Assessing risk: Data breach litigation in U.S. courts
By Kim Phan
In an era of international commerce, companies collect and aggregate vast amounts of consumers’ personal information that may be communicated around the globe. Along with the growth of electronic consumer databases, there has been an increase in the numbers of data breaches, some of them perpetrated by overseas actors. A June 2011 Ponemon Institute study revealed that 90 percent of surveyed companies had experienced a data breach within the past year.
Companies may want to assess the level of risk posed by the possibility of litigation when determining how to respond to a data breach. Common factors that may impact the likelihood that a lawsuit will be filed following a data breach include:
- Type of data breached: A breach of financial information is more likely to result in litigation than other types of personal information, such as health information.
- Cause of the breach: A breach perpetrated by bad actors, such as hackers, is more likely to result in litigation than inadvertent breaches, such as the improper disposal of documents found in a dumpster.
- Misuse of personal information: A breach that results in known cases of fraud or identity theft is more likely to result in litigation.
- Size of the breach: A breach that impacts a large number of consumers is more likely to attract media attention. The resulting publicity may attract the attention of numerous plaintiffs and plaintiffs' attorneys.
Even if a lawsuit is filed, the laws applicable to data breach litigation in the U.S. are still evolving. Until recently, consumer plaintiffs have met with very little success in the courtroom, but this could change as the general public becomes increasingly aware that companies are maintaining detailed information about their customers. Courts may soon recognize that an individual consumer has a reasonable expectation that such information should be protected and that a data breach violates that expectation.
Data breach litigation often takes the form of a class-action lawsuit brought on behalf of a class of consumers whose personal information has been potentially compromised by a data breach. Certification of a nationwide class, however, is often very difficult for consumer plaintiffs. In order to certify the class, the burden rests on the plaintiffs to demonstrate that the various applicable state laws are sufficiently cohesive to warrant combining the plaintiffs’ causes of action. As state law in the area of data breach litigation is new and evolving, this will often pose a difficult first hurdle for the formation of a class-action lawsuit.
For data breach cases filed in federal court, Article III of the U.S. Constitution requires that the plaintiffs have standing to appear. Injury-in-fact, which is an essential element to demonstrate standing, requires a concrete and particular harm that is actual or imminent. Consumer plaintiffs face a significant barrier in data breach cases if there is no evidence that the data breach resulted in the actual misuse of the personal information breached. Without concrete examples of identity theft or other fraudulent use, the federal circuit courts are split on how to approach the alleged increased risk of harm that may arise following a data breach. Reilly v. Ceridian Corp., 664 F.3d 38 (3rd Cir. 2011), holding that no injury has occurred when the data breach has not resulted in misuse of personal information; Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), holding that an injury had occurred when a laptop containing personal information was stolen), and Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629 (7th Cir. 2007), holding that an injury had occurred when a sophisticated hacker was the cause of the data breach.
- In the Seventh Circuit, the court concluded that the risk of future harm was sufficient to confer standing. In the Pisciotta v. Old National Bancorp case, the consumer plaintiffs sought compensation for credit monitoring services obtained in response to a breach. The court considered evidence that there was a sophisticated, intentional, and malicious hacker attack when concluding that, “the injury-in-fact requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would otherwise have faced, absent the defendant’s actions.”
- In the Ninth Circuit, the court also concluded that the risk of future harm following a data breach was sufficient to confer standing. In the Krottner v. Starbucks Corp. case, a laptop was stolen that contained unencrypted personal information. The court weighted heavily evidence that at least one attempt had been made to steal a consumer’s identity as a result of the breach. The court concluded that the consumer plaintiff’s “generalized anxiety and stress” as a result of the breach was sufficient to confer standing.
- In the Sixth Circuit case of Lambert v. Hartman, the consumer plaintiff’s personal information was published on a public website. In finding that standing exists, the court noted that if the plaintiff can “prove that she continues to face an increased risk of identity theft, she could likely show that monitoring suspicious activity on her credit report would not only combat that future risk but would also help to redress the past financial injury that she has suffered.”
- In the Third Circuit, however, the court characterized the risk of identity theft as speculative when there was no evidence that the breach was the result of malicious acts and there was no evidence that there had been any misuse of the compromised personal information. In Reilly v. Ceridian Corporation, a hacker gained access to the defendant company’s systems that contained the consumer plaintiff’s personal information, but it was unknown if the hacker read, copied or understood the nature of the data breached. The court concluded that any “hypothetical, future injury” arising from the breach was insufficient to confer standing.
