2017 Year in Review: Data Breaches

Financial Services Law

The year 2017 saw the number of data breaches grow, and the trend is expected to continue and intensify. From Yahoo’s announcement that three billion of its user accounts were compromised to the Equifax breach and resulting fallout, data breaches never strayed far from the front pages.

In raw numbers, data breaches have been increasing each year. According to the Identity Theft Resource Center (ITRC), there was a 29% increase in the number of breaches during the first six months of 2017 over the same period in 2016. The majority—63%—of those breaches involved hacking, which the ITRC defines as including phishing, ransomware, malware and skimming. Of the data breaches attributable to hacking, nearly half involved phishing, and nearly one in five involved ransomware.

Perhaps the most newsworthy breach of 2017 was the theft from Equifax of over 143 million records, including names, Social Security numbers, birthdates, addresses and driver’s license numbers. The breach spawned legislative hearings, multiple class actions, proposed legislation and regulations, and other responses.

Approximately one month after the Equifax breach became public, Yahoo, which suffered a breach in 2013, announced that every single customer account—over three billion in total—was affected by the breach. The huge number of impacted accounts made this the largest data breach ever.

In data breach litigation, financial institutions saw some success in 2017 in suing retailers to recover consumers’ losses stemming from breaches. For example, Veridian Credit Union filed suit against Eddie Bauer after hackers accessed Eddie Bauer’s point-of-sale register system. Veridian claimed that the data breach and its costs, which included reissuing payment cards to Veridian customers, were the foreseeable result of Eddie Bauer’s inadequate data security measures. District Judge James L. Robart denied Eddie Bauer’s motion to dismiss the suit, applying Washington law because it defines the standard of conduct for businesses that suffer breaches. Judge Robart also allowed the suit to continue, based on a theory that Eddie Bauer engaged in an unfair or deceptive act or practice. Going forward, other financial institutions are likely to assert claims under similar theories.

Legislative and regulatory approaches to preventing data breaches also expanded in 2017. Following the Equifax breach, New York Attorney General Eric T. Schneiderman introduced the SHIELD Act, a bill designed to protect New Yorkers’ personal information from data breaches. If enacted, the Act would require businesses to adopt “reasonable” safeguards for sensitive data and expand the triggers for reporting breaches. The Office of the Comptroller of the Currency (OCC) has also announced the intent to focus on cybersecurity. The OCC’s Committee on Bank Supervision, in its operating plan for fiscal year 2018, included cybersecurity in its areas of focus as well. This will entail OCC examiners “review[ing] banks’ programs to determine to what extent they assess the evolving cyber threat environment and banks’ cyber resilience,” in part to ensure banks are prepared to prevent data breaches.

There is no reason to think that the pace of data breaches will slow down, nor will governmental scrutiny of companies’ cybersecurity efforts. It is more important than ever for companies to be familiar with the data they store, be aware of emerging threats, and know how to respond when—not if—they are subject to a cyberattack or breach.