With the rapid growth of the use of technology in business comes great risk to consumers private information, and a concomitant risk to many of the businesses that are charged with the protection of that private information. In recent years, the Federal Government has enacted regulations, albeit vague in form, in an attempt to manage these risks. One such act, entitled the Gramm-Leach-Bliley Act (GLBA), or the Financial Services Modernization Act, was enacted by Congress in 1999 in an effort to provide a forward-looking framework within which “financial institutions” must proactively protect consumers’ nonpublic financial information.1
Financial institutions are required by the GLBA to “establish appropriate standards” to safeguard customer’s personal financial information, in order: “(1) to insure the security and confidentiality of customer records and information; (2) to protect against any anticipated threats or hazards to the security or integrity of such records; and (3) to protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.”2
In response to this directive, the Federal Trade Commission (FTC) promulgated the Safeguards Rule, which requires financial institutions subject to FTC jurisdiction to adopt safeguards against disclosure of customers’ personal information.3 The FTC’s Safeguards Rule is intentionally broad to allow flexibility for the broad range of businesses covered by the Rule. It provides a “framework for developing, implementing, and maintaining the required safeguards, but leaves each financial institution discretion to tailor its information security program to its own circumstances.”4 The Rule requires each covered financial institution to implement steps including, but not limited to, designating employees to coordinate the safeguards in order to ensure accountability; identifying and assessing the risks to customer information in each relevant area of the company’s operation; and designing and implement information safeguards.5
CAUSES OF ACTION
Plaintiffs have attempted to bring suit under the GLBA for businesses’ alleged violations of the GLBA. However, it has been consistently held that the GLBA does not provide for a private right of action.6 In fact, by its very terms, the GLBA can only be enforced by “the Federal functional regulators, the State insurance authorities, and the Federal Trade Commission.”7 Courts have held that, although the GLBA does not provide for a private cause of action, it does set forth identifiable standards, the breach of which may be used to satisfy an element of a common law negligence per se cause of action.8
Although case law indicates that a Plaintiff may bring an action in negligence per se based upon an alleged violation of the GLBA, defense counsel may defend against such a claim by utilizing a Motion for Summary Judgment establishing that the covered financial institution had written security policies in place to protect consumers’ financial information. In Guin v. Brazos Higher Educ. Serv. Corp., Inc., No. CIV. 05-668 RHK/JSM, 2006 WL 288483 (D. Minn. Feb. 7 2006), Plaintiff alleged that Defendant owed a duty under the GLBA to secure Plaintiff’s private information, and the duty was breached by allowing an employee to keep nonencrypted private data on his laptop. The court found that Plaintiff did not present sufficient evidence to support the claim that Defendant had breached a duty established by the GLBA, based upon the fact that Defendant had “written security policies, current risk assessment reports, and proper safeguards for its customers’ personal information as required by the GLB Act.”9
A negligence per se claim may also be defended against through a Motion to Dismiss based upon the Economic Loss Rule, which states that purely economic losses are not recoverable in negligence absent personal injury or property damage. A recent landmark case involving corporate giant TJ Maxx involved claims of negligence, which the court dismissed based upon the economic loss rule.10 In that case, TJ Maxx issued credit cards to consumers, who then used those cards to purchase goods at TJ Maxx stores. TJ Maxx discovered that hackers had stolen personal and financial information of consumers who used the credit cards. The Plaintiffs formed a class action lawsuit against TJ Maxx to recover their costs and alleged various counts, including negligence.11
The Plaintiffs argued that their claims were not barred by the economic loss rule because they experienced property damage in that the compromised credit cards could no longer be used and that card verification codes were lost. The court disagreed with Plaintiffs’ position on the basis that the cost of replacement cards is an economic loss, and dismissed the negligence count.12 Thus, to the extent the state recognizes the economic loss doctrine, actions based upon the theory of negligence per se may be disposed of at the Motion to Dismiss stage.
