Virtually every reader is well aware of the decision from the US Court of Appeals for the First Circuit finding that claims by class-action plaintiffs for “mitigation damages” arising from a cyber breach were viable. Anderson v. Hannaford Brothers Co., 659 F.3d 151 (1st Cir. 2011).
There, the court held under Maine law that, in the abstract, certain claimants whose financial information was stolen could recover certain costs incurred in a reasonable effort to mitigate.
Needless to say, Hannaford Brothers is an extreme outlier in the world of cyber class-action litigation. And—as it should have in my view—the case effectively ended when the District Court, on remand, declined to certify the putative class in light of the claimants’ failure to establish that common issues of law and fact “predominate” over individual issues, a predicate to class certification.
As a result, the court limited the category of claimants who could continue to prosecute their claims only to “Hannaford customers who incurred out-of-pocket costs in mitigation efforts that they undertook in response to learning of the data intrusion.” In re Hannaford Brothers Company Data Security Breach Litigation, 293 F.R.D. 21. (D. Me. 2013).
Score one for Hannaford Brothers, similar companies and cyber insurers looking to budget for and manage attorneys’ fees and expenses.
At the same time, the court’s credible and thoughtful decision should be instructive to other courts facing similar issues.
But not so fast. More recently in comScore v. Dunstan, the Seventh Circuit upheld the certification of a 10 million-person data privacy class involving a data aggregator. Unlike in Hannaford, the comScore plaintiffs’ claims were statutory-based under a number of federal laws, including the Stored Communications Act (SCA) and the Electronic Communications Privacy Act (ECPA). comScore v. Dunstan, No. 13-cv-8007 (7th Cir. Jun. 11, 2013).
Needless to say, comScore is readily distinguishable from Hannaford, as the potential damages in comScore, if any, would be statutory rather than common law. Still, the comScore decision sets an ominous tone, particularly for policyholders and their insurers who could see their defense fees and costs increase significantly in the context of a privacy breach.
The beat goes on. Most recently, in In re: Sony Gaming Networks and Customer Security Litigation, Case No. 3:11-02258 (S.D. Ca. January 24, 2014), the District Court for the Southern District of California allowed a putative class of plaintiffs to proceed in the face of a motion to dismiss advocating that the plaintiffs lacked standing. In its motion papers, Sony observed none of the named plaintiffs had alleged their personal information had been actually accessed.
Notwithstanding this apparent defect, the court, following its decision in Krottner v. Starbucks, 628 F.3d 1139 (9th Cir. 2010, found that under various states’ consumer protections statutes (but not the common law), plaintiffs had “plausibly alleged a ‘credible threat’ of impending harm….” to the extent those claims were based on Sony’s alleged misrepresentations and omissions regarding reasonable network security and industry-standard encryption.
According to the court, “although Sony seeks to combat these allegations by stating that Sony disclaimed any right to so-called ‘perfect security,’ … whether or not Sony’s representations regarding ‘reasonable security’ were deceptive, in light of Sony’s additional representations regarding ‘industry-standard’ encryption, are questions of fact not suitable for disposition on a motion to dismiss.” On this basis, the court allowed the putative class to proceed to discovery and, ultimately, class certification—albeit with a significantly watered-down version of their previously pending first amended complaint.
Meanwhile, the Sony court attempted to reconcile its decision with the Supreme Court’s ruling in Clapper v Amnesty International, 133 S. Ct. 1138 (2013). There, the Supreme Court found the claimants did not have Article III standing because they failed to show a fear of a “threatened injury” arising from government surveillance operations was “certainly impending.”
In contrast, the Sony court found Clapper distinguishable because the plaintiffs alleged “their personal information was collected by Sony and then wrongfully disclosed as a result of the intrusion sufficient to establish Article III standing at this stage in the proceedings.”
Individually, the above cases might seem like one-offs. But together, they raise the specter of a trend whereby privacy-related defense fees and costs could dramatically increase in the context of a significant security breach.
Courts may not (yet) be prepared to award common law (i.e., non-statutory) damages to individuals who have a fear of future harm. But allowing putative class plaintiffs to move into the discovery and class certification phases certainly will cause defendants and cyber insurers to incur significantly greater defense fees and costs than they would if a motion to dismiss had been granted (as has been the case more often than not, up until now).
According to Advisen, the number of litigated privacy cases increased 1100% between 2005 and 2012, from 9 in 2005 to 98 in 2012. Advisen’s database reflects at least 80 cases were litigated in 2013, although that is far from the final tabulation. In short, the number of privacy-related lawsuits is growing exponentially. As a corollary, so too will the resulting costs of defense.
We have seen this show before in the D&O context. Business entities that are sued oftentimes elect to be defended by large, multi-national law firms. Cases proceed, costs mount, then they settle. After hundreds of thousands, if not millions, of dollars are spent on the defense.
Whether this model will be imported into the privacy class action context is for others to decide. But if the privacy cases go the way of their D&O cousins, it will be interesting to see if the litigants’ competing concerns (high defense costs vs. the impact on plaintiffs of potential years of litigation with a risk of no recovery) will encourage early settlements.
However, we’ll first need to see whether and how the emerging body of case law evolves.
Richard J. Bortnick is senior counsel at Traub Lieberman Straus & Shrewsberry and contributing author for the Cyber Risk Network. He was previously shareholder in law firm Christie, Parabue and Young. Rick litigates and counsels US and international clients on cyber and technology risks, exposures and best practices, directors’ and officers’ liability, professional liability, insurance coverage, and commercial litigation matters.
He also drafts professional liability insurance policies of varying types, including cyber, privacy and technology forms, and is Publisher of the highly-regarded cyber industry blog, Cyberinquirer.com.
