINs had not been stolen, and after offering customers a 10 percent discount during the remaining holiday shopping days, Target acknowledged on December 27, 2013, that hackers had stolen PINs.
In early January 2014, Target revealed for the first time that the personal information of an additional 70 million individuals had also been stolen. This information included customer names, mailing addresses, phone numbers, and e-mail addresses.
Within days of the data breach, the Secret Service, which is responsible for protecting the United States’ financial infrastructure and payment systems, became aware of 255,000 to 500,000 new stolen payment cards. The Secret Service notified Target on December 15, 2013, and Target commenced an initial investigation.
The class action complaint alleged that Target agents or employees downloaded information about best practices in data security. In addition, Target’s internal information indicated that an Enterprise Risk Management system would have cost less than 3 percent of the cost of the data breach, yet Target refused to implement such a system.
Assuming the average cost of $188 per compromised record applies to the 40 million payment card records in the Target data breach, the total resulting damages are approximately $7.5 billion. According to the complaint, the estimated costs to banks and retailers caused by the data breach could eventually exceed $18 billion. According to the Consumer Bankers Association, its member banks have spent over $172 million to reissue stolen payment cards. This amount does not include the fraudulent purchases and unauthorized cash withdrawals that the banks have had to absorb (most of the stolen data is alleged to have landed in Russia).
The banks allege that the costs they will incur include the following:
- Canceling and reissuing access devices
- Closing deposit, transaction, share draft, and other accounts and taking actions to stop payments and block transactions with respect to those accounts
- Opening and reopening deposit, transaction, share draft, and other accounts
- Refunding and adjusting cardholders to cover the cost of unauthorized transactions relating to the data breach
- Notifying affected cardholders
- Paying damages to affected cardholders
The claims against Target include unjust enrichment based on the allegation that Target benefited from receiving payments on transactions, has saved costs of not implementing proper data security policies, and realized increased sales related to false assurances of security. The complaint seeks refund or disgorgement from Target of wrongfully collected funds.
The class action complaint by the banks, which was eventually dismissed without prejudice, addresses claims against Target, but additional claims likely exist that Target could make against the professionals and consulting firms that advised it on security issues. For example, if Trustwave is determined to have failed to provide correct and industry-standard advice to Target, Target could seek not only indemnity for all of the damages it is being asked to pay to the banks, but also recovery of its internal investigation fees, legal fees, and lost customers, as well as damage to reputation and goodwill.
This situation resulted from Target having provided access to its computer system to a heating and air conditioning contractor that provides services to Target. As demonstrated by this situation, a relatively innocent and benign situation can turn into a global multibillion dollar damage claim that will take years to unwind and resolve.
Laura Caldera Taylor is a trial attorney in the Portland, Oregon, office of Bullivant Houser Bailey PC. Licensed in Oregon, she represents clients in intellectual property, directors’ and officers’ liability, professional malpractice, securities fraud, and other complex business litigation. Laura’s success with intellectual property clients includes patent, trademark, copyright, and trade secret litigation in state and federal courts in multiple jurisdictions. She was involved in the trial and appeal of one of the leading cases on trademark initial interest confusion on the Internet, Interstellar Starship Servs., Ltd. v. Epix, Inc., 304 F.3d 936, 941 (9th Cir. 2002). Laura’s success in D&O, securities fraud, and other complex business disputes includes state and federal litigation in multiple jurisdictions, as well as arbitrations and mediations. She was involved in one of the most complex commercial bankruptcies in Oregon’s history with an estimated $1.6 billion bankruptcy estate. Laura can be reached at (503) 499-4602 or laura.taylor@bullivant.com.
Thomas L. Hutchinson is an attorney in the Portland, Oregon, office of Bullivant Houser Bailey PC, where he is chairman of the firm’s business and commercial litigation group. After obtaining a bachelor of science degree in accounting, he spent three years as a financial consultant with a top-tier CPA firm. Licensed in Oregon and Louisiana, his litigation practice focuses on advising businesses and individuals regarding a wide range of issues with an emphasis on disputes involving financial matters. Tom’s areas of expertise include a full range of commercial disputes, professional liability litigation involving claims against attorneys, accountants, and financial advisors, and securities and bankruptcy-related litigation. He has tried a number of commercial cases to judgment and verdict, and has been involved in a number of matters involving broker-dealers, hedge funds, venture capital funds, and mortgage backed-securities. Tom can be reached at (503) 499-4582 or tom.hutchinson@bullivant.com.
[87] 684 F.3d 197 (1st Cir. 2012).
[88] Id. at 199.
[89] Id.
[90] Id. at 200.
[91] Id.
[92] Id. at 213.
[93] Id.
[94] Id. at 208.
[95] Id.
[96] Id.
[97] Id. at 201.
[98] Id. at 212.
[99] Id. at 213.
[100] Id. at 214.
[101] Id. at 214–215.
[102] USDC N.D. Ill. Case No. 07 C 5387, Memorandum Opinion and Order (Aug. 21, 2009).
[103] Id. at 2.
[104] Id. at 2–3.
[105] Id. at 3–4.
[106] Id. at 10–11.
[107] Id. at 15.
[108] Id. at 21.
[109] 2013 Cost of a Data Breach Study (Traverse City, MI: Ponemon Institute, June 13, 2013).
[110] Id.
[111] The discussion above regarding the Target data breach is based on the allegations in the class action complaint filed in Trustmark National Bank and Green Bank, NA v. Target Corporation and Trustwave Holdings, Inc., USDC, Northern District of Illinois, Eastern Division, Case No. 14 CV 2069.