If you ask Jay Edelson, he'll tell you things are about to get significantly better for class-action litigants on the plaintiffs side. He sees a shift in the way courts are willing or not willing to handle settlements. He's feeling good enough about the future of such cases, in fact, that he announced yesterday three new filings on behalf of Edelson PC, his Chicago-based law firm, recently put forth or with plans to officially file, including one against Bose, for sharing its consumers listening preferences with data miners, and one against Confident, the messaging app Trump campaigners reportedly used to leak news to journalists. The third is against MDLive, which Edelson is suing over alleged patient privacy concerns.
Aside from the new suits, the news that class-actions are on the up and up was part of his message in a session at the IAPP's Global Privacy Summit on Wednesday on "The State of Data Breach Litigation Today," in which Edelson, who runs Edelson PC, and Doug Meal of Ropes and Gray discussed the lay of the land. And no one worth their beans puts on a data breach session without talking Spokeo, in which the Supreme Court held that in order to clear the threshold for Article Three standing to sue, a plaintiff must prove "concrete" injury, though that injury can be intangible. Edelson argued the case for the plaintiff. (For a thorough analysis of the Spokeo case, click here.)
While many people made a big to-do of the Spokeo ruling and what it might mean for the future of privacy litigation — particularly data breach attorneys who saw opportunity in the court's ruling that harms can be intangible — Edelson said it's a mistake to think that just because there's a claim, there's a case.
"The court said the risk of future harm can be enough to have standing, and a lot of data breach lawyers said, 'That's terrific,'" he said. "And I think that's wrong."
That's because you still have to show damages in a breach case. So even if a plaintiff can get past a "motion to dismiss" in court, it's very possible that case then goes nowhere.
"You have to show damages," Edelson said. "In a data breach case, if you have a bad theory, a theory that 'Maybe in 10 years, Doug might get injured,' how are you going to quantify that?"
Edelson said, maybe lamented, there's an entire section of plaintiffs attorneys who have one goal in data breach cases, which is to avoid a motion to dismiss.
"The idea is if you can get by a motion to dismiss, even with a really bad claim, the defense isn't going to want to engage in discovery, and they're going to want some kind of settlement."
That's not something that sits well with Edelson.
"Firms that are doing that are doing such a disservice to data breach law in general and I think to their claims."
Meal and Edelson agreed there are essentially two ways defense attorneys can try cases these days. They can be predicated on actual harm, that is, there was a data breach and data was stolen. Or they can be based on "overpayment theory" if there's a concern actual harm can't be proved. For example, a customer has paid money for a service, and the corporation they paid made promises about the level of data security they could provide, and then failed to uphold those promises.
While Edelson was more upbeat on the "overpayment theory" type of cases, Meal said, in reality, courts aren't really changing their tune on requiring proof that there's been an actual harm.
"There's never been a data breach of any kind involving any situation, no matter how extensive the breach was, where anybody could say they were certainly going to incur an actual, out-pocket, tangible loss," Meal said. "No data breach is ever going to hit the certainly impending loss standard."
But for the plaintiff's side, Edelson said he sees good things happening for plaintiffs in settlements.
"The wind is at our backs, if our backs means people who want better deals for the class," he said. "I think the idea that we're going to have data breach causes that survive motions to dismiss, I'm hoping those days are gone."
Edelson said courts are now interested in seeing data breach cases in which the class itself wins, and not just the plaintiffs' attorneys. And in the case where the damages award will simply pay off the plaintiffs' attorneys and the class itself sees nothing in the end, "courts will find a way to throw away those cases," he said.