The GLBA does not specify fines to be imposed upon violation of the Act. However, potential exposure for businesses can be significant, as evidenced by the multimillion dollar settlement resulting from the TJ Maxx case. The Plaintiffs settled with TJ Maxx for compensation to those injured, agreeing to implement a credit monitoring plan, institute identity theft insurance, and providing $6.5 million in attorneys’ fees and costs. TJ Maxx settled with 41 state Attorneys General for $9.75 Million and an agreement to fund state data protection and prosecution efforts. The details of the information security program adopted by TJ Maxx are stringent, and require detailed levels of security. 13
In 2005, the first two instances of the FTC’s enforcement of the Safeguards Rule resulted in non-monetary settlements. In these cases, the FTC issued a Complaint charging two mortgage companies with violation of the FTC’s Safeguards Rule for not having reasonable protections for consumers’ private information. The parties thereafter executed an Agreement Containing Consent Order, where the companies agreed to implement an assessment and report from a third-party professional, using procedures and standards that set forth security program safeguards appropriate for the businesses’ size and function.14
Thus, potential exposure for businesses in failing to implement security measures could entail significant monetary settlements/damages, as well as significant costs in implementing security plans that are likely more stringent than if implemented without the intervention of lawsuits and settlements. The aforementioned discussion demonstrates the potential exposure to lawsuits, damages, and settlements under the emerging cyber security laws, and highlights the importance of proactively implementing security measures to protect not only consumer nonpublic information, but the time and resources of all involved.
1 Gramm-Leach-Bliley Act of 1999, Pub. L. No. 106-102, 113 Stat. 1338 (1999) (codified in scattered sections of 12 and 15 U.S.C.). The GLBA applies to “customers,” including “any person (or authorized representative of a person) to whom the financial institution provides a product or service, including that of acting as a fiduciary.” The “financial institutions” consist of “any institution engaged in the business of providing financial services to customers who maintain a credit, deposit, trust, or other financial account or relationship with the institution.”
2 15 U.S.C. §6801(b).
3 16 C.F.R. §314, Standards for Safeguarding Customer Information; Final Rule.
4 16 C.F.R. §314.4.
6 See 15 U.S.C. §6805; Dunmire v. Morgan Stanley DW, Inc., 475 F.3d 956, 960 (8th Cir. 2007) (“[n]o private right of action exists for an alleged violation of the GLBA”); Lentz v. Bureau of Med. Econ. (In re Lentz), 405 B.R. 893, 899 (Bankr.N.D.Ohio 2009) (“courts have consistently held there is no private right of action created by Congress in the GLBA”); French v. Am. Gen. Fin. Servs. (In re French), 401 B.R. 295, 310 (Bankr.E.D.Tenn.2009) (“[by its very terms, the Gramm-Leach-Bliley Act does not provide a private right of action”).
7 15 U.S.C. § 6805(a).
8 See Nicholas Homes, Inc. v. M & I Marshall & Ilsley Bank, N.A., 2010 WL 1759453 (D.Ariz., Apr. 30, 2010) (“The Court agrees that, although the GLBA does not provide for a private cause of action, it also does not preclude a common law cause of action.”), and Basham v. Pacific Funding Group, 2010 WL 2902368 (E. D.Cal., July 22, 2010) (“[T]he violation of a statute can be used to satisfy an element of a negligence cause of action.”).
9 Guin v. Brazos Higher Educ. Serv. Corp., Inc., No. CIV. 05-668 RHK/JSM, 2006 WL 288483, at *4 (D. Minn., Feb. 7, 2006).
10 In re TJX Companies Retail Security Breach Litigation, Civil Action No. 07-10162-WGY (D. Mass., Dec. 18, 2007).
13 Tara M. Desautels and John L. Nicholson, Pillsbury Winthrop Shaw Pittman LLP, TJ Maxx Settlement Requires Creation of Information Security Program and Funding of State Data Protection and Prosecution Efforts (2009), http://www.pillsburylaw.com/siteFiles/Publications/7F4F43B367B5276B0CFA6D13CFF4044C.pdf.