Data breach litigation trends show signs of change, with more success on the part of plaintiffs in proving legal standing for their claims and more varied types of lawsuits, including shareholder complaints against directors and officers.
“The tide is turning, as we see it,” said Melody McAnally, partner with Butler Snow LLP. When data breach lawsuits first started cropping up, courts dismissed cases in which plaintiffs failed to show they had experienced any immediate harm.
“There’s nothing to remedy,” she told Advisen.
For example, a lawsuit against federal contractor Science Applications International Corporation and the U.S. Department of Defense saw a court determine that the fear of identity theft or fraud isn’t enough to prove actual damage.
“Courts for this reason are reluctant to grant standing where the alleged future injury depends on the actions of an independent third party,” said court records in that case.
This trend has persisted, but appears to be changing. One reason may be the fact that data breaches have become more commonplace in the last three years.
“The change has certainly coincided with a lot of these issues taking center stage in the media,” stated Chandler Givens, associate with Edelson in Chicago. Givens explained that courts more readily understand the risk of exploitation with sensitive data being stolen.
Gerard M. Stegmaier, partner in the privacy and data security group at Goodwin Procter LLP, noted that some courts remain skeptical of claims, but lawsuits aren’t likely to abate.
“I think we’re going to continue to see increases in litigation on privacy and security because the reality is that consumers are still concerned,” he said.
However, consumers’ general concern that already-public information has become more public isn’t enough of an argument for the judiciary, which has prompted more complex ways of defining harm. McAnally cited the seminal 2011 California case of Claridge v. RockYou, which found “an inherent value in the customers’ personally identifiable information.” The case, which ultimately settled, affirmed the thinking that a customer’s information should be considered their “property.”
“It really shocked the data litigation world,” she said. Not all courts have shifted their thinking to follow this determination, she added.
“It’s still early and we haven’t enough rulings and we certainly haven’t had enough jury trials to see how plaintiffs are going to fare,” McAnally told Advisen.
New Case Efforts
Givens told Advisen that a new theory gaining traction has been to highlight the data breach as a breach of contract for services that consumers have bought. One example is a recently settled case against LinkedIn. Premium users of the professional networking site argued that a security breach violated the company’s promise to safeguard their data and that, if they had known of the lax security practices, they would not have purchased a subscription.
“The argument is that if it’s something that should have been prevented, a portion of the fees that [customers have] been paying should be returned,” said Givens, who worked on the case. “It’s novel and it’s a clever theory.”
LinkedIn settled for $1.25 million. And settling tends to be the most common action for organizations facing a data breach lawsuit. Should a case succeed past the pleading stage, when defendants can move to dismiss the complaint, corporations are more reluctant to proceed through the discovery phase. The time and cost of litigation, as well as the chance that a company’s security measures could be put on display, are compelling reasons to settle.
“The reality of these class action lawsuits is that almost none of them ever go to trial,” said Givens. They are, however, lasting longer.
“More of these cases are surviving and becoming more expensive to litigate,” said Stegmaier.
While consumer lawsuits tend to garner the most headlines, organizations should worry more about other sources of litigation in the future, including shareholder derivative suits. McAnally noted that one has already arisen from the Wyndham hotel chain’s data breach and resulting federal regulatory actions, with shareholders alleging that controlling officers should have heeded warning signs about security issues.
According to McAnally, businesses should also be worried that financial institutions, hit with the costs of notifying customers and reissuing payment cards, will retaliate and demand more accountability.
“They’re starting to stand up and say, okay, companies, were you negligent in your security?” she said. “That just puts tremendous pressure on a business.”
While data breach litigation is already the fastest-growing arena among all class action cases, adding banks and shareholders to the list of potential plaintiffs could overwhelm corporations.
“That’s a three-pronged attack that a corporation could face,” said McAnally. She noted it will be interesting to see how shareholders prove their damages, adding, “We advise our clients to have a third-party come in and evaluate your security on the front end, before you have a breach.”
Givens said that every business should ensure that its consumer-facing policies accurately reflect how the company actually operates, with everything documented.
“That’s one of the big takeaways from this new era of courts adopting some of these theories about data breaches,” he said. “If the practices don’t square with what you’re telling consumers you’re doing, there could be a lawsuit and it’ll come out.”
Stegmaier explained that cases against directors and officers have a high bar to clear due to a 1996 case against Caremark International, making a claim difficult absent proven fraud or gross negligence. More cases against directors indicate a shift in corporations’ views on cyber risk. Stegmaier also predicted more emphasis on class certification, as well as cases related to the enforceability of mandatory arbitration clauses in customer contracts.
“Five years ago, this wasn’t an issue in many boardrooms and now it’s an issue in every boardroom,” he said.