Plaintiffs’ lawyers love to challenge products labeled as “natural,” with hundreds of false advertising class actions filed in just the last few years. Recently, in Astiana v. Hain Celestial (pdf), the Ninth Circuit reversed the dismissal of one such class action, and in doing so, addressed some key recurring arguments made at the pleading stage in litigation over “natural” labeling.

The Hain Celestial Group makes moisturizing lotion, deodorant, shampoo, conditioner, and other cosmetics products. Hain labels these products “All Natural,” “Pure Natural,” or “Pure, Natural & Organic.” A number of named plaintiffs, including Skye Astiana, filed a putative nationwide class action, alleging that they had been duped into purchasing Hain’s cosmetics. According to plaintiffs, those cosmetics were not natural at all, but allegedly contained “synthetic and artificial ingredients ranging from benzyl alcohol to airplane anti-freeze.” Astiana claimed that she likely would not have purchased Hain’s cosmetics at market prices had she been aware of their synthetic and artificial contents. As is typical in such cases, she sought damages and injunctive relief under a variety of theories: for alleged violations of the federal Magnuson-Moss Warranty Act, California’s unfair competition and false advertising laws, and common law theories of fraud and quasi-contract.

The district court dismissed the entire case in deference to the “primary jurisdiction” of the U.S. Food and Drug Administration over natural labeling of cosmetics. On appeal, the Ninth Circuit made two important rulings to which defendants in “natural” litigation should pay special attention:

Primary Jurisdiction

Federal regulators have (with a few limited exceptions not relevant here) declined either to adopt a formal definition of the term “natural” or to regulate that term’s use on cosmetics or food labels. But both plaintiffs and defendants have pointed to informal FDA statements and letters on the subject to advance particular litigation positions. For example, in this case, Hain invoked the prudential doctrine of primary jurisdiction to argue that a case challenging labeling statements cannot go forward because the FDA, not the courts, must determine in the first instance what the challenged labeling statement means and how it should be used. (Indeed, as we have previously discussed, the primary jurisdiction doctrine has led more than a dozen courts to stay false advertising cases in which plaintiffs allege that the ingredient name “evaporated cane juice” is misleading.)

Critically for other defendants intending to invoke primary jurisdiction in the future, the Ninth Circuit concluded that the district court had not erred in concluding that the doctrine applied. Rather, the district court’s error was only in dismissing the case rather than staying it. As the Ninth Circuit explained, “[w]ithout doubt, defining what is ‘natural’ for cosmetics labeling is both an area within the FDA’s expertise and a question not yet addressed by the agency,” and “[o]btaining expert advice from that agency would help ensure uniformity in administration of the comprehensive regulatory regime established by the [Food Drug and Cosmetics Act.]” Significantly, as the Ninth Circuit noted, the FDA had shown “reticence to define ‘natural’” at the time Hain invoked the doctrine with respect to food labels, in light of competing demands on the agency, and there is no reason to believe the FDA is on the verge of rulemaking on ‘natural’ labeling. But that was not a reason to bar the doctrine’s application.

That said, when, as in Astiana, additional judicial proceedings are contemplated once the FDA completes its work, the Ninth Circuit held that the case should be stayed rather than dismissed. And on that basis, the Ninth Circuit reversed the district court’s dismissal. Whether the Astiana decision supports primary jurisdiction arguments outside the context of “natural” labeling on cosmetics—such as ‘natural’ statements on food labels—remains to be seen. But as we read it, the court’s core holding would seem to have broader application.

Express Preemption

Hain separately argued that the FDCA expressly preempted the plaintiffs’ claims challenging the use of the term “natural.” But because there are no regulations defining ‘natural’ or its use on cosmetics labels, the Ninth Circuit disagreed, concluding that neither plaintiffs’ claims nor their requested remedy would impose requirements different from the (non-existent) federal rules on “natural” labeling. The Court did not find persuasive Hain’s argument that the FDA’s conscious decision not to define or regulate the term “natural” supports express preemption. That said, in other settings, including in “natural” cases, defendants may still find it appropriate to point out that the FDA (or another agency) has made a conscious decision not to regulate, and that such a decision should be entitled to deference and respect, or should be taken into account in assessing whether plaintiff has stated a claim.

