Attorneys Warn of Increased Risk of Big Data Breach Lawsuits

Two attorneys for a prominent law firm warn that courts are starting to look more favorably on class-action lawsuits brought by data breach victims, who historically have had trouble proving actual damages from the thefts.

“A recent survey of data breach litigation found that the average settlement award in these cases was approximately $2,500 per plaintiff, with mean attorneys’ fees reaching $1.2 million,” wrote Sharon R. Klein and Jeffrey L. Vagle of Pepper Hamilton LLC. Despite those awards, companies often have been able to resist class-action lawsuits. “A pivotal question for standing is establishing injury-in-fact, which has successfully prevented certification of many purported data breach class actions. Recent cases, however, have been breaking down the court’s resistance to class certifications, raising the stakes in data breach and privacy cases.”

The publication comes about a week after a Southern California judge dismissed key arguments in a class-action lawsuit filed after the April 2011 Sony PlayStation hack that put millions of customers at risk of identity theft and fraud.

The judge determined Sony couldn’t be expected to perfectly protect customer data, nor were consumers able to show real damages from the breach.

But the threshold for demonstrating actual or potential harm may be changing at a time when “big data” and cloud computing are raising the level of risk exponentially for companies.

Several recent cases illustrate this shift. In one, a circuit court reversed an earlier dismissal of a lawsuit filed against the New England-based supermarket chain Hannaford Bros., which suffered a sophisticated attack that garnered thieves 4.2 million credit card numbers. Customers sued to recover damages in unauthorized charges, related fees and the cost of purchasing ID theft insurance.

In another, a class-action lawsuit was allowed to continue after a judge ruled there was sufficient evidence of two instances of identity theft after a health plan provider lost two laptops containing unencrypted patient data for more than a million people.

Privacy class actions can be particularly problematic for both parties, the attorneys said, because of conflicts of interest. In one instance, a case against a Sacramento-based health provider was repeatedly delayed until a judge was found who was not a victim in the massive data breach.

But it’s how businesses handle big data that could prove the tipping point.

“The greater a company’s use or retention of protected customer data, the greater the risk of exposure to these class-action suits,” the report said. Netflix, for instance, was sued after turning over huge batches of anonymized customer data for a contest to improve its movie recommendation algorithm. The company eventually settled in 2010 by establishing a $9 million fund for privacy groups.

“The likelihood of a data breach or privacy issue occurring in any business has become a virtual certainty,” the attorneys conclude. “Class action lawsuits stemming from such incidents have upped the ante with the potential of millions of dollars of attorneys’ fees if not damage recoveries.

“All companies would be prudent to increase their risk mitigation efforts to beef up administrative, technical, and physical security to prevent data breaches coupled with enforcing security and privacy policies and procedures and strengthened indemnification provisions with third parties who have access to a company’s data. Such measures may also serve to convince a court that no likelihood of actual damages from an actual injury-in-fact exists upon which a class action lawsuit can be based. Companies should also evaluate their insurance coverage, and confirm that they have a liability policy in place that specifically covers the costs associated with data breaches and related incidents.”