This article was co-written by Massachusetts Fellow Lawrence G. Cetrulo, Hayley Kornachuk, and Elizabeth S. Dillon of Cetrulo LLP.
"Hackers only need to be successful once. But companies need to be successful repelling or defending against these attacks all the time."1
Americans are increasingly reliant on the Internet and digital technology. We use smart thermostats, digital locks, smart watches and wearable fitness trackers, smart scales, talking television remotes, talking washing machines, smart lightbulbs, connected coffee machines, ovens and refrigerators, smart ventilation systems, doorbell cameras, connected pet treat dispensers, smart cars, Amazon Echo, Google Home, and similar devices which connect us to the Internet. More broadly, the State and Federal government rely on the Internet to support critical infrastructure, including electricity, water, transportation, and education.
As reliance on the Internet grows, so too does the potential for cyberattacks.2 Recognizing this threat, all sectors of government have ramped up their enforcement of cybersecurity laws and regulations.3
The Federal Trade Commission ("FTC"), for example, has expanded its consumer protection mandate into the cybersecurity realm.4 Beginning in 2002, the FTC initiated cybersecurity-related enforcement actions,5 on the theory that a corporation's failure to implement reasonable cybersecurity best practices constitutes the type of "unfair and deceptive business practices" prohibited by the Federal Trade Commission Act ("FTCA"), 15 U.S.C. §§ 41-58.
The FTC's interpretation of the "unfairness" provisions of the FTCA, while broad, has received judicial support. In FTC v. Wyndham Worldwide, 799 F.3d 236 (3d Cir. 2015), the Third Circuit held that the FTC maintained the authority to regulate cybersecurity and held that, in failing to properly protect against cyberattacks, Wyndham violated the unfairness provisions of the FTCA. Wyndham, 799 F.3d at 243-246. In so holding, the Court expressly rejected Wyndham's argument that "a business 'does not treat its customers in an 'unfair' manner when the business itself is victimized by criminals.'" Id. at 246.
Corporate victims of cyberattacks already face significant costs, including "help desk activities, inbound communications, special investigative activities, remediation, legal expenditures, product discounts, identity protection services and regulatory interventions."6 Now, corporate victims of cyberattacks also face significant enforcement actions by the FTC.
While the FTCA itself does not provide consumers with a private right of action,7 numerous state laws based upon the FTCA provide private rights of action, further expanding corporate cybersecurity victims' potential liability. The Massachusetts Consumer Protection Statute, M.G.L. c. 93A, for example, not only affords a private right of action to victims of unfair and deceptive trade practices (M.G.L. c. 93A, § 9), it also permits Courts to award double or treble damages and attorneys' fees in certain circumstances.
Massachusetts Courts have held that, when the FTC deems conduct "unfair and deceptive" pursuant to the FTCA, the same conduct also violates the prohibition against "unfair and deceptive trade practices" set forth under the Massachusetts Consumer Protection Act, M.G.L. c. 93A. See Slaney v. Westwood Auto, Inc., 366 Mass. 688, 694 n. 8 (1975) (Massachusetts has "wholly incorporated" the FTCA into M.G.L. c. 93A); Purity Supreme v. Attorney General, 380 Mass. 762, 766 ("Chapter 93A... incorporates the extensive body of Federal administrative and decisional law under the FTC Act... at least in so far as it relates to definitions of 'unfair' and 'deceptive'").
Because the FTC has successfully expanded the statutory term "unfair" to include cyberattacks, and because Massachusetts law comports with the FTCA, we anticipate that Massachusetts victims of cyberattacks will increasingly be using their private rights of action under M.G.L. c. 93A to seek redress from corporations following cyberattacks.
Indeed, Massachusetts Attorney General Maura Healey has already initiated litigation on behalf of Massachusetts residents under M.G.L. c. 93A. On September 19, 2017, General Healey initiated litigation against Equifax, Inc., in response to the data breach Equifax experienced between May 13, 2017 and July 30, 2017.8 According to the Complaint, the data breach at issue affected the sensitive and personal information of 143 million consumers, including roughly 3 million consumers in Massachusetts. The information stolen included full names, social security numbers, dates of birth, addresses, and for some, credit card numbers, driver's license numbers, and other personally identifiable information.
General Healey alleges that Equifax engaged in unfair and deceptive acts or practices in violation of G.L. c. 93A § 2(a), including: (a) failing to promptly notify the public (including the Attorney General's Office and affected residents) of the Data Breach despite the existence of substantial risk to consumers from the Data Breach; and/or (b) failing to maintain reasonable safeguards sufficient to secure the private and sensitive information about Massachusetts consumers from known and foreseeable threats of unauthorized access or unauthorized use, including identity theft, financial fraud, or other harms.
Although the Equifax litigation was initiated by General Healey, individual consumers also have the right, pursuant to M.G.L. c. 93A, § 9, to initiate private rights of action. This is not true of such statutes in other states, as not all consumer protection statutes are equal, and available remedies vary from state to state. For example, not all states' consumer protection statutes afford private rights of action. The Arizona Fraud Act9 contains no language indicating whether a consumer or private party may bring an action, and the Arkansas Deceptive Trade Practices Act10 only affords individuals the right to file a petition with the Attorney General after the Attorney General has brought a claim pursuant to Ark. Code Ann. §4-88-111.