After much anticipation, the Third Circuit heard oral arguments (audio) last Tuesday in the interlocutory appeal in FTC v. Wyndham Worldwide Corp. We have written previously about this case, which likely will be a significant one in the privacy and data-security field. At issue is whether Section 5 of the FTC Act authorizes the FTC to regulate data security at all, as well as what constitutes “unfairness” in the data-security context. The case may have a large impact on future FTC enforcement actions and major implications for class action litigation.

But after all the build up, the panel of the Third Circuit hearing argument might change the script. Questioning by the judges (Thomas Ambro, Jane Roth, and Anthony Scirica) indicated that the panel was seriously considering a ruling that the FTC should have brought any unfairness claim in an FTC administrative action in the first instance (as it did in the LabMD action), not in federal district court. If that happens, we will have to wait even longer to learn whether the federal courts agree with the FTC’s views on the scope and contours of its unfairness authority in the data-security context.

Counsel for the FTC and for Wyndham spent large portions of the oral argument emphasizing the positions they had briefed. Wyndham’s counsel, for example, argued at length that negligence alone cannot satisfy an “unfairness” standard, that businesses had not received adequate notice of what triggers such liability, and that the FTC had not adequately alleged substantial injury. But the panel may not reach those issues. Instead, the court focused on the threshold question of whether the FTC had the authority in the first place to sue in federal court under Section 13(b) of the FTC Act. That section permits “the Commission [to] seek, and after proper proof, the court [to] issue, a permanent injunction,” but limits such relief to “proper cases.”

Is the Wyndham action a “proper case”? According to the FTC—which invoked decisions of the Ninth Circuit and the Seventh Circuit for support—it is “proper” to sue whenever the FTC alleges a violation of a law that the FTC enforces. For its part, Wyndham did not disagree, instead arguing that such a rule would have practical benefits—including that, in its view, the company would get a fairer shake in federal court than in an FTC administrative action. But the Third Circuit panel appeared to be unconvinced on this point, and focused instead on whether a case presenting novel and complex issues should first be brought in an administrative action. In fact, the panel asked the parties to provide supplemental briefing on the point.

It is always perilous to read the tea leaves after an oral argument. But it is an understatement to say that the Third Circuit’s panel was dropping some hints, especially by requesting further briefing on whether the FTC action belongs in federal court. There is therefore a substantial possibility that the court will send the action to the FTC for administrative adjudication in the first instance.

That result would serve to underscore a point we have made before—that post hoc litigation is a poor way to impose data-security standards. Litigation moves forward in fits and starts, and by its nature is unlikely to produce clear rules or standards in complex areas like data security. In short, it is an unpredictable and expensive method of forging broadly applicable standards. All stakeholders—both businesses and their consumers and employees—are likely to suffer from a lack of meaningful direction if data-security standards are generated via litigation. With the cyber threat continuing to grow—from garden-variety hackers to sophisticated operations that may be sponsored by foreign governments—consensus-based standard setting is far more likely to provide practical guidance for American businesses that seek to protect private information, intellectual property, and business-critical systems from the continuing cyber onslaught.

One of the hottest areas in class actions is litigation under the Telephone Consumer Protection Act (TCPA).  And one of the most significant issues in TCPA litigation is the existence and scope of vicarious liability.  The key question is to what extent are businesses liable for the actions of third-party marketers who, without the consent of the recipient, send text messages or place calls using autodialers or prerecorded voices or transmit faxes?

Some plaintiffs had argued that businesses are strictly liable for TCPA violations committed in their name by third-party marketers.  Last year, the FCC rejected that approach in a declaratory ruling.  As we explained in our report, the FCC instead concluded that plaintiffs instead must prove liability under “federal common law principles of agency.”

