Look for additional data breach class action cases, standing decisions and shareholders’ derivative suits in 2016

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.jdsupra.com/legalnews/look-for-additional-data-breach-class-15275/

2015 was a banner year for data breaches and associated class action
litigation. Toward the end of the year, class action cases were filed the
same day as the notification (related post here). Based upon the data
breach fallout in 2015, there is no doubt that 2016 is setting itself up to
be another frenzied year of data breaches.

It used to be that class actions weren’t filed or didn’t make it past a
Motion to Dismiss for lack of standing, and the case law was pretty uniform
until this year. Now, plaintiffs’ attorneys are using new theories of
liability such as benefit of the bargain or state law statutes to defeat
Motions to Dismiss, and several cases, including Tabata, are considered
outliers.

Not only do we predict that data breaches will explode in 2016, but the
corresponding class actions filed following the breaches will be assumed
and not a surprise. We also predict that more decisions will be handed down
at both the federal and state level on standing to sue in a data breach
case, and when you have more cases, it is inevitable that there will be
more outliers. I used to comment frequently about how the case law on
standing in data breach cases is surprisingly consistent. Unfortunately, I
am not sure I will be able to continue to say this in 2016.

And on top of that, companies can also assume that a shareholder’s
derivative suit is in the mix as well. Although the derivative suit against
Wyndham Worldwide was dismissed in October of 2014, these suits have been
filed against Target and Home Depot following those data breaches.

Companies can learn from the Wyndham dismissal now. In that case, Wyndham
was able to show that the directors discussed cybersecurity during board
meetings and did not disregard the risk, because the minutes of the
meetings reflected the discussion of the risk. Cybersecurity is a risk that
boards would do well to pay attention to and document that the board is
questioning whether the organization is taking appropriate measures to
protect its data in order to combat shareholders’ derivative suits.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
Need access to data breach details or alerts when new breaches happen? Risk Based Security's Cyber Risk Analytics 
portal, fueled by the RBS breach research team, provides detailed information on how data breaches occur and which 
vendors to trust. Contact us today for a demo.