Data breach incidents are on the rise and here to stay. It seems like every week there is a new, high-profile breach involving a government agency, movie studio, retailer or health care provider. Let’s face it, data breaches are inevitable. I know that sounds fatalistic, but that’s the truth. And there seems to be no conceivable way of reducing the number of breaches.
Previously, companies that experienced a breach faced minimal financial downside aside from providing notice and identity theft protection to consumers, plus the attorney fees needed to guide the company through inquiries by state and federal agencies. The big cost has arguably been bad publicity and the erosion of consumer goodwill and confidence.
With respect to lawsuits, the shoe hasn’t really dropped in the form of large settlements or judgments. That is due mainly to the fact that most courts have found that victims of a data breach have not experienced the cognizable damage required for Article III standing. The exception is credit and debit card providers, which bear the cost of replacing compromised cards. In other words, consumers suffered only the threat of some future, undefined harm. Well, it appears that companies can no longer sleep easy and expect to get rid of class action data breach lawsuits early with a motion to dismiss based on Article III deficiencies.
The 7th Circuit recently ruled, in the case of Remijas v. Neiman Marcus, that a class of consumers had standing to maintain a lawsuit for negligence. This is rather groundbreaking. The suit arose over a data breach at Neiman Marcus in which hackers gained access to customer credit card information. The consumers consisted of two basic sub-classes. One had actually experienced fraudulent charges on their credit cards. The other had yet to experience any negative consequences.
The Court found that both sub-classes had standing to sue. Those who had experienced fraudulent charges experienced financial harm, even though the fraudulent charges had been reimbursed. The Court also found that such consumers had suffered aggravation and loss of value of the time needed to undo the effects of the unauthorized charges. Regarding those consumers who had not sustained fraudulent charges, the Court found that the substantial risk of such charges was enough to confer standing. Additionally, the Court found that such consumers had been harmed in expending time and money to prevent potential identity theft.
This decision is really a game changer in my opinion. It is now possible, under this standard, for virtually any data breach victim to get a class action for negligence off the ground. The consequences for companies are tremendous. Once a class clears the pleading stage, the next item is typically the class certification motion unless derailed by a summary judgment. Regardless, discovery will take place and that is likely to adduce evidence sufficient to get past any summary judgment motion. Thus, with class sizes in the hundreds of thousands if not millions, defense risk is off the charts.
In a commercial environment where data breaches are as inevitable as car accidents, companies will be wise to obtain adequate insurance and maintain the highest level of data security hygiene. Data security and privacy attorneys are able to assist in this effort. The insurance will provide for a defense while high levels of hygiene will either significantly reduce class size or provide victory on the breach of duty prong of a negligence action.