But that declaratory ruling was decided in the context of telemarketing.  Should the same rule apply to alleged TCPA violations involving unsolicited marketing faxes?  Can plaintiffs revive their old arguments that businesses are strictly liable for faxes advertising their services sent by others?  Or are businesses not liable for TCPA violations that they themselves don’t commit?

The Eleventh Circuit recently considered this issue in Palm Beach Golf Center-Boca, Inc. v. John G. Sarris, D.D.S., P.A.  In that case, a marketer had allegedly sent several thousand unsolicited faxes advertising the services of a dental practice.  When a recipient of a fax sued the dental practice under the TCPA, the district court granted summary judgment in part because the plaintiff had failed to show that the dental practice was vicariously liable for the marketers actions.

The Eleventh Circuit reversed.  The court explained that the FCC’s prior declaratory ruling that the limited scope of vicarious liability for TCPA violations applied only to telemarketing calls.  But rather than decide what the vicarious-liability standard should be for faxes, the court held—based on a letter brief (pdf) submitted by the FCC—that the recipient of the fax didn’t need to prove vicarious liability at all.  Instead, the court held that  the dental practice could be viewed as the sender itself and therefore the recipient could attempt to show that the dental practice had directly violated the TCPA itself.

That result is hard to swallow.  The dental practice, after all, hadn’t actually sent any faxes itself.  And although it had hired the marketer, the evidence presented to the district court apparently showed that the dental practice had no direct role in the fax campaign—it didn’t decide to whom to send faxes or even approve the final language of the fax itself.  And it certainly didn’t press the button to send the faxes.

Nonetheless, the court held—based on the FCC’s letter brief—that the recipient of the fax could proceed to trial on the theory that the dental practice had committed a direct violation of the TCPA.  The TCPA makes it unlawful “to use any telephone facsimile machine, computer, or other device to send, to a telephone facsimile machine, an unsolicited advertisement.”  Under a natural reading of this language, one would think that the dental practice itself neither “use[d]” a fax machine nor “sen[t]” a fax.  But in the FCC’s view, a business is the “send[er]” of a fax transmitted by a third party so long as the fax was either sent on the business’s “behalf” or if the fax “advertise[s] or promote[s]” the business’s “goods or service.”

The FCC’s position conflates direct and vicarious liability for alleged TCPA violations involving faxes.  There are accordingly strong reasons to think that other courts should refuse to defer to the FCC’s interpretation.  That said, businesses whose marketing activities may include third-party fax campaigns should be aware of the potential that courts will, like the Eleventh Circuit in Palm Beach Golf Center, adopt the FCC’s position and authorize claims for direct liability under the TCPA.

We have written previously about the FTC’s action arising out of the data breach suffered by the Wyndham hotel group, and the company’s petition for permission to pursue an interlocutory appeal regarding the FTC’s use of its “unfairness” jurisdiction to police data security standards. On Tuesday, the Third Circuit granted Wyndham’s petition. Even the FTC had agreed that the “the legal issues presented are ‘controlling question[s] of law,’ and they are undoubtedly important.”  Yesterday’s ruling promises that these questions soon will be considered by the Third Circuit.

Later this week, DRI—an important professional organization that serves as a leading voice for the defense bar and in-house counsel—will once again hold its annual seminar on class actions in Washington, D.C.  I will be one of the speakers, and will be discussing recent developments affecting arbitration and class actions.  I plan to preview some of the issues that I’ll be discussing on the blog in the weeks to come.   More information about the seminar is available here.  I look forward to seeing readers of our blog and other friends and colleagues.

We have written previously about FTC v. Wyndham Worldwide Corp., currently pending in federal district court in New Jersey, and its potential significance for data security class actions. A recent opinion in that case has brought it back into the news—and made clear that the stakes are as high as ever.

Over the FTC’s opposition, the district court certified an interlocutory appeal to the Third Circuit regarding its earlier denial of Wyndham’s motion to dismiss. Specifically, the district court certified two questions of law for appellate review: (1) whether the FTC has the authority under Section 5 of the FTC Act to pursue an unfairness claim involving data security; and (2) whether the FTC must formally promulgate regulations before bringing such an unfairness claim. Here is a copy of Wyndham’s petition to the Third Circuit to accept the certified appeal.

