A data breach is a business crisis that can have enduring ramifications. While the discovery of a breach can initiate...
a drill -- investigating what happened, remediating the security gaps, engaging law enforcement, and complying with state and federal notification laws -- following these steps carefully and thoroughly might not be the end of a company's headaches. Any company dealing with a data breach also needs to be concerned about follow-on litigation.
While litigation can come in the form of defending against a government enforcement suit, it can also come in the form of private actions against employees, consumers or third parties. This article provides an overview of the kinds of data breach litigation companies have faced, what legal theories have been used and what defenses might be employed.
First, who sues? Consumers, financial institutions and third parties that have contracts with the companies maintaining personal confidential information or patient health information are the prime candidates. While it might seem obvious that consumers will sue, it is becoming increasingly common to see financial institutions -- banks and credit unions that have to issue new credit cards or reimburse consumers -- filing class actions lawsuits to recoup their alleged costs and lost business.
A recent example of this is the Home Depot data breach litigation and a consolidated multidistrict litigation against the company in the federal district court in the Northern District of Georgia. The actions there included both a consumer class action suit and a financial institution class action suit.
Consumer class action cases can stand at a disadvantage over financial institution class actions suits because consumers may have a difficult time proving standing or injury. Often, due to what they have already been reimbursed and being unable to prove identity theft, customers might not be able to keep their claims in court. Financial institutions might be on firmer footing if they can demonstrate that their costs were somehow caused by the breached company's lack of diligence or unreasonable actions before, during or after a breach.
Second, when do courts allow lawsuits? This can depend on whether the litigants are in state or federal court. In federal court, plaintiffs must contend with standing requirements. That is, they must disprove the defense's belief that there is no case or controversy, as required by Article III of the federal constitution. Once they overcome that hurdle, they must also prove that they have an injury that is cognizable by a court.
These can be difficult hurdles to overcome. The question of whether plaintiffs have standing in data breach class action cases often depends on the question of whether the plaintiffs have alleged actual injury, and not simply the risk or possibility of injury.
In a 2013 case, Clapper v. Amnesty International, the U.S. Supreme Court held that, in order for a plaintiff who alleges future harm to have the necessary Article III standing to sue in federal court, the plaintiff must meet the stringent bar that the harm being claimed is certainly impending. This has often been successfully used to defeat plaintiffs' claims, as they could not point to any specific identity theft or other injury that had occurred, only the possibility of such harm.
Having said that, not all plaintiffs have been doomed by bringing a suit where actual injury might be hard to prove. In 2015, the 7th Circuit Court decided the important case of Remijas v. Neiman Marcus Group, holding that "Clapper does not...foreclose any use whatsoever of future injuries to support Article III standing," and that "substantial risk" of harm could be sufficient.
Since the 7th Circuit Court's decision in Remijas, some sister circuits have made similar rulings -- such as the 6th Circuit Court, which, in the case of Galaria v. Nationwide Mutual Insurance Co., held that plaintiffs had standing when their personal information was stolen from the Nationwide Mutual Insurance Company computer network. Nevertheless, the Article III standing hurdle can be particularly nettlesome.
So, too, can the question of whether any such injury is compensable. Although the legal doctrines might sound arcane to the uninitiated -- and I will avoid untangling these doctrines here -- suffice it to say that plaintiffs have to do more than show that federal courts have jurisdiction over their claims. That is, they can claim more than the mere possibility of future harm, but they also have to show that the harm they are alleging is the kind that a court can hear, and that it would be possible for the court to actually remedy the injury if the claims are proven successful.
This gives defendants some openings, and helps to encourage prudent data security management and data breach notification compliance. The more companies can protect consumers upfront and respond quickly to breaches, the stronger their litigation defense will be. Keeping consumer harm to a minimum is both good corporate practice and a good litigation strategy.
It should be noted that state courts can be more forgiving on some of these issues. Since they decide civil cases under state law, they do not need to be concerned with standing under federal constitutional standards; as a general matter, they need only be concerned with whatever their state standing rules are. Those can potentially be more permissive. Assuming plaintiffs bring their suits in state court -- which can be difficult with regard to class actions, since data breaches affecting consumers will almost always affect consumers across state lines -- then it will be the idiosyncrasies of state law, and not constitutional standing or federal rules, that will govern.
Third, what claims do plaintiffs bring? Increasingly, they seek damages, both compensatory and punitive, with claims of negligence, breach of contract, consumer protection and unfair competition. Indeed, a survey of cases over the past three years shows that negligence claims are becoming increasingly popular. The Home Depot data breach litigation referenced above included negligence, negligence per se, and violations of various unfair and deceptive trade practices statutes.
What plaintiffs often cannot turn to is data breach notification statutes. While such statutes will normally provide state attorney general offices with the power to enforce violations of those statutes, they rarely provide private rights of action to individual consumers or state residents affected by a breach.
It's important to note that data breach litigation usually ends with a settlement, or possibly with a dismissal; it is rare that cases go to trial with a verdict. This is true, of course, for civil litigation in general -- the vast majority of cases never reach a final judgment at a trial. The Home Depot litigation, for example, had two class action settlements: one for the consumer class action suit and one for the financial institution class action suit.
For a company suffering a data breach, it can seem unfair that, after having been the victim of what is often criminal activity, the company might nevertheless have to suffer through a crucible of regulatory compliance and potential litigation. There are some signs that states and federal law enforcement entities increasingly see companies as victims rather than somehow complicit in data breaches.
Nevertheless, so long as companies collect, maintain and use confidential personal information, they will be expected to maintain reasonable policies governing the security of that information and to act prudently in the event of a data security incident. Reasonable action can increase, but never guarantee the likelihood of success in the event of subsequent litigation. Minimizing harm to consumers is not only the right thing to do, but it can also bolster a company's defense in the event a lawsuit is filed in the wake of a breach.