Business man reviews contract
Article

The role of forensic accounting in “connecting the dots” in data breach cases

The growing sophistication of techniques used by the independent criminal hackers, hacktivists, organized crime, and foreign governments to penetrate corporate networks and exploit vulnerabilities is inevitably producing data breaches that are more complex and impactful. For instance, the Target data breach alone affected over forty million people, and preliminary estimates suggest the Home Depot breach may eventually affect more than sixty million people. In addition, even though the eighty-five million customers affected by the J.P. Morgan data breach did not have any sensitive or personal information stolen (such as Social Security Numbers), enough information was obtained to open these customers up to phishing attacks.[1] These are some of the most talked about security breaches and data privacy cases; however, there are numerous cases with similar backgrounds that are mere footnotes in the news.[2]

According to a white paper published by Bryan Cave in June 2014 on the Trends in Data Privacy and Security Class Action Litigation, there were 178 data related class action complaints filed against private entities during the first quarter of 2014.[3] Approximately half of these complaints were filed against Target, however the upward trend is in line with prior quarters.[4] With the increased number of data related cases in the news recently, the number of cases each quarter is likely to exceed 100 filings. Many of these cases however will likely not be successful due to a Supreme Court interpretation set out in the 2013 Clapper v. Amnesty International case. Although that particular case did not pertain to data breaches (the case is a human rights case involving wire-tapping), it did set a requirement for many types of cases (including data related cases). In summary, the case established three main hurdles to clear in order for a case to survive a motion to dismiss due to lack of standing:

  1. A law suit cannot merely be based on speculation of what may occur;
  2. A law suit depends on the establishment of an actual injury or a certainly impending injury; [5] and
  3. A plaintiff cannot establish a case by merely spending money to avoid feared injury.

The Clapper decision led to the dismissal of many data breach cases at the outset due to a lack of standing because the plaintiff could not answer two key questions:

  1. Can the plaintiff establish injury to themselves due to the data issue; and
  2. Can the plaintiff establish damages?

If either of these questions are answered, “No” or “I’m not sure,” the likelihood of a judge allowing for a case to continue through the legal process is low.[6]

Although forensic accountants are typically associated with the establishment of damages, it is important to note that a forensic accountant’s skill set can also be useful in connecting (or disconnecting) a plaintiff to the data issue that transpired and assist with establishing injury to the plaintiff.  In today’s business environment, forensic accountants are required to mine and connect numerous data sources to get to the financial information needed for damage analyses in order to establish damages. This data analytic skill set is transferable to non-damage aspects of a case including the establishment of injury. Data breach cases can involve large sets of data including consumer information, company information from various databases, and data stored by third parties. One of the keys to establishing injury in these cases is connecting these three data sources and locating the “signal” within “noise”. Due to the amount of data available, this may seem overwhelming at first, however, a forensic accountant can help dissect and parse the data to get at the information that is critical to a case. 

Data mining in large data-related class action cases starts with identifying the key sources of data that will assist in identifying injured parties. The relevant information can be housed in a variety of sources including, but not limited to:

  • The data that was breached and made publically available;
  • Unaffected databases at the breached company that store personal information;
  • Publically available databases maintained by third parties; and
  • Consumer financial records.

It is important to identify the potential data sources first, as the key in these types of cases is connecting the dots between the various datasets and records. Once the relevant information is identified and obtained, the identification of the class can begin. This step includes beginning to define the class and identifying the specific data points necessary to identify the class.  From a data mining perspective, this step typically entails a number of preliminary queries of the data at issue to identify those individuals impacted and beginning to organize data and information that will assist with establishing injury. At this point, queries will be refined and result sets analyzed in detail to identify specific information that is relevant to the matter.[7] By bringing a forensic accountant in early, this data mining technique can be useful in amending pleadings, refining the definition of the class, and identifying prospective class members. The net result is that attorneys will be better prepared and informed about potential issues in the case.

From a defense perspective, a forensic accountant’s skill set in mining data and identifying patterns can assist in dissecting the definition of the class and using the data available to identify individuals that may not belong in the class, identify additional information to help strengthen the client’s case, or identify potential weaknesses in the case. This process entails not only analyzing the data at issue but also connecting the data to other pertinent data sources (such as publically available third party information). The other data sources depend on the facts and circumstances of the case, but can be instrumental in defending a class action suit. 

Data related cases require attorneys to develop various forms of attack and defenses in order to assist their client in winning their case. Although forensic accountants have historically assisted only with determining damages after all the attacks and defenses have been used, a forensic accountant’s skill set reaches far beyond assessing damages and can be useful in all aspects of a case. For instance, data mining can lead to identifying key pieces of information for the case that will assist in developing better arguments. Given the narrowing focus of how to establish injury in data related cases, the importance of analyzing data and identifying patterns that establish injury to parties is imperative. 

As data breach cases become ever more complex and impactful, forensic accountants can play a vital role in assisting attorneys prepare legal cases by connecting the dots between various data sources. 

For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.

--

[1] Per recent news reports by CNN and ABC News, it is thought that the JPMorgan data breach only exposed customer information such as names, addresses, emails, and phone numbers.

[2] Other breaches range from smaller breaches at local businesses such as Bartell Hotels in San Diego (credit card information for over 55,000 guests) to smaller breaches at large businesses such as the United Parcel Service (credit and debit card information for over 105,000 transactions).  Breaches are not limited to commercial companies as personal information stored at a number of healthcare providers has been exposed (for example 60,582 records from Onsite Health Diagnostics / Healthways).  Government agencies have also been impacted (for example, 19,000 records containing personal identifying information was exposed from the St. Louis Recorder of Deeds).

[3] See “Shifting Trends: Privacy & Security Class Action Litigation” by Shahin Rothermel and David Zetoony and published in June 2014 by Bryan Cave, LLP.

[4] There were 145 data related class action cases filed in the fourth quarter of 2013.

[5] Also see the Reilly v. Ceridian Corporation.

[6] Although the likelihood of a case continuing is low, it is not impossible.  For example, earlier this year, a case in the Southern District of Florida (Juana Curry and William Moore v. Avmed, Inc., d/b/a AVMED), settled.  As part of the settlement, class members who could not establish injury to themselves were allowed to remain in the class and receive a portion of the settlement (the definition of a class member was “all current and former AvMed customers… whose Sensitive Personal  Information was contained on the laptops stolen…”).  The settlement amount for this matter was unique as it was considered a refund of an insurance premium overpayment and not an award for a sustained injury.  This refund of insurance premium overpayment represented the amount of premium payments that the plaintiffs contend Avmed should have used to improve its data security controls.  It is unclear how this case will affect data breach cases going forward as the class was formed and allowed by the court prior to the 2013 Clapper decision, but the settlement was approved after the 2013 Clapper decision.

[7] For example, was the information made available via the breach used for nefarious purposes (was the party injured) or is their evidence that suggests the data leaked as part of the breach will be used in a way that may injure a party in the future?