After the oral argument in POM Wonderful LLC v. Coca-Cola Co. (pdf), No. 12-761, the Supreme Court appeared all but certain to allow competitors to sue for false advertising under the Lanham Act over labels of FDA-regulated food products.  Food manufactures have been waiting to see just how broad the ruling would be and whether it would affect the onslaught of consumer class actions challenging food and beverage labels.  The wait is over, and the POM v. Coke decision, while effecting a dramatic change in competitor actions, should have little impact on consumer class actions.

As described by the Supreme Court, here are the facts of the case:  POM markets a juice product labeled “Pomegranate Blueberry 100% Juice,” which consists entirely of pomegranate and blueberry juices.  Coke (under its Minute Maid brand) markets “Pomegranate Blueberry Flavored Blend of 5 Juices,” a competing product that contains 99.4% apple and grape juices, with pomegranate, blueberry, and raspberry juices accounting for the remaining 0.6%.  The label on the Minute Maid product features a picture of all five fruits and the words “Pomegranate Blueberry” in a larger font than the words “Flavored Blend of 5 Juices.”  Significantly, the Minute Maid label complies with the technical labeling rules set out in the federal Food, Drug, and Cosmetic Act (FDCA) and FDA’s related regulations for naming a flavored juice blend.

POM alleged that Coke’s product name and label violate the Lanham Act’s false-advertising provision because (according to POM) consumers will be fooled into thinking there is more pomegranate and blueberry juice in the product than there really is.  The district court and Ninth Circuit rejected the Lanham Act claims, accepting Coke’s argument  that because juice labeling is pervasively regulated by FDA, applying generalized principles of false advertising under the Lanham Act would destroy the uniform, national labeling standard announced by the agency under the FDCA.  As the Ninth Circuit put it, “the FDCA and its regulations bar pursuit of both the name and labeling aspect” of the Lanham Act claim because allowing the claim would “undermine the FDA’s regulations and expert judgments” about how juices may and should be included in the product name.

The Supreme Court unanimously reversed the Ninth Circuit’s decision in an opinion by Justice Kennedy.  In analyzing whether one federal statute (the FDCA) precludes a remedy available under another (the Lanham Act), the Court ruled that the FDCA and Lanham Act can be harmonized because they are “complementary and have separate scopes and purposes” and—unlike FDCA’s express preemption of state-law claims—neither statute “discloses a purpose” by Congress to bar competitor suits like POM’s.  (A more detailed discussion of the Court’s opinion is available here.)  Notably—although the Court repeatedly tells us that the FDCA and Lanham Act can get along—the opinion never actually does the hard work of harmonizing Coke’s compliance with the FDCA’s detailed rules for naming flavored juice blends with POM’s theory of liability challenging the FDCA-compliant name under a generalized theory of false advertising.

By contrast with competitor lawsuits, the Court’s decision should have virtually no impact on food labeling consumer class actions.  While the Court expressed the view that consumers will be indirect beneficiaries of competitor Lanham Act claims over allegedly misleading labels, it made clear that its decision does not address or alter the interplay between state consumer protection laws or consumer suits and the FDCA.  In other words, the decision does not in any way undermine preemption principles that would apply to state-law claims challenging labels regulated by FDA.  That’s important not just for food companies facing consumer class actions, but also to avoid a problem the Court specifically recognized in its decision: the “disuniformity that would arise from the multitude of state laws, state regulations, state administrative agency rulings, and state-court decisions that are partially forbidden by the FDCA’s pre-emption provision.”  Though the Court correctly recognizes the resulting chaos if each state could impose non-identical labeling requirements, it characterizes the potential disuniformity from the potential tension between the FDCA and the Lanham Act a result that Congress envisioned.

