Data breaches now occur every day. The breached organization’s response is often reactive, combined with confusion over what happened and worry about the potential fallout. Many of us assume that data breaches are the result of some high-tech hack job. Many are. But a substantial number are caused by employee error and misuse, and many are preventable. For dealerships that take data security and privacy seriously, the legal liability associated with a data breach can be significantly diminished.
When I set up data security and privacy programs for proactive dealerships, the most common concern is the extent of a dealer’s potential liability following a breach. If this inquiry comes in the midst of setting up a compliance program, the answer is palatable. If it comes following a breach – and with no programs in place – the answer won’t make it past management’s gag reflex.
Before diving into a dealer’s potential liability for a data breach, let’s review a few concepts. To start, let’s get a handle on the definition of a data breach. Indiana defines a data breach as “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information[.]” Proper encryption of computerized information can take unauthorized access to personal information outside the data breach definition, but not always: if the encryption key was compromised along with the data, the encryption affords no safe harbor. Also, Indiana, unlike most states, extends the definition of a data breach to unauthorized acquisition of paper materials – i.e., your deal files. So, anywhere that you store your customers’ information is a potential breach point – your DMS, local databases, employee phones and devices, e-mail, computer terminals that aren’t timed out, file cabinets and so on. If you haven’t inventoried those locations, you can’t know what a breach has touched.
When a breach occurs, your customers will most likely wonder what sort of damage they’ll suffer. Courts have struggled with this question. The unauthorized exposure of your customer’s information (even if stolen) doesn’t necessarily lead to your customers suffering pecuniary harm. Until fairly recently, potential data breach lawsuits (class actions in particular) brought in Indiana courts stood on shaky ground because plaintiffs often could not show damages, and therefore lacked standing. Standing generally refers to a plaintiff’s ability to demonstrate harm, or the likelihood of harm, that can be remedied through a lawsuit. The question is whether a data breach creates sufficient impending harm to confer legal standing on plaintiffs.
In Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015), the Seventh Circuit Court of Appeals (Indiana is in the Seventh Circuit) provided guidance favoring plaintiffs. That court decided that there was an “objectively reasonable likelihood” that data thieves would misuse stolen data. Plaintiffs do not have to wait until identity theft or credit card fraud actually occurs to establish a sufficient injury for standing purposes. So, if customer data is stolen, it’s wise to assume that the customer will have standing to sue – regardless of whether the data is ever misused. Lawsuits will involve a combination of statutory and common law claims, most of which haven’t been applied to, and weren’t designed for, data breach lawsuits.
Here are a few considerations.
Deceptive Consumer Practices Act
Data Breach Notification Laws
Indiana’s data breach notification statute sets out the steps that a company must take following a breach. As the name implies, many requirements relate to notifying customers (and the Attorney General) of the breach. It also requires that a business maintain reasonable procedures to keep personal information secure and uncompromised. What this statute lacks is a private cause of action. While many states grant consumers a private cause of action under their data breach notification laws, Indiana limits the universe of people who can sue your dealership under this statute to the Attorney General. That seems like good news, but a failure to comply is treated as a deceptive act, and the AG can seek a civil penalty of up to $150,000 per deceptive act.
Negligence
The age-old negligence claim has been wrapped around everything from auto accidents to professional malpractice. Any time a person or company fails to fulfill a duty owed to a person or class of persons, it can be sued for the damages proximately caused by the breach of that duty. We expect to see claims that a dealer had an obligation to safeguard data and maintain its customers’ privacy. Failing to put policies and adequate control systems in place will provide fuel for these claims.
Breach of contract/warranty/negligent misrepresentation
There must be an exchange of obligations (or forfeiture of some right) to establish a claim for breach of contract – e.g., you give me money, I’ll give you a car. The inquiry here is whether an obligation to secure information arose incidental to the transaction, or from representations made by the dealer to the customer (a privacy notice, for example). Statements concerning data security and privacy, if inaccurate, may also give rise to a claim for negligent misrepresentation (in addition to a statutory deception claim).
This list of potential claims is not exhaustive. Enterprising plaintiffs’ lawyers are sure to test the bounds of the existing legal infrastructure when prosecuting data breach lawsuits. Dealers can prepare to avert potential civil liability by complying with state and federal mandates, and by routinely reviewing and improving their systems. Unfortunately, many dealers’ compliance plans either do not exist or are inaccurate or insufficient. It’s easy for dealerships – which are chiefly concerned with selling cars, as they should be – to fall out of compliance with current laws and practices.
Developing the proper programs will go a long way to providing you with a strong hedge of defense should a breach hit your dealership. You certainly don’t want to be the test case.