Why So Many Data Breach Lawsuits Fail

In Most Cases, Proving 'Injury' Isn't Easy
Most U.S. lawsuits filed in response to data breaches fail. Even so, after a business issues a major data breach notification, it's a sure bet that one or more of its customers will respond - days, weeks or perhaps even months later - by filing a lawsuit against the breached business. Such lawsuits typically seek class-action status, meaning that one or more victims can seek damages on behalf of a larger group of victims.
That's the case with a complaint filed earlier this month against Home Depot. The suit accuses the retailer's senior management team of "overarching complacency when it came to data security," leading to its 2014 data breach that exposed 56 million payment cards.
But in recent months, courts have tossed out a long list of breach lawsuits. For example, a judge recently dismissed a lawsuit filed against eBay in the wake of its 2014 data breach that exposed encrypted passwords and personal information for 145 million users (see eBay Breach-Related Lawsuit Dismissed).
A small minority of class-action lawsuits related to data breaches, however, do progress. In the wake of Target's massive 2013 data breach, for example, the retailer in March opted to settle a related consumer class-action lawsuit by paying $10 million to victims, as well as to reimburse plaintiffs' attorneys' fees and expenses up to $6.75 million (see Judge OK's Target Breach Settlement). Target has also agreed on a $19 million settlement with MasterCard on behalf of affected card issuers (see Will Banks Drop Target Lawsuit?).
And in 2013, health plan operator AvMed agreed to settle for $3 million a class-action lawsuit filed over its 2009 data breach stemming from the loss of two laptops. The settlement explains that the amount is what AvMed should have spent on protecting data, so it's a refund of premium overpayment. And it was significant because it awarded payments to those who were not victims of identity theft.
Why Many Cases Are Dismissed
Nevertheless, the vast majority of consumers' data-breach lawsuits get dismissed after judges rule that the "plaintiffs bar" - the group of attorneys representing plaintiffs - has failed to prove that victims suffered an actual or threatened injury, under what's known as Article III standing, legal experts say.
"The most significant obstacle facing the plaintiffs bar is establishing standing, particularly in the wake of the Supreme Court's 2013 decision in Clapper v Amnesty Int'l. In that case, the court held that Amnesty International and others lacked standing to challenge a section of the Foreign Intelligence Surveillance Act," data breach and privacy attorney Linda Kornfeld, who's the managing partner of the Los Angeles office of law firm Kasowitz, Benson, Torres & Friedman, tells Information Security Media Group. "The court rejected the plaintiffs' effort to establish standing by arguing about the possibility of future injury; the court was not persuaded by plaintiffs' argument that they were likely to be the target of surveillance and would suffer injury based upon a 'predicted' chain of events."
In the Target consumer lawsuit, however, "the Minnesota District Court failed to even mention Clapper in finding that the plaintiffs had standing to pursue their case," says Barry Goheen, a partner at King & Spalding, in a blog post.
But Clapper has been applied by judges to dismiss many recent data breach and privacy-related cases, Kornfeld says. "There are some outliers, though, including the Sony PlayStation case, Adobe, and a few others where the courts found standing [and settlements were reached]. The Target court also found standing. Usually once that happens, the case settles for a relatively nominal per class member amount." And when cases settle, "the plaintiffs bar gets its attorney fees," she adds.
Of course, that raises the question of whether notions of "harm" should be redefined, especially in an era where data breaches may result in the exposure of personal information. Some of that information, such as Social Security numbers, can leave people at risk of identity theft for years going forward.
"The laws and our perceptions about consumer harm are clearly financial, so when the courts and people in decision-making positions look at consumer harm, they only see dollar signs," Eva Casey-Velasquez, president and CEO of the nonprofit Identity Theft Resource Center, tells ISMG. "When people, especially with these payment card breaches, are able to call their ... financial institution, and they end up getting made whole, we automatically look at them and go, 'OK, you're not a victim, it's your financial institution that's the victim.'"
In many cases, she says, that's justified, because the result of a data breach is "merely an inconvenience" for affected consumers - at least when their credit card data gets stolen; card issuers take the fraud hit. That's because under the Fair Credit Billing Act, consumers face a maximum liability of $50 for any fraud they report within 60 days, and no liability on charges that occur after they report that a card has been lost or stolen.
But consumers have no such legal protections when it comes to debit card fraud, despite their using debit cards to conduct about half of all payment-card transactions in the United States. "I still hear people go, 'I want to keep myself protected, so I use my debit card for transactions and sign for it instead of using my PIN,'" Casey-Velasquez says. "But that doesn't change anything - it's still a debit card. Your protections still aren't the same as with a true credit card."
Awaiting Spokeo Ruling
Kornfeld says that data breach attorneys are now watching the pending Spokeo v. Robins case, which may see the U.S. Supreme Court address - even tangentially - questions related to Article III standing in privacy and data breach cases (see Holding Websites Liable for False Data).
In the case, plaintiff Thomas Robins alleges that Spokeo, a "people search engine," shared inaccurate information about him on its publicly available Spokeo.com website, and thus "caused actual harm" to his employment prospects.
"However, until the Supreme Court resolves the debate over whether the Clapper decision raised the bar for establishing standing, particularly in this data breach/privacy context, or legislatures act, the trend of cases failing for lack of standing likely will continue," Kornfeld says.