Increasingly, c-suite executives and board members have questions about their companies' cybersecurity practices — or lack thereof. This monthly series is intended to provide high-level answers to some of those questions, specifically focusing on the development of cybersecurity policies, incident-response plans, liability of board members and executives for data breaches and the attorney-client privilege for cybersecurity investigations. Part 6 examined the obligations of publicly traded companies to report data breaches and cybersecurity vulnerabilities to shareholders and the Securities and Exchange Commission.

Part 7: Who could sue my company after a data breach?                                          

Previous installments of this series have focused on the expectations regulators have regarding data security and data breach reporting. Indeed, regulatory scrutiny could lead to onerous requirements, negative publicity, and, in some cases, large fines. 

However, lawsuits on behalf of victims of data breaches could lead to multi-million-dollar verdicts and settlements. This installment of this series focuses on the most likely lawsuits to emerge after a data breach, and the barriers that some plaintiffs face in succeeding in these suits.

The reason the price tag for these cases can be so high is that data breach lawsuits typically are filed as class actions, meaning that a small group of plaintiffs sues on behalf of a much larger “class” of people whose personal information was compromised during a data breach. For instance, consider the breach of a retailer’s payment card system, which exposes the payment data for 500,000 customers. Even if the verdict or settlement leads to damages of $100 per person, the overall cost to the company will be $50 million.

The volume of potential class members is where data breaches expose companies to far greater liability than more traditional personal injury lawsuits. For instance, if a customer slips and falls in Target, the retailer is only liable to one potential plaintiff. In contrast, the late-2013 Target data breach exposed the payment card data of more than 40 million customers.    

Companies also often are plaintiffs in data breach litigation. For instance, if a retailer’s breach of payment card data violated its agreements with banks and credit card issuers, those companies may sue the retailer. Service providers also may face lawsuits from companies whose data they failed to protect.

Typically, data breach plaintiffs sue companies under a number of common-law and statutory claims, most of which are decades or centuries old and were not designed with data breaches in mind. Among the common data breach-related claims:

• State consumer protection laws: Every state and the District of Columbia has a consumer protection statute that applies to unfair and deceptive trade practices. Many of these laws allow customers to recover significant damages. Claims under these state consumer protection laws are common in large data breach class actions.
• State data breach notification laws: As discussed earlier in this series, 47 states and the District of Columbia have enacted laws that require companies to notify individuals of the disclosure of certain types of personal information. Some of these statutes allow individuals to bring a private lawsuit against the company if they were not properly notified.
• Negligence: The company breached its duty to safeguard the plaintiffs’ personal information, and the breach injured the plaintiffs. Typically, plaintiffs allege that the breach either caused identity theft or similar harms, or has substantially increased the risk of such damage.
• Negligent misrepresentation: The company misrepresented its claims about data security, or it omitted crucial details about its failure to adequately safeguard personal information. 
• Breach of contract: To succeed on a breach of contract claim, the plaintiff must demonstrate that the defendant breached a duty to secure data that was included in a contract between the plaintiff and defendant, and that this breach caused harm to the plaintiff.
• Breach of warranty: Plaintiffs claim that companies expressly or implicitly warranted that they would provide adequate data security. Often in these cases, the court must decide whether the defendant disclaimed such warranties in its agreements with customers or business partners.
• Unjust enrichment: If negligence, breach-of-contract, and other common legal claims do not apply, a data breach victim could attempt to seek damages under a theory of “unjust enrichment,” which applies when the defendant took “undue advantage” of the plaintiff, such as through fraud, and obtained a benefit. 

In many cases, these claims are not a slam dunk for plaintiffs. That is because federal courts only allow plaintiffs to bring suits if they meet a constitutional requirement known as “standing.” As the Supreme Court has long stated, for a plaintiff to have standing, the plaintiff “must allege personal injury fairly traceable to the defendant’s allegedly unlawful conduct and likely to be redressed by the requested relief.”

In data breach cases, the most common dispute is whether the plaintiff has alleged sufficient personal injury arising from the data breach. If a plaintiff suffered identity theft that can be traced back to the breach, the plaintiff likely has standing. 

The more difficult issue arises when a plaintiff has not yet experienced identity theft, but argues that the data breach increases the risk of such harm. Is risk of identity theft, and nothing more, sufficient to establish standing to sue?

It depends on which judge you ask. Some courts have held that risk of future identity theft is enough to allow the plaintiff to sue a company after a data breach. Other courts have reached exactly the opposite conclusion. For instance, the United States Court of Appeals for the Third Circuit concluded that hypothetical harm from a data breach – and nothing more – does not establish standing because it depends on too many “ifs.” The court wrote, “if the hacker read, copied, and understood the hacked information, and if the hacker attempts to use the information, and if he does so successfully, only then will [the plaintiffs] have suffered an injury.”

The United States Supreme Court has not issued any opinions regarding standing in data breach class actions. However, in a 2013 opinion, the court held that plaintiffs did not have standing in a lawsuit against the federal government, in which they alleged that intelligence surveillance programs created a “reasonable likelihood” that the government obtained their communications in violation of the Fourth Amendment. This month, the Supreme Court had an opportunity to clarify the standing requirements in a privacy class action against Spokeo, but in a fairly narrow ruling, sent the case back to the Ninth Circuit for further deliberation.

Because courts differ on whether risk of identity theft is enough to establish standing, the success of a data breach lawsuit, in many cases, will depend on the court where the lawsuit is brought. 

photo credit: Dell Women's Entrepreneur Network 2014 - Austin via photopin (license)