Whether the Court was right or wrong about that, one thing is clear:  In creating food labels, food companies should consider not only what the FDCA and federal regulations say, but also analyze the potential risks of competitor lawsuits under the Lanham Act.  We will have more to say about these issues on a webinar tomorrow; interested clients or friends of the firm may register for the webinar here. 

 

 

The plaintiffs’ bar continues to file consumer class actions challenging food and beverage labels en masse, especially in the Northern District of California—also known as the “Food Court.” One particular line of cases—at least 52 class actions, at last count—targets companies selling products containing evaporated cane juice. The battle over evaporated cane juice has become the latest front in the war over whether federal courts should apply the primary-jurisdiction doctrine and dismiss or stay food class actions while awaiting guidance from the federal Food and Drug Administration.

In these cases, plaintiffs allege that the term “evaporated cane juice” is misleading because (in their view) it disguises the fact that the ingredient is a type of “sugar”; they contend that the ingredient  should be identified as “sugar.” Their theory rests almost entirely on a draft guidance that the FDA issued in 2009, in which the agency proposed the ingredient be called “dried cane syrup” (notably, not “sugar”), and invited public comment on the issue. That guidance suggested that the name “evaporated cane juice” not be used because it suggests the ingredient is a juice.

In response to these lawsuit, many defendants have emphasized that the FDA’s 2009 guidance not only is non-binding, but that the existence of the guidance establishes that the FDA is examining the precise issue underlying plaintiffs’ theory of liability. Accordingly, defendants argue, courts should let the agency finish its work. Or, put another way, because the federal Food, Drug, and Cosmetic Act squarely authorizes the FDA to regulate the names of ingredients as part of its power to prescribe uniform national standards for food labels, the issue is within the FDA’s “primary jurisdiction.” Thus, as we have contended in advancing the primary-jurisdiction argument, the issue should be decided by an expert agency, not via litigation brought by profit-motivated consumer class action lawyers.

How have these arguments fared? Because the FDA did not take action for over four years after issuing the 2009 draft guidance, plaintiffs had a great deal of success in convincing courts that the FDA was not actively addressing the evaporated-cane-juice issue further and therefore that applying the primary-jurisdiction doctrine was inappropriate.

All that changed in March 2014, when the FDA published a notice in the Federal Register reopening the comment period on the 2009 draft guidance and emphasizing that it has “not reached a final decision on the common or usual name for” evaporated cane juice and that it “intend[s] to revise the draft guidance, if appropriate, and issue it in final form.” [Our firm recently filed a comment with the FDA on this issue.]

As if a light had been switched on, virtually every court to consider the issue since the March notice—at least 10 class actions so far—has ruled in favor of deferring to the FDA’s primary jurisdiction in evaporated-cane-juice cases. This overwhelming trend is welcome news.

But from our perspective, the fact that the FDA recently reiterated its interest in this area should not have been necessary to trigger the primary-jurisdiction doctrine. Indeed, even before the March 2014 notice, the question of the proper labeling of evaporated cane juice was one within the primary jurisdiction of the FDA, as at least one court recognized.

To be sure, as one judge has put it, whether the FDA (or another regulatory agency) “has shown any interest in the issues presented by the litigants” appears to be an “unofficial fifth factor” that influences courts grappling with whether primary jurisdiction should be applied in a given case. Greenfield v. Yucatan Foods, L.P., — F. Supp. 2d –, 2014 WL 1891140, at *4-5 (S.D. Fla. May 7, 2014). But this “unofficial fifth factor” is neither necessary nor part of the four, well-recognized factors for applying primary jurisdiction: “(1) [a] need to resolve an issue that (2) has been placed by Congress within the jurisdiction of an administrative body having regulatory authority (3) pursuant to a statute that subjects an industry or activity to a comprehensive regulatory authority that (4) requires expertise or uniformity in administration.” Clark v. Time Warner Cable, 523 F.3d 1110, 1115 (9th Cir. 2008).

The same factors were satisfied in the evaporated-cane-juice context even before the March 2014 notice.  And—speaking more generally—uncertainty over when the FDA will act should not be treated as an invitation for different courts to apply different state laws and develop differing labeling regimes.