Some state consumer protection statutes which include a private right of action limit available remedies. For example, while Mississippi affords a private right of action under its consumer protection statute, Miss. Code Ann. § 75-24-15, the available remedies are minimal and likely not worth the time and effort of initiating litigation.
In addition, many states have pre-suit notice requirements, while others do not allow consumers to recover attorneys' fees, even if they win. The possibility of having to pay attorneys' fees would make pursuing a claim under an Unfair and Deceptive Acts and Practices statute of little to no use to consumers.11
Another issue consumers may face is whether their state's statute distinguishes between "deceptive practices" and "unfair practices," and how broad the prohibitions of those two kinds of conduct are. Some state statutes, like the Massachusetts Consumer Protection Statute, are based on the FTCA, which includes a general and broad prohibition against both deceptive conduct and unfair conduct. Other states' consumer protection statutes contain very narrow readings as to what constitutes unfair and deceptive practices. Lastly, some states' consumer protection statutes allow state agencies (akin to the FTC) to issue regulations prohibiting specific unfair or deceptive practices. This allows states to target "emerging" unfair or deceptive practices, such as those relating to cybersecurity attacks.
Although consumer protection statutes vary widely from state to state, it is anticipated that (a) individual consumers will increasingly initiate private rights of action as the threat of cyberattacks continues to grow, and (b) where the FTC and comparable state agencies may not use their limited resources to pursue claims against smaller corporate victims of cyberattacks, individual consumers will turn increasingly to state consumer protection statutes to seek relief, particularly where the applicable statute permits attorneys' fees awards and multiple damages, as in Massachusetts.
Attorneys representing individual consumers should familiarize themselves with state consumer protection laws to determine whether initiating litigation against corporations following a cyberattack is worthwhile. Attorneys representing corporations should evaluate the increasing risk of cyberattacks, not only with respect to immediate costs following an attack, but also with respect to increasing liability under Federal and state consumer protection laws.
1 PAUL A. FERILLO, NAVIGATING THE CYBERSECURITY STORM: A GUIDE FOR DIRECTORS AND OFFICERS (2015).
2 Lee Rainie, et al., Cyberattacks Likely to Increase, Pew Research Center Internet and Technology (Oct. 29, 2014), https://www.pewinternet.org/2014/10/29/cyber-attacks-likely-to-increase/ (last visited January 25, 2018).
3 Lawrence G. Cetrulo, et al., Expanding Enforcement: The Developing Field of Cybersecurity, Massachusetts Lawyers Journal, May/ June 2017, at 26.
4 PREPARED STATEMENT OF THE FEDERAL TRADE COMMISSION ON SMALL BUSINESS CYBERSECURITY: FEDERAL RESOURCES AND COORDINATION BEFORE THE COMMITTEE ON SMALL BUSINESS UNITED STATES HOUSE OF REPRESENTATIVES, Washington, D.C., March 8, 2017, available at https://www.ftc.gov/system/files/documents/public_statements/1174903/p072104_commission_testimony.pdf (last visited Jan. 25, 2018).
6 2017 Cost of Data Breach Study; Global Overview, PONEMON INSTITUTE, Jun. 2017, at 3.
7 Stephanie L. Kroeze, The FTC Won't Let me Be: The Need for a Private Right of Action Under Section 5 of the FTC Act, 50 Val. U. L. Rev. 227 (2015) (available at https://scholar.valp.edu/vulr/vol50/iss1/7) (last visited Jan. 26, 2018).
8 Commonwealth of Massachusetts v. Equifax, Inc., Suffolk Superior Court C.A. No. 1784-CV-03009.
9 Ariz. Rev. Stat. Ann. §§ 44-1521 through 44-1534.
10 Ark. Code Ann. §§ 4-88-101 through 4-88-207.
11 See Gen. Motors Acceptance Corp. v. Laesser, 791 So. 2d 517 (Fla. Dist. Ct. App. 2001). Because Laesser brought his underlying claim against General Motors under sections 501.201-501.213, he became liable for the latter's reasonable appellate attorney's fees when he lost on appeal. The court required Laesser, who had won under the Florida Deceptive and Unfair Trade Practices Act in the trial court, to pay attorney's fees to the business after the business won the case on appeal, without any finding that he had brought the suit in bad faith.
Massachusetts Fellow Lawrence G. Cetrulo is a 1971 graduate of Harvard College, with a master’s degree in education from the Harvard Graduate School of Education in 1972, and is a 1975 graduate of the Northeastern University School of Law. Cetrulo has been a national leader in the defense and trial of toxic tort litigation for over 39 years and is the founding and managing partner of Cetrulo LLP with offices in Boston, on the refurbished Boston Seaport, Providence, New Haven, and New York City.
Hayley Kornachuk is an associate at Cetrulo LLP’s Boston Office. She practices primarily in the area of asbestos litigation, products liability and toxic tort litigation. Prior to joining Cetrulo, Kornachuk worked in the legal department of an insurance company handling water damage subrogation claims and managing e-discovery matters for a Fortune 500 company.
Elizabeth S. Dillon is an associate attorney at Cetrulo LLP. Her practice focuses on employment advice and counseling, as well as employment, business, real estate, and probate litigation.