Could civil litigation fill in the gaps that regulation doesn’t cover?

Yahoo will be sued over the mega breach that was revealed last week. A resident of New York, Ronald Schwartz, filed the suit on Friday in a California court represented by law firms Robbins Geller Rudman as well as Dowd and Labaton Sucharow.

The suit states that if only Yahoo had been more serious about user privacy, then millions of the company's customers' personal data would not have been exposed. Instead, the claimants state, the company showed “reckless disregard for the security of its users' personal information”. The lawsuit says that Yahoo took three times as long as it should have to uncover the breach, which was initially performed in 2014.

While there are different estimates about what the average breach detection time is, a FireEye report released earlier this year put it at 146 days, which would make a breach pulled off in 2014 well overdue for discovery.

Already, the UK information commissioner has threatened large fines over the failure to protect customer data.

The breach, known to some as the largest ever, exposed 500 million user accounts and is believed to have been pulled off by a group with the backing of a nation-state. The company admitted on 22 September that the stolen information included email addresses, phone numbers, and encrypted passwords.

Millions of users have been urged to change their passwords in the wake of the disclosure.

The details of how the company was breached are not yet clear and a Yahoo spokesperson told SCMagazineUK.com that the company does not comment on ongoing litigation.

Victims of data breaches are increasingly wising up to the responsibilities companies have in protecting their data. After the Morrison's breach of 2014 exposed the payroll data of the supermarket giant's employees, thousands of those employees mounted a lawsuit against the company. More recently, the staff of hard drive manufacturer Seagate have launched a civil suit against the company for failing to protect their personal data.

As regulations are so often arcane and hard to follow, could civil litigation be a route to not only fair recompense for the victims of a breach, but a strict corrective to those who should have been better prepared?

This may “lead to more than just companies re-thinking their security strategy,” Amit Ashbel, cyber-security evangelist at Checkmarx told SC. “It will probably also create an industry demand for clear regulations and standards to not necessarily prevent such attacks but rather protect organisations from further legal actions following a breach.”

Gubi Singh, chief operating officer at Redscan told SC that claimants may face problems moving forward with lawsuits: “The challenge for any customer thinking about taking out legal action is proving that he or she has incurred direct financial loss as a result of their personal data being compromised. Awards for distress are uncommon so this appears to be the main factor holding back claims.”

Michael Callahan, senior vice president at Firemon held similar reservations: “I don't think litigation on its own will force companies to protect themselves better, although it may help. As with many of these things, the response is far too reactive. While most communications seem to be focusing on what customers can do after the fact or suing, they're ignoring the wider issue of the complexity of networks and security and how the business should be tackling cyber-security with better, more intelligent security management.”

But what if current coercive measures, like regulation, fail? The GDPR, which is set to fine companies four percent of global turnover for non-compliance, doesn't take effect until 2018.

Current regulation often doesn't quite suffice, said Mark James, security specialist at ESET: “It does seem to the general public that breaches happen all too often; your data is lost or stolen, the hacked company are really sorry, they have reviewed their security procedures and will do all they can to not let it happen again, but what exactly is that? Often any fines levied against that company are insignificant when you look at their financial turnover, in many cases it seems cheaper to do the minimum, take the hit and mop up the damage.”

James added, “Our data has become a tradable commodity and sadly the fines and repercussions do not seem enough of a deterrent; will civil litigation make the difference? Maybe.”

Given that fact, it's often the sole recourse of a party injured in a major breach, argues Graham Mann, managing director at Encode Group UK. He told SC: “In these situations, it's the individuals that are impacted, some severely. Let down by current legislation, it leaves the injured consumer/employee with no recompense save civil action.”

Mann believes that it might have the coercive effect that regulation often fails to have: “the potential financial implications of such action will drive boards to focus on better securing personal data. In turn, this will put pressure on directors to personally take a more active role in their cyber-security defences.”

Whatever the value of such a development, this is something that organisations should be preparing for, Brian Chappell, director of technical services EMEAI & APAC at BeyondTrust, told SC: “The Yahoo case could set a worrying precedent given last year's UK law move toward US-style opt-out class action lawsuits, where all affected parties are automatically included in the lawsuit unless they choose to actively opt-out. This could lead to massive claims against organisations proven to have done a poor job in securing their users' data.”

Paul Farrington, manager of EMEA solution architects at Veracode, doesn't think it will be so much litigation, but insurance that forces companies to shape up. He told SC, “fire insurance was an essential driver in both creating and enforcing minimum standards for fire safety procedures and building construction. Similarly, we're likely to see cyber insurance help establish a new baseline for cybersecurity best practice.”

“Companies who pay into cyber insurance policies want to ensure their cybersecurity measures meet the required level for the policy to pay out if they are breached. And while offsetting the financial losses of a breach tends to be the primary incentive for most companies buying this insurance, it will also dramatically change corporate approaches to cybersecurity and establish a benchmark for responsible security.”