Despite the split between the circuits, the U.S. Supreme Court has so far declined to resolve the issue of standing in data breach litigation.
Stating a claim
Even if a plaintiff can establish standing, the plaintiff must still succeed on the merits of the case. Consumer plaintiffs have struggled to select from among myriad potentially applicable state and federal laws on which to state a claim for relief.
In a study of the hundreds of data breach cases filed in recent years, researchers identified more than 86 different causes of action brought by plaintiffs in response to a data breach. Claims raised by consumer plaintiffs have included tort claims; i.e., negligence; contractual claims, i.e., breach of contract, and/or statutory claims, i.e., consumer protection acts. Although there is no federal data breach law, 46 states have enacted such legislation. Some of these state laws provide consumers with a private right of action that can form the basis for data breach litigation; i.e., California Security Breach Information Act, Civ. Code §§ 1798.80 et seq., establishing a private right of action for breach of a company’s data protection obligation.
The most successful cases so far have involved a consumer plaintiff who has suffered actual identity theft that has led to fraudulent charges or some other demonstrated financial harm. Generally, in these cases, courts have been more willing to provide monetary recovery for demonstrated losses. In cases involving only the increased risk of harm, courts have struggled with applying traditional damage models. In each of the circuit court decisions previously discussed that conferred standing, all of these cases were ultimately dismissed because the consumer plaintiffs did not state a sufficient claim for relief.
Last year, however, the First Circuit concluded that a breach of global proportions that had resulted in identified instances of misuse of personal information established a sufficient risk of foreseeable future harm that could form the basis for a claim for relief. In the Anderson v. Hannaford Bros. Co. case, millions of consumers’ payment card information was compromised, leading to more than 1,800 known cases of fraud. The court concluded that it was reasonably foreseeable that a consumer would take steps to mitigate potential damages in light of known instances of fraud arising from the breach. The court, thus, allowed the consumer plaintiffs to recover the costs of reasonable efforts to mitigate the harm, such as the cost of credit monitoring.
Whether the Anderson decision represents a sea change in the number and success of consumer lawsuits arising from data breaches remains to be seen.
Additional sources of litigation
In addition to consumer lawsuits, companies should be aware of other sources of litigation risk, including federal regulators, state attorneys general and/or financial institutions impacted by the data breach.
Companies that experience a data breach could draw the attention of federal regulators. The Federal Trade Commission (FTC), the de facto U.S. privacy regulator, has filed a number of lawsuits against companies arising from data breaches. These lawsuits commonly result in settlements with no admission of wrongdoing by the company.
However, in June, the FTC filed a lawsuit against Wyndham Hotels & Resorts arising from a series of three data breaches over a period of two years. The FTC alleged that the company misrepresented the security measures taken to protect consumers’ personal information and that the failure to safeguard personal information caused substantial consumer injury. Rather than reaching a settlement agreement with the FTC, Wyndham has filed a motion in federal district court to dismiss the FTC’s lawsuit. Wyndham argues that the FTC, “has neither the expertise nor the statutory authority to establish data security standards for the private sector” and that the FTC has not published any regulations that would provide the business community with notice of what data security protections are necessary to be in compliance with the law. As this may be the first data security case that the FTC will be required to litigate, this case is being closely monitored by the U.S. legal and business communities. (Editor’s note: For more information on FTC v. Wyndham, see the article “Analyzing FTC v. Wyndham” from the October 2012 edition of Inside 1to1: PRIVACY.)
Until the Supreme Court acts or some other sea change occurs with regard to courts’ approach to data breach litigation, consumer plaintiffs will likely continue to face many barriers to obtaining judicial relief. As courts increasingly view these lawsuits favorably for consumers, however, the potential legal risk to a company following a data breach may be changing.
Kim Phan is an associate in the Privacy Practice and the Government and Regulatory Practice at Arnall Golden Gregory’s Washington, DC, office. Phan’s practice focuses on counseling clients about federal legislative and regulatory compliance matters. She assists clients with engaging congressional offices and executive agencies, such as the Federal Trade Commission and the Consumer Financial Protection Bureau.