It was a game-changing week for corporations fighting the longstanding effects of data breaches. Instead of the little guy against the big corporation, it was customers, shareholders and the government against corporate America.
First, the CEO of Target resigned in the wake of the massive holiday-season data breach that sent its profits plummeting, along with customers’ confidence in the retailer’s ability to protect their privacy. This was the first time a CEO has resigned following a data breach.
Then Wyndham Worldwide, which suffered three data breaches between 2008 and 2010 and is often touted as a hero for challenging the Federal Trade Commission’s jurisdiction over data security, was hit with a shareholders’ suit this week. Although the Wyndham case against the FTC has had its ups and downs, as happens in novel litigation, it has paved the way for others, including LabMD, to challenge the FTC’s assertion of very broad regulatory enforcement, under the guise of Section 5 of the FTC Act (consumer protection), over a company’s data security practices following a data breach. The Wyndham shareholders’ derivative suit is a blow to the C-Suite and corporate board and another first in the wake of a data breach. The suit alleges claims of breach of fiduciary duty, waste of corporate assets and unjust enrichment against the CEO, General Counsel and corporate directors. This is a novel concept that will, no doubt, proliferate in the wake of large data breaches.
And what about LabMD? Watch that case closely. LabMD followed Wyndham’s path and is in the middle of a contentious row with the FTC, disputing the agency’s enforcement jurisdiction over LabMD’s data security practices. LabMD alleges that the Department of Health and Human Services has jurisdiction over data breaches involving health information under HIPAA and that the FTC is exceeding the powers given to it by Congress. It too suffered a blow on Wednesday, when a District Court in Georgia dismissed its attempt to circumvent the FTC’s administrative hearing process because the case wasn’t “ripe” for consideration and tossed it back for resolution before an administrative law judge. This comes after LabMD contends it wound down its business due to the burden and expense of the FTC’s investigation.
Strong message to the C-Suite and corporate board this week: data security is risky business and needs to be addressed at the top levels of the organization as there is no relief from customers, shareholders and regulators.