Courts in several jurisdictions have dismissed every class-action suit filed on the basis of data breaches. Attorney David Goldstone, a partner in Boston-based Goodwin Procter's intellectual property and white collar crime & government investigations practices, explains why. But, he said, there's no guarantee that future suits will fail as well, and companies commonly settle rather than risk trial. He was interviewed at SecureWorld Boston Expo 2009 by Information Security magazine Sr. Technology Editor Neil Roiter.
Read the full transcript from this video below:
Courts turn aside data breach suits
Neil Roiter: David, there have been several legal cases involving data breaches that have been dismissed. Can you explain the grounds why these were dismissed and why they've been unsuccessful?
David Goldstone: Sure, Neil. There's been a trend that we've seen in a number of courts across the country, from the District of Columbia, to Ohio, and New York, and a number of other courts, where, after there's a consumer data breach and personal information is disclosed to unauthorized parties, consumer class actions are brought against the company that was hacked into. Consistently in those cases, those cases have been dismissed. The reason for the dismissal has generally been that the courts have found no injury from just a data breach. The plaintiffs in those cases have argued, repeatedly, that the injury is that there's an increased risk of identity theft. But the courts have pretty consistently rejected that theory, thus far, and found that the increased risk of a data breach, by itself, is not enough to support a legal case.
Neil Roiter: Let's assume for the sake of argument that a plaintiff or a group of plaintiffs could show that there were actual damages from a data breach. Do you think this outcome might be different?
David Goldstone: If there were actual damages, then I certainly think, and if they could demonstrate that or even plead the actual damage and identify what those damages are, I think that would certainly increase their chance of maintaining a case. It would be difficult, though, to maintain it as a class action. Because for a class action, there needs to be commonality of injury among all the members of the class, and typically the damage or the injuries that are sustained in these cases are sustained uniquely to one individual at a time.
Neil Roiter: Do these cases now constitute a precedent for this type of action?
David Goldstone: Yes, they do constitute a precedent. In those districts and in those courts, they would have stronger precedential weight than in other districts or courts where that court has not decided that issue. Of course, every case stands on its own facts, and usually there are ways to distinguish particular precedents with respect to new cases that come around the pike.
Neil Roiter: In some high profile cases, TJX is a notable example, the company has moved ahead and settled with folks, offering cash, offering credit information...a lot of things to preempt, perhaps, the event of legal cases. Why do they do this when the cases have gone in favor of the defendants?
David Goldstone: You know, we did not represent TJX and we were not one of the law firms in that case, so I don't know what their motivation was in settling that case. But there certainly was some theoretical exposure, because each case, as I said, stands on its own facts. So the facts could be quite different, and maybe there were allegations of injury that would have carried the day in that case. But in any event, particularly given how high profile the cases were, given that TJX had settled with the Federal Trade Commission, and with Visa and MasterCard, no doubt one of their motivations was that they just wanted to put that episode behind them and they had agreed to improve their security practices. So no doubt, what they wanted to do was to look going forward, and it's quite frequent in a litigation situation that companies, even though they have a meritorious legal case, might settle it in order to put all of the litigation behind them.
Neil Roiter: Massachusetts has adopted significant data security regulation, and other states are considering it. How might these regulations, these state laws, possibly affect future cases?
David Goldstone: Well, yes, Massachusetts has enacted a requirement for comprehensive information security programs, for any company that maintains personal information of Massachusetts residents. Certainly there is the possibility, now by their terms, the regulations create no new legal cause of action. But they do create new enforcement opportunity for the Attorney General. So at a minimum, companies that don't comply with that do face exposure from the Attorney General. Now, as I mentioned before, in general, we've seen cases where courts have held that mere risk of identity theft is not sufficient to qualify as injury. Whether this Massachusetts law will cause courts to see it a different way, I can't...I don't have a crystal ball, I can't predict that, but it's certainly possible, Neil.