Here’s hoping for a few more helpings of primary jurisdiction at the Food Court—and a few more scoops of uniformity and certainty for the food and beverage industry.

Already, 2014 has been an eventful year in the world of data breaches and cybersecurity. In addition to a flurry of litigation over high-profile breaches at the start of the year, the National Institute for Standards and Technology released its long-anticipated Cybersecurity Framework. The latest development is the recent decision in the closely-watched Wyndham case, in which a federal district court has just held that the Federal Trade Commission may use its “unfairness” authority under Section 5(a) of the FTC Act to enforce data-security standards. As a result, companies can expect the FTC to continue—and perhaps even expand—its efforts to regulate data-security standards through enforcement actions. And (as we have seen time and time again) where the FTC leads, the plaintiff’s bar often follows by filing class actions piggybacking on the agency’s allegations.

What happened in Wyndham?

The Wyndham action arose when a group of hackers allegedly penetrated the hospitality chain’s networks from 2008 to 2010, and compromised over a half-million payment card numbers. Already facing the substantial financial and reputational harm caused by the hackers’ crime, Wyndham next found itself facing a civil action filed by the FTC. In its initial and amended complaints, the FTC alleged that Wyndham had not maintained reasonable and appropriate data security measures. The agency claimed that Wyndham had engaged in (1) deception through alleged misrepresentations of the company’s data-security practices; and (2) “unfair” conduct based upon the harms allegedly suffered as a result of the purportedly unreasonable data-security practices.

Wyndham moved to dismiss the amended complaint, arguing, among other things, that the FTC’s “unfairness” authority does not extend to data security, that the FTC had failed to provide fair notice of what Section 5 of the FTC Act requires, and that Section 5 does not govern the security of payment card data. Wyndham—joined by a number of amici—pointed to the FTC’s lack of clear statutory authority, the continued legislative debates about data-security standards, and the FTC’s failure to establish standards through rulemaking as powerful reasons why the FTC lacked the authority to regulate data-security practices through Section 5 enforcement actions.

The district court was not persuaded. It concluded that more narrow data-security requirements enacted by Congress complemented, rather than precluded, the FTC’s assertion of authority under Section 5. The court also disagreed with defendants about the import of the ongoing legislative debates and prior statements by the FTC about the limits of its authority to regulate data security. The court thus declined “to carve out” what it understood to be “a data-security exception to the FTC’s authority.” The court likewise held that the FTC did not need to promulgate rules before exercising that authority, and that the FTC had adequately pled its unfairness claim. Finally, the court rejected the defendants’ challenge to the FTC’s deception claim.

Implications of the Wyndham decision

Many observers believe that the district court’s decision—and the resulting headlines—may serve to boost the FTC’s efforts to regulate data security. From our perspective, the decision (unless it is overturned on appeal) may have a significant effect on data-breach class actions as well for at least three reasons.

First, past FTC actions have spawned follow-on class litigation. Continued or possibly expanded FTC activity in the field of data security thus does not bode well for companies that must defend themselves first from hackers and then from regulators and plaintiffs’ attorneys who seek to turn a company’s victimization into a basis for claimed liability.

Second, the district court’s highlighting of what it called “data-security insufficiencies” may foreshadow a focus on simplistic checklists rather than on risk-based data security practices. These supposed “insufficiencies” include allegations that the company stored unencrypted data, used outdated operating systems, and failed to require the use of complex passwords. These purported “insufficiencies” were described in a manner bereft of any context—and in particular, without any reference to the specific risks facing the company or the company’s overall security response. But data security is not one-size-fits-all. Context does matter. For that reason, the creation of a data security checklist through litigation, whether by the FTC or by a putative class representative, will benefit no one.

Third, the district court’s willingness to authorize case-by-case development of security standards—including through the use of consent orders that provide little or no guidance to non-parties—promises legal and regulatory uncertainty for companies in an area that cries out for stable and predictable guidelines. This uncertainty will only increase if class actions are allowed to further complicate the existing patchwork of data-security standards.

