A data breach is a business crisis that can have enduring ramifications. While the discovery of a breach can initiate a fire drill – investigating what happened, remediating the security gaps, engaging law enforcement, and complying with state and federal notification laws – even following these steps carefully and thoroughly might not be the end of a company’s headaches. Any company dealing with a data breach also needs to be concerned about follow-on litigation.
While litigation can come in the form of defending against a government enforcement suit, litigation can also come in the form of private actions: against employees, consumers, or third parties. This article provides an overview of the kinds of litigation companies have been facing, what legal theories have been used, and what defenses might be employed.
Who Sues?
First, who sues? Consumers, financial institutions, and third parties that have contracts with the companies maintaining personal confidential information or patient health information are the prime candidates. While it might seem obvious that consumers will sue, it is becoming increasingly common to see financial institutions – banks and credit unions that have to issue new credit cards or reimburse consumers – filing class action lawsuits to recoup their (alleged) costs and lost business.
A recent example of this is the Home Depot data breach litigation, a consolidated multidistrict litigation in the federal district court for the Northern District of Georgia. The actions there included both a consumer class action and a financial institution class action. As discussed below, consumer class action cases can stand at a disadvantage compared with financial institution class actions because consumers can have a difficult time proving standing or injury: to the extent they have already been reimbursed or cannot prove identity theft, they might not be able to keep their claims in court. Financial institutions might be on firmer footing if they can demonstrate that their costs were somehow caused by the breached company’s lack of diligence or unreasonable actions before, during, or after a breach.
Is the Lawsuit Legit?
Second, when do courts allow for lawsuits? This can depend on whether the litigants are in state or federal court. In federal court, plaintiffs must contend with standing requirements: that is, they must overcome the defense that there is no “case or controversy,” as required by Article III of the federal Constitution. Once they overcome that hurdle, they must normally also show that they have an injury that is cognizable by a court.
These can be difficult hurdles to overcome. The question of whether plaintiffs have standing in data breach class actions often rises or falls on the question of whether the plaintiffs have alleged actual injury, and not simply the risk or possibility of injury. In a 2013 case, Clapper v. Amnesty International, 133 S. Ct. 1138 (2013), the Supreme Court held that, in order for a plaintiff who alleges future harm to have the necessary Article III standing to sue in federal court, the plaintiff must meet the stringent bar that the harm being claimed is “certainly impending.” This has often been successfully used to defeat plaintiffs’ claims as being untethered from any actual injury, where a breach has been discovered but plaintiffs could not point to any specific identity theft or other injury that had occurred, only the possibility of such harm.
Having said that, not all plaintiffs have been doomed by bringing a suit where actual injury might be hard to prove. In 2015, the Seventh Circuit decided the important case Remijas v. Neiman Marcus Group, 794 F.3d 688 (7th Cir. 2015), holding that “Clapper does not . . . foreclose any use whatsoever of future injuries to support Article III standing,” and that “substantial risk” of harm could be sufficient. Since the Seventh Circuit’s decision in Remijas, some sister circuits have made similar rulings – such as the Sixth Circuit, which in one case held that plaintiffs had standing when their personal information was stolen from the Nationwide Mutual Insurance Company computer network. Galaria v. Nationwide Mutual Insurance Co., 663 Fed. Appx. 384, 2016 WL 2728027 (6th Cir. 2016). Nevertheless, the Article III standing hurdle can be particularly nettlesome.
So too can the question of whether any such injury is compensable. Although the legal doctrines might sound arcane to the uninitiated (and I will avoid disentangling these doctrines here), suffice it to say that plaintiffs not only have to show that federal courts have jurisdiction over their claims – that is, that they can claim more than the mere possibility of a future harm – but they also have to show that the harm they are alleging is the kind that a court can hear and that it would be possible for the court to actually remedy the injury if the claims are proven successful.
This gives defendants some openings and counsels in favor of prudent data security management and data breach notification compliance. The more companies can protect consumers up front and respond quickly to breaches, the stronger a litigation defense will be. Keeping consumer harm to a minimum is both good corporate practice and good litigation strategy.
It should be noted that state courts can be more forgiving on some of these issues since state courts deciding civil cases under state law do not need to be concerned with standing under federal constitutional standards; as a general matter, they need only be concerned with whatever their state standing rules are. Those can potentially be more permissive. Assuming plaintiffs bring their suits in state court – which can be difficult with regard to class actions since data breaches affecting consumers will almost always affect consumers across state lines – then it will be the idiosyncrasies of state law, and not constitutional standing or federal rules, that will govern.
What Are the Claims?
Third, what claims do plaintiffs bring? Increasingly, they seek damages (both compensatory and punitive) by turning to claims of negligence, breach of contract, consumer protection, and unfair competition. Indeed, a survey of cases over the past three years shows that negligence claims are becoming increasingly popular. The Home Depot data breach litigation referenced above itself included negligence, negligence per se, and violations of various unfair and deceptive trade practices statutes.
What plaintiffs often cannot turn to is data breach notification statutes. While such statutes will normally provide state attorney general offices with the power to enforce violations of those statutes, they rarely provide private rights of action to individual consumers or state residents affected by a breach.
It’s important to note that data breach litigation usually ends with a settlement, or possibly with a dismissal; it is rare for a case to go to trial and reach a verdict. (This is true, of course, for civil litigation in general – the vast majority of cases never reach a final judgment at trial.) The Home Depot litigation, for example, had two class action settlements: one for the consumer class action, and one for the financial institution class action.
Be Prepared
For a company suffering a data breach, it can seem unfair that, having been the victim of what is often criminal activity, it might nevertheless have to suffer through a crucible of regulatory compliance and potential litigation. There are some signs that state and federal law enforcement entities increasingly see companies as victims rather than as somehow complicit in data breaches. Nevertheless, so long as companies collect, maintain, and use personal confidential information, they will be expected to maintain reasonable policies governing the security of that information and to act prudently in the event of a data security incident. Reasonable action can increase (but never guarantees) the likelihood of success in the event of subsequent litigation. Minimizing harm to consumers is not only the right thing to do; it can also bolster a company’s defenses in the event a lawsuit is filed in the wake of a breach.
About the Author: As counsel at Foley Hoag in Boston, Christopher Hart’s practice centers on three areas: civil commercial and business litigation, data privacy and cybersecurity, and representation of foreign sovereigns in U.S. courts and international tribunals. As an experienced litigator, Chris has represented Fortune 500 companies, start-up companies, individuals, and sovereign nations in a wide variety of contexts for over a decade.