Jun 21, 2022

Data Breach Litigation and Penalties Are Potentially Catastrophic to Your Practice

This blog was provided by Gallagher Affinity, a premier sponsor of the PICPA.

By James Vinocur, JD

Data breaches cannot be taken lightly. In a worst-case scenario a breach could, in fact, lead to a bankruptcy. A data breach at a CPA firm will likely require remediation and a forensic investigation; it may also require both legal counsel and costly client notification to comply with state and federal data breach laws. The road does not end there, however. A data breach may also lead to civil penalties and litigation. This post briefly discusses the kinds of lawsuits that typically arise from a data breach, as well as the civil penalties that can be imposed.  

As a reminder, typical data breaches involve the unauthorized access or theft of a firm’s computerized data, including employees’ and clients’ personal information, such as names, addresses, government-issued identification numbers (including, but not limited to, Social Security numbers, driver’s license numbers, passport numbers, etc.), financial account information, and the like. Pursuant to each state’s data breach notification law, firms that fall victim to a data breach are required to notify those customers and clients whose information was accessed. This is where potential civil penalties arise.

Those same laws also provide for penalties to be imposed if a company fails to comply with its notification obligations, either entirely or in an untimely fashion. Penalties vary from state to state, but they generally fall into two buckets: penalties assessed per violation or per breach, and penalties left for the state attorney general to determine based on the nature of the violation. (The latter scenario is the case in Pennsylvania.) Penalties range on the low end from $100 per violation in Rhode Island to up to $10,000 per violation in South Dakota. States whose laws define the cost of each violation typically cap the total amounts at $150,000 to $250,000. In addition to state laws, companies governed by federal data breach notification laws — such as the Gramm-Leach-Bliley Act — can potentially face penalties of up to $100,000 per violation. (Notably, a company’s officers and directors can be held personally liable in the event of a violation, up to $10,000.) Fines can add up quickly: the largest penalties have been in the tens of millions of dollars, resulting from massive breaches. For instance, Equifax reached a settlement with both federal agencies and states in which it agreed to pay $575 million (and up to $700 million) as a result of a 2017 breach that led to the exposure of information for nearly 150 million people.

In addition to government-imposed penalties, a number of state data breach notification laws also provide a specific framework in which private civil lawsuits are allowed. However, even in the absence of such a framework, affected customers can initiate lawsuits against entities that stored their personal information. The majority of lawsuits based on the theft of or access to personal information rely on statutes that are meant to protect consumers’ rights and/or ensure fair trade practices, or on the common law tort of negligence. For instance, a client may initiate a lawsuit against its tax preparer on the grounds that the specialist failed to properly safeguard the client’s personal information. Or, the tax preparer may have made statements on its website or in advertisements that it took the safety and security of its clients’ information seriously, and a client may say that he or she relied on that statement in choosing the tax preparer and that the breach showed the assertion wasn’t true. Frequently, lawsuits arise in a class-action context, where dozens or even hundreds of claimants in a similar position band together to sue a company for failure to have safeguarded their information. (This was the case in the Equifax matter mentioned above.)

Note that to prevail on such a claim, one must be able to show that a breach directly caused real damages (what the Supreme Court has called a “concrete and particularized” injury-in-fact). This is often difficult. Many courts have repeatedly stated that it is (generally) insufficient to allege a future, hypothetical harm, such as the increased risk of identity theft. However, some courts have allowed lawsuits to proceed where the claimant alleged a substantial risk of identity theft or where there was an impending risk. Also, it can be difficult to prove that a data breach that occurred on a certain date led to the unauthorized opening of a line of credit months later. In addition, assessing the value of a victim’s personal information is not straightforward. It may be easy to allege that the theft of credit card information led to $42 in unauthorized payments at Starbucks, but it is much harder to calculate the value of the theft of someone’s Social Security number. Data breach lawsuits almost never lead to actual trials and are usually settled, but for a CPA firm facing such a lawsuit that might provide scant consolation: the firm will still need attorneys to get to that point — which is another good reminder to get insurance for such an event.

James Vinocur, JD, is a partner at Goldberg Segalla in New York City, where he specializes in data privacy and cybersecurity issues. Prior to joining Goldberg Segalla, he served as deputy chief of the cybercrimes bureau of the Manhattan District Attorney’s Office. He can be reached at jvinocur@goldbergsegalla.com.

Statements of fact and opinion are the authors’ responsibility alone and do not imply an opinion on the part of PICPA officers or members. The information contained herein does not constitute accounting, legal, or professional advice. For professional advice, please engage or consult a qualified professional.