Prepare for the inevitable: Post-data breach class actionsReprints
Actual injury versus plaintiff anxiety will remain key to successful data breach litigation. Beth D. Diamond, global claims leader for specialty insurer Beazley P.L.C., discusses how companies can best prepare for attempted class actions in the wake of data breaches.
Lightning may not strike twice in the same place, but the same cannot be said of class action lawsuits.
For this reason companies caught in class actions stemming from data breaches would do well to consider the precedents they could set by agreeing to over-generous terms.
The good news for defendants is that the hurdles plaintiffs must surmount to bring a case to trial are significant. Numerous lawsuits have been dismissed on the grounds that the plaintiffs failed to show that they were harmed by a data breach.
One such case occurred last year and is worth reading for the clarity with which Judge James E. Boasberg of the U.S. District Court for the District of Columbia analyzes the “thorny ... issues regarding when, exactly, the loss or theft of something as abstract as data becomes a concrete injury.”
The case involved data tapes, among other items, stolen from a car parked in a San Antonio garage in September 2011. The car was owned by an employee of information technology company Science Applications International Corp., which handles data for the federal government. The tapes contained personal information and medical records relating to 4.7 million members of the U.S. military and their families enrolled in Tricare, the armed forces health care program.
There is no question that the loss of the data was embarrassing. According to letters mailed to affected service members by SAIC in November 2011, it included names, Social Security numbers, addresses, dates of birth and phone numbers, as well as a variety of medical information. It did not, however, include any financial data. Moreover, SAIC considered that the chance of the data being accessed by the thieves or any other unauthorized party was low because to do so would require “specific hardware and software.”
Numerous individuals sued, and their lawsuits were consolidated into a single action. SAIC and three government defendants — Tricare, the U.S. Department of Defense and its then-secretary, Chuck Hagel — sought to dismiss the complaint on the grounds that the plaintiffs could show no injury based on the data breach and therefore lacked standing to sue in federal court.
The key question then addressed by the court was whether, as alleged by the plaintiffs, the mere fact that their data had been stolen constituted “a distinct and palpable harm.” A number of the plaintiffs also claimed that the time and money they had spent checking their credit (though SAIC had offered them free credit monitoring) and talking to their banks should be compensable.
In his ruling, Judge Boasberg gave these arguments short shrift, citing a variety of court opinions, including a U.S. Supreme Court decision in Clapper v. Amnesty International USA in 2013, that supported the view that a threatened injury must be “certainly impending” to afford plaintiffs standing to sue. If those caught up in a data breach, or any untoward event, were so alarmed that they spent time and money to protect themselves from potential harm, that would not, in itself, give them standing. In the trenchant language of the Supreme Court: “(R)espondents cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”
The plaintiffs' attorneys shot back that, due to the data breach, their clients were 9.5 times more likely than the average person to become victims of identity theft. But Judge Boasberg was unmoved. A heightened risk of identity theft, he said, is not the same as a harm that is “certainly impending” — the litmus test endorsed by the Supreme Court.
This was not quite the end of the story. The Supreme Court had also acknowledged that it had sometimes “found standing based on a "substantial risk' that harm will occur,” prompting plaintiffs to “reasonably incur costs to mitigate or avoid that harm.” But Judge Boasberg concluded that the plaintiffs in the SAIC litigation did not clear that hurdle either.
While a more recent Seventh Circuit decision, in Remijas v. Neiman Marcus Group L.L.C., upheld plaintiffs' standing to sue due to “injuries associated with resolving fraudulent charges and protecting oneself against future identity theft” after a data breach, that case involved theft of credit card numbers that allegedly resulted in actual fraudulent charges on the affected individuals' cards. This contrasts with the SAIC case, where no financial data was lost. It would still be quite difficult to establish standing in a case where the victim of a breach can show only some fear of future fraud perpetrated at his or her expense. After all, anxiety is still a far cry from the “concrete, particularized and actual or imminent” harm that the Supreme Court required.
From this, it should be clear that the precise circumstances of data breaches need to be carefully analyzed to assess the risk of successful litigation. Specialty insurer Beazley P.L.C. has helped more than 2,200 organizations manage data breaches and address the third-party liability risks they pose. From this experience we can identify the following factors that frequently serve to diminish the third-party risk:
• More than half of the data breaches we have helped clients handle have been caused by errors or inadvertence in the organization — not theft. In these situations, it is, of course, possible that the data will fall into the wrong hands. But it is unlikely that a court would find the mere fact of such a breach constituted “certainly impending” harm or a “substantial risk” of harm.
• Data, in all likelihood, were not the principal target of many thieves. This certainly seemed possible in the SAIC case: The judge, in a characteristically colorful turn of phrase, said the tapes could be “lying in a landfill in Texas” after the thief had achieved his or her “main goal of boosting the car stereo and GPS.”
Of course, there are situations in which these defenses will not apply. In January, Judge Paul A. Magnuson of the U.S. District Court for the District of Minnesota allowed a class action against the retailer Target Corp. — the victim of a massive hacking attack in 2013 — to proceed on the grounds that the plaintiffs suffered injuries that afforded them standing.
“Target ignores much of what is pled,” the judge wrote, “instead contending that because some plaintiffs do not allege that their expenses were unreimbursed or say whether they or their bank closed their accounts, plaintiffs have insufficiently alleged injury. These arguments gloss over the actual allegations made and set a too-high standard for plaintiffs to meet at the motion-to-dismiss stage.”
Based on Judge Magnuson's decision, Target in March agreed to settle the lawsuit for $10 million. That $10 million is nevertheless modest relative to the magnitude of the approximately 110 million Target customers allegedly affected by the data breach. Other settlements have been likewise low, such as LinkedIn's $1.25 million deal over the exposure of 6.5 million logins and passwords. Plaintiffs' difficulty in proving damages in these types of cases ultimately mean they pose limited financial threat.
But that will not deter plaintiffs attorneys from continuing to file putative class actions after a data breach thanks in large part to attorneys fees. The Target settlement agreement, by way of example, permits plaintiffs attorneys to recover as much as $6.75 million, in addition to the $10 million.
Data breaches can cause consumers massive harm, as well as great anxiety. The best insurance for businesses addresses both dimensions of the problem, offering expertly coordinated first-party services to manage the breach and robust financial protection against third-party liability. In the latter arena, the distinction between harm and anxiety may prove crucial.
Beth D. Diamond, global claims team leader for technology, media and business services insurance with Beazley P.L.C., can be reached at firstname.lastname@example.org or at 646-943-5912.