The raft of enterprise data breaches over the past few years has prompted rapid evolution in Infosec technology, enterprise security philosophy, and has amplified the strategic importance of cybersecurity among corporate leadership. All good stuff.
But, as every silver lining has a cloud, and, since we live in the most litigious nation on the planet, it should surprise no one that the legal community smells blood in the water. Given this reality, I thought it might make sense to explore the data breach litigation landscape a bit. In this blog, we start with a discussion of consumer litigation, that is, the average Joe/Jane whose credit card was stolen, and how they might avail themselves of the justice system.
Researching the topic, I came across an exceptional legal white paper that is, essentially, a chapter from “Privacy and Surveillance Legal Issues,” a book published by Aspatore. The chapter/white paper – Private Data Security Breach Litigation in the United States (Douglas H. Meal, Partner, with David T. Cohen, Associate, Ropes & Gray LLP) – was published in the book in 2014, so it was likely written some time before that.
The paper details the difficulty information breach plaintiffs have satisfying the appropriate legal criteria to successfully prosecute claims against the breached company. Two legal hurdles, according to the white paper, have been difficult to overcome: 1) proving that the breach was the result of the company’s negligence, and 2) that specific damages can be shown to have been incurred as a direct result of the breach. From the paper:
“…plaintiffs frequently struggle to plead and prove that the data security breach resulted from the victim’s [the company experiencing the breach] breach of its legal obligations, as opposed to an unfortunate perpetration of computer crime by third parties, and/or that any breach of legal obligations caused any recoverable injury.”
Although generally unsuccessful, intrepid plaintiffs’ attorneys have mined the depths of their legal creativity in an attempt to find a legal theory of damages acceptable to courts. According to the white paper, these have included (quotes below taken directly from the above-referenced paper):
- Cognizable Injury: “…a plaintiff must show that he or she suffered some appreciable, non-speculative, present harm to state a claim for relief. So far, no element has proven more elusive for plaintiffs.”
- Increased Risk of Future Harm: “Consumers frequently have alleged that as a result of the exposure of their information, they are now at risk of having that information misused to commit future instances of identity theft, fraud, or phishing. Courts have routinely held that this is insufficient to state a claim.”
- Time and Money Spent Mitigating Risk of Future Harm: “…courts have overwhelmingly rejected this theory of injury, finding that such mitigation costs are merely derivative of the speculative risk of future identity theft.”
- Emotional Injury and Loss of Privacy: “Courts have generally found allegations of emotional distress to be insufficient to state a claim for relief.”
- Loss of Value of Information: “Courts…have consistently rejected the core concept of the theory—that consumer information has any economic value for which a consumer can expect to be compensated.”
- Benefit of the Bargain: “The courts dismissed the plaintiffs’ claim based on the benefit of the bargain theory as illusory, since the plaintiffs did not allege any defect with the product or service itself, nor any bargain with the defendant for a particular level of security.”
- Unreimbursed Losses: “Significantly, the plaintiff must actually incur the loss that is claimed. For example, it is well-established that a consumer has not suffered any cognizable injury related to a fraudulent credit card charge if that charge was later reimbursed by the card issuer, as often occurs.”
The chapter goes on to detail other legal nuances, including the contractual relationships between consumers and breached companies, credit card companies and the banks that issue the cards, and the challenges plaintiffs’ attorneys face declaring breach victims as part of a legal Class. Despite its detail and complexity, the paper’s analysis paints a clear picture of a US Court system reluctant to penalize enterprises for data breaches, setting a very high bar for plaintiffs to recover damages successfully.
In Part 2 of this post (coming soon to a theater near you), we’ll discuss how the Ashley-Madison breach and, more importantly, the Federal Trade Commission’s action against Wyndham may be tipping the legal balance away from the breached enterprises as we head toward 2016, adding an increasingly hostile legal landscape to the list of concerns keeping InfoSec professionals and their corporate management awake at night.
 I was unable to find a direct link to the white paper/chapter, but it’s readily available via a “Private Data Security Breach Litigation in the United States Douglas H. Meal” Google search.