Unfortunately, big data breaches are not new. So there is the temptation to shrug one’s shoulders and think, “It’s just another day in modern life.” A data breach at a financial institution, however, demands our attention.
In March 2019, Capital One suffered a data breach exposing the information for over 100 million Capital One customers. The data compromised included 140,000 Social Security numbers, 80,000 bank account numbers, and an undisclosed number of names, addresses, credit information, balances and other private information.
Officials do not believe the hacker disseminated the information or actually used the stolen information for any fraudulent purpose, but investigations are still underway. Even still, this breach serves as an important reminder to financial institutions that they are targets for hackers seeking to gain access to private customer data.
While significant attention should be given to how to prevent a data breach, this article will discuss the potential legal fallout of a data breach and the claims a bank or financial institution might face under Alabama law in the wake of a data breach.
Breach of Contract – Express or Implied
In the event of a data breach, one claim that a bank can expect to see in a complaint is breach of contract. Customer agreements often govern the relationship between a bank and its customers, but they can also create a cause of action for a customer against the bank. If a customer agreement requires a bank to safeguard a customer’s private data or implies in any way that the bank will safeguard the customer’s private data, the bank can expect a breach of contract claim in the event of a data breach. This would expose the bank to actual damages suffered by an affected party or parties.
Even if the customer agreement does not expressly speak to a bank’s obligations to secure personal information, a creative plaintiff’s attorney might argue that an implied contract existed and file a civil action for breach of implied contract. In a July 30, 2019, putative class action relating to the Capital One data breach, the initial plaintiff alleges that Capital One breached an implied contract with him, a customer, because he entrusted his private information to the Capital One for the purpose of applying for a credit card and Capital One implicitly agreed that it would only use his private information for that purpose. The initial plaintiff also argues that Capital One implicitly agreed to safeguard his private information by accepting the private information for its credit card products. Should an Alabama bank suffer a data breach, that bank can expect that a plaintiff will allege a similar cause of action and argue that the bank agreed to safeguard the customer’s private information in exchange for the customer’s business.
Negligence or Negligence Per Se
Following the Capital One breach, plaintiff filed a putative class action alleging claims for negligence and negligence per se. The plaintiff alleged that Capital One was negligent because it solicited and took possession of customers’ private information and had a duty to exercise reasonable care in securing that information. The plaintiff also alleged that Capital One had a duty to destroy applicants’ personal information within a reasonable amount of time after the information was no longer required by Capital One. According to the plaintiff, these duties arose from its relationship with applicants and customers, federal laws, and from industry custom. And, according to the Complaint, Capital One breached these duties by failing to implement industry protocols, failing to exercise reasonable care, and by failing to provide timely notification of the breach.
The plaintiff also alleged a claim of negligence per se. While proving a negligence claim can sometimes be difficult, negligence per se lessens the burden of proof on the plaintiff because a violation of the law creates a presumption of negligence. The plaintiff pleaded negligence per se by pointing to the Federal Trade Commission Act (“FTC Act”). The Complaint argues that Capital One violated Section 5 of the FTC Act, which prohibits unfair practices in or affecting commerce, which, according to the plaintiff, includes a business’s failure to properly secure private information. While Section 5(a) of the FTC Act exempts banks, although case law indicates it may not exempt some bank subsidiaries, the claim from the plaintiff in the Capital One putative class action is indicative of how a plaintiff might use a statutory duty to argue and plead negligence per se. For example, a plaintiff might point to a bank’s statutory duties under the Gramm-Leach-Bliley Act (“GLBA”) and argue negligence per se for a data breach pointing to a violation of the GLBA.
The GLBA governs the treatment of nonpublic personal information about consumers by financial institutions. The GLBA requires financial institutions to design, implement and maintain standards to protect nonpublic consumer information, which become promulgated as the Safeguards Rule. The Safeguards Rule is implemented and enforced by eight different federal and state agencies, depending on the type of financial institution at issue. The Federal Trade Commission (FTC) has become a sort of “catch-all” regulator of the GLBA for financial institutions who do not fall within one of these or other enumerated categories, such as nonbank mortgage lenders, loan brokers, tax preparers, providers of real estate settlement services and debt collectors. While there is no private cause of action under the GLBA, officers and directors of the financial institution can face civil and criminal penalties that include fines and imprisonment. In the event of a data breach, a bank can expect federal and state agencies to examine the breach and, if appropriate, expect the government agencies to impose stiff penalties.
By no means is this an exhaustive list of possible claims a bank might face from private plaintiffs and state or federal agencies in the event of a data breach. A data breach will bring heightened scrutiny regarding a bank’s security practices, and a bank should seek to limit its exposure by complying with all laws setting security standards, meeting or exceeding industry custom, and using commercially reasonable care to secure private and sensitive information. If a breach occurs, a bank should immediately seek counsel to help navigate and limit civil and criminal liability.
Brian Malcom is a partner at Waller Lansden Dortch & Davis LLP in Birmingham. Representing banks, lenders, financial institutions, and healthcare firms in litigation matters, Brian Malcom constantly seeks to insulate clients from liability, while minimizing the impact on their operations. Clients depend on Brian’s analytic abilities to resolve commercial disputes related to financial products liability, contractual agreements, and other business issues.