At bottom, the Wyndham decision is troubling for companies that seek to manage data-security risks and stave off unnecessary and inappropriate litigation. Indeed, the district court appeared resigned to the prospect of more litigation in this area, noting that “we live in a digital age that is rapidly evolving” and that will raise “a variety of thorny legal issues that Congress and the courts will continue to grapple with for the foreseeable future.” Companies certainly should hope that the district court was wrong to forecast more litigation, but should be prepared for continued legal uncertainty and the opportunistic litigation it will generate.

We’ll be discussing the Wyndham decision—along with many other new trends and strategies in data breach and privacy class actions—in a webinar next week. We hope that clients and friends of the firm will consider joining us for that discussion.

After a year of public-private collaboration and considerable anticipation, the National Institute for Standards and Technology’s (NIST) cybersecurity framework for critical infrastructure has arrived. The interest in the framework has only grown after several high profile data breaches in late 2013 have cast an unrelenting spotlight on cybersecurity issues. The framework presents businesses with important questions about whether and how they should use it, and—as cybersecurity-related class actions multiply—how the plaintiffs’ bar intends to invoke the framework.

After attempts at more comprehensive legislation faltered, President Obama issued an executive order (EO 13636) requiring development of the framework. By design, the framework is both voluntary and limited in its application. Most significantly, it only applies to critical infrastructure. In addition, it contemplates the creation of incentives to support its adoption and possible follow-on regulatory “actions to mitigate cyber risks,” and leaves unresolved the ongoing debate over information sharing and attendant liability protections.

But while the framework is voluntary, it likely will be influential. The Administration, for example, has said that in developing the framework it intended to “leverage” “common cybersecurity practices” to improve the cybersecurity of critical infrastructure. For critical infrastructure operators, multiple questions arise, including (1) will regulators rely on the framework; (2) how, if at all, will insurance markets account for the framework; and (3) will plaintiffs’ attorneys invoke the framework to exert leverage of their own via class action litigation.

Even before the framework’s introduction, many observers recognized the possibility that—in light of the SEC’s increasing emphasis on the appropriate disclosure of cyber risks— the plaintiff’s bar would press securities litigation alleging material omissions or misrepresentations about such risks. Recognizing that such lawsuits may be inevitable, businesses that operate critical infrastructure surely will want to take account of the framework both in assessing their cybersecurity posture and in disclosing the existence of cyber risks. In particular, companies should consider whether to incorporate elements of the framework (e.g., a “Framework Profile”) into their public disclosures.

Another significant issue is that, because the framework arguably may facilitate board-level awareness and management of cyber risk, plaintiffs may be more likely to bring actions against officers and directors for breach of fiduciary duties in connection with cyber incidents. Although the success of such actions remains to be seen, the release of the framework underscores the importance of cybersecurity to corporate boards and top executives.

At the same time, in our view, businesses should be reassured by the fact that nothing in the framework suggests that a company’s decision not to adopt an individual element—what it calls an “informative reference”—should form the basis of a future lawsuit, whether for data breach or other harm. Indeed, the framework specifically states that it is not a checklist and that it is not “one-size fits all.” Transforming an “informative reference” from the framework into a stand-alone requirement is not a mandate that the framework contemplates or supports. Attaching liability to individual “informative references” would create static cybersecurity checklists that the framework specifically rejects; indeed, it would frustrate the continued development of appropriate cybersecurity protections that the framework itself is aimed to encourage. Companies should therefore be prepared to defend against attempts to elevate the framework into liability standards, which would frustrate the Framework’s goal of providing a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” to managing cybersecurity risk.

The stakes of cyber attacks are high. So too are the stakes of litigation that are likely to ensue. The NIST Framework doubtless will be cited in that litigation, but, properly understood, it should not form the basis of a claim. To that end, we will be watching closely to see whether the plaintiff’s bar seeks to use the framework in ways that would defeat its stated purposes.