As courts have recognized, "[t]he fact that a company has suffered a security breach does not demonstrate that the company did not place significant emphasis on maintaining a high level of security."1 Nevertheless, companies that experience cybersecurity events frequently are faced with numerous class action lawsuits. In most cases, these complaints contain generic allegations that the company failed to maintain reasonable cybersecurity standards.
For instance, cybercriminals in 2023 exploited a zero-day vulnerability in Progress Software MOVEit secure file transfer software that resulted in more than 100 class action litigations against various companies that used the software program. As this incident involved a zero-day vulnerability in third-party software, it is challenging to see how these companies were negligent and how such negligence was responsible for this incident.
Tennessee Takes Action
Prompted by the escalating cost of these class action data breach litigations and the numerous headline-grabbing cyberattacks, particularly those in the healthcare industry, the Tennessee legislature recently passed, and Gov. Bill Lee signed into law, Public Chapter 991, which raises the liability standard for class action lawsuits arising from cybersecurity events.
For suits to which the higher standard will be applied, class action plaintiffs must establish that the cybersecurity event "was caused by willful and wanton misconduct or gross negligence on the part of the private entity." This law does not mention or explicitly amend the requirement that companies take "reasonable care" to prevent data from being compromised. Nor does the law speak to individual actions that are not class action litigations. Rather, the law creates a heightened liability requirement for class action data breach lawsuits that may effectively serve as an enhanced pleadings standard.
Specifically, the statute broadly covers private entities, both for-profit and not-for-profit – an important consideration in a state with multiple religious and nonprofit healthcare systems. The statute defines "cybersecurity event" to include any "event resulting in unauthorized access to, or disruption or misuse of, an information system or nonpublic information stored on an information system." As a result, it can reasonably be anticipated to apply to a wide swath of "events," including claims arising from the loss or theft of electronic devices, malware, ransomware, phishing, business email compromises and other types of attacks.
The statute defines "nonpublic information" as "information that is not publicly available and concerns a person that, because of a name, number, personal mark, or other identifier, can be used to identify that person, in combination with the following":
- Social Security number
- driver's license number or nondriver identification card number
- financial account number or credit or debit card number
- security code, access code or password that would permit access to the person's financial accounts or
- biometric records
This list is not consistent with Tennessee's data breach notification statute (Tenn. Code Annot. Section 47-18-2107) or with other federal and state breach notification statutes. For instance, the bill does not specifically mention health data as nonpublic information. Whether those additions or subtractions make a difference likely will be argued in future cases.
The bill also does not require the private entity to adhere to any particular cybersecurity or data protection standard in order to receive the protection afforded by the new liability standard. That omission almost certainly will lead to future disputes.
Sponsors of the legislation contend that the new liability standard will help protect businesses that are trying to recover from the aftermath of an "event" from almost immediately being served with numerous class action lawsuits. Critics argue that it lessens protections for patients and other citizens and is inconsistent with calls from the Cybersecurity & Infrastructure Security Agency (CISA) that critical infrastructure systems (such as healthcare) harden cyber protections.
Conclusion
Tennessee, living up to its slogan that the state is "open for business," joins a small number of states (such as Florida and West Virginia) that have considered measures to protect businesses from class action lawsuits following cybersecurity events. Time will tell whether national business organizations, working hand in glove with entities that have suffered an "event," are able to promote the passage of similar statutes in other states.
Notes
1 In re Heartland Payment Sys. Inc. Sec. Litig., 2009 WL 4798148 at *5 (D.N.J. Dec. 7, 2009).
