Data Breach Lessons from Recent Robinhood Lawsuit

December 8, 2021

By: Martin T. Shepherd

Takeaway:

For most companies, following the SHIELD or FTC practices is sufficient to establish a reasonable security program that should protect them from civil liability or penalty. But companies storing large amounts of personal information, or valuable proprietary information, should consider even greater controls and protections.


Robinhood, a stock trading platform, was recently sued in connection with a significant data breach. When a high-profile company like Robinhood suffers a breach, the glare of the headlines is only a shadow of the real cost to the company. Increasingly, companies face litigation risk, and the corresponding damages, following a breach.

According to a class action complaint filed in federal district court in the Eastern District of New York, over 7 million individual records were exposed in the Robinhood breach. The complaint alleges negligence, breach of contract, breach of fiduciary duty, and other violations of state and federal law.

Plaintiffs point out that this type of breach was reasonably foreseeable, given the volume of news and information on data breaches in recent years. Plaintiffs claim that Robinhood had a duty to secure their personal information. That duty, plaintiffs allege, stems from users’ relationship with the Robinhood service and is actionable under the Federal Trade Commission Act (FTC Act), which prohibits unfair or deceptive acts or practices in or affecting commerce, and under New York’s SHIELD Act.

Plaintiffs say that Robinhood failed to implement adequate policies, procedures, and technical safeguards of the kind recommended by the FTC and required by SHIELD. If those laws create an affirmative duty to implement a reasonable security program, then Robinhood, and others, can be found liable and assessed damages for failing to do so.

What is a “reasonable security plan”? According to Plaintiffs, a reasonable plan includes:

  • data encryption
  • employee training
  • technological tools to defend systems against intrusion

But what is actually recommended under SHIELD and the FTC guidance, and is following that guidance enough to protect companies?

New York SHIELD Law
New York enacted N.Y. Gen. Bus. Law Sect. 899-bb(2), part of the Stop Hacks and Improve Electronic Data Security Act (SHIELD), to require any business that owns or licenses computerized data containing the private information of New York residents to implement and maintain reasonable administrative, technical, and physical safeguards. Under SHIELD, reasonable safeguards are spelled out in the statute and include:

  • designating one or more employees to coordinate the security program
  • selecting service providers capable of maintaining appropriate safeguards and requiring those safeguards by contract (vendor risk management)
  • identifying internal and external risks and assessing the sufficiency of existing safeguards
  • regularly testing and monitoring networks, software, and physical storage for attacks, intrusions, and system failures
  • disposing of private information within a reasonable time after it is no longer needed for business purposes

It also provides that entities subject to, and in compliance with, HIPAA or the Gramm-Leach-Bliley Act are deemed to be in compliance with SHIELD’s reasonable-safeguards requirement.

FTC guidance
The FTC Act has been used in other cases to establish a duty of care. In the Robinhood case, plaintiffs allege that Robinhood’s duty is set out in the FTC’s guidance publication Protecting Personal Information: A Guide for Business.

The FTC’s guide is a simple, straightforward, but robust set of recommendations for businesses that handle personal information. It is organized under five memorable key principles:

  1. Take Stock
  2. Scale Down
  3. Lock It
  4. Pitch It
  5. Plan Ahead

These recommendations overlap with the practices SHIELD requires, but they include more specific guidance, including:

  • implementing the principle of least privilege, so employees can access only the personal information their jobs require
  • firewalls and demilitarized zones (DMZs) to separate internet-facing systems from internal networks
  • physical access controls for offices, storage areas, and devices holding personal information
  • vulnerability assessments of software and systems
  • regular network scanning for unexpected devices, services, and open ports

For most companies, following the SHIELD or FTC practices is sufficient to establish a reasonable security program that should protect them from civil liability or penalty. But companies storing large amounts of personal information, or valuable proprietary information, should consider even greater controls and protections.
