Data Breach Lessons from Recent Robinhood Lawsuit

December 8, 2021

Takeaway:

For most companies, following the SHIELD or FTC practices is sufficient to establish a reasonable security program that should protect them from civil liability or penalty. But companies storing large amounts of personal information, or valuable proprietary information, should consider even greater controls and protections.


Robinhood, a stock trading platform, was recently sued in connection with a significant data breach. When high-profile companies like Robinhood suffer a data breach, the glare of scary headlines is only a shadow of the cost to the company. Increasingly, companies face litigation risk and the corresponding damages caused by a breach.

According to a class action lawsuit filed in Federal District Court in the Eastern District of New York, over 7 million individual records were revealed in the Robinhood breach. The lawsuit alleges negligence, breach of contract, breach of fiduciary duty, and other violations of state and federal law.

Plaintiffs point out that this type of breach was reasonably foreseeable, given all the news and information on data breaches in recent years. Plaintiffs claim that Robinhood had a duty to secure their personal information. That duty – plaintiffs allege – stems from users’ relationship with the Robinhood service and is actionable under the Federal Trade Commission Act (FTC Act), which prohibits unfair practices in or affecting commerce, and New York’s SHIELD statute.

Plaintiffs say that Robinhood failed to implement adequate policies, procedures, and technical safeguards, as recommended by the FTC and SHIELD. If those laws create an affirmative duty to implement a reasonable security plan, then Robinhood – and others – can be found liable and assessed damages for failing to do so.

What is a “reasonable security plan”? According to Plaintiffs, a reasonable plan includes:

  • data encryption
  • employee training
  • technological tools to defend systems against invasion

But what’s really recommended under SHIELD and FTC, and is that guidance enough to protect companies?

New York SHIELD Law
New York passed N.Y. Gen. Bus. Law § 899-bb(2), the Stop Hacks and Improve Electronic Data Security Act (SHIELD), to require companies holding private information of New York residents to implement and maintain reasonable security safeguards. Under SHIELD, reasonable safeguards are specified and include:

  • designating a program coordinator
  • vendor risk management
  • assessment
  • monitoring of networks and physical spaces
  • disposal of aged private information

It also stipulates that entities compliant with HIPAA or Gramm-Leach-Bliley are deemed compliant with SHIELD.

FTC guidance
The FTC Act has been used in other cases to establish a duty of care. In the Robinhood case, Plaintiffs allege that Robinhood’s duty is set forth in the FTC’s guidance publication, Protecting Personal Information: A Guide for Business.

The FTC’s Protecting Personal Information guide is a simple, straightforward, but robust set of recommendations for businesses that handle personal information. It is organized under five catchy key principles:

  1. Take Stock
  2. Scale Down
  3. Lock It
  4. Pitch It
  5. Plan Ahead

These recommendations cover some of the same practices recommended by SHIELD, but add more specific guidance, including:

  • implementing the principle of least privilege
  • demilitarized zones and firewalls
  • extensive physical access controls
  • vulnerability assessments
  • network scanning

For most companies, following the SHIELD or FTC practices is sufficient to establish a reasonable security program that should protect them from civil liability or penalty. But companies storing large amounts of personal information, or valuable proprietary information, should consider even greater controls and protections.
