funsec mailing list archives

Data Breach Litigation – A New Wave of Class Actions by Financial Institutions


From: Jeffrey Walton <noloader () gmail com>
Date: Thu, 14 Aug 2014 21:18:50 -0400

http://www.jdsupra.com/legalnews/data-breach-litigation-a-new-wave-of-c-02451/

Rarely does a day go by without news of a data security breach.
According to the Identity Theft Resource Center, there have been a
total of 447 data breaches to date this year, which represents a 20.5%
increase over the same time period last year (371 breaches).  The
majority of courts ruling on individual common law claims arising from
data security breaches has dismissed the claims primarily based on
lack of standing or lack of damages for failing to prove actual harm.
However, the tide is turning starting with the U.S. District Court for
the Northern District of California denying a motion to dismiss
recognizing an ascertainable value and/or property right inherent in
consumers’ personally identifiable information.  Claridge v. RockYou,
785 F. Supp. 2d 855 (N.D. Cal. 2011).

After several high-profile data breaches, i.e., Target, Neiman Marcus,
eBay, Michaels Stores, there has been an increase in class action
lawsuits filed.  Shareholders are weighing in, too, resulting in
shareholder derivative suits based upon data security breaches.  See,
e.g., Palkon ex rel. Wyndham Worldwide Corp. v. Holmes, No.
2:14-cv-01234 (D.N.J. filed Feb. 25, 2014).

Now, financial institutions are joining the legal battle over data
breaches.  In Winsouth Credit Union v. MAPCO Express, Inc., No.
3:14-cv-01573 (M.D. Tenn. filed July 31, 2014), a retail credit union
that issued Visa debit cards to its customers filed suit on behalf of
all similarly situated financial institutions against a convenience
store corporation and its parent company.  The claims relate to a data
breach of plaintiff’s debit cards used by its customers at the
defendant’s retail stores.  The alleged damages include (i) cancelling
customers’ debit cards, (ii) reissuing debit cards with new account
numbers, (iii) reimbursing fraudulent charges or reversing fraudulent
charges, (iv) lost interest and transaction fees (including lost
interchange fees); (v) administrative expenses associated with
monitoring and preventing fraud; (vi) administrative expenses
associated with addressing customer confusion and fraud claims; and
(vii) “potential damages” to plaintiff’s reputation and lost
customers.

The costs of a data breach can be significant.  According to the 2014
Cost of Data Breach Study: Global Analysis, the average cost to a
company suffering a data breach is $3.5 million in US dollars and 15%
more than what it cost last year.

Given the new threat of financial institutions suing companies for a
data breach, preventative planning is critical.  In-house counsel
should not delay establishing or improving a company’s cyber security
program.  A risk assessment of a company’s data security system
(performed by a third party vendor – not internal IT employees) should
involve outside counsel to preserve the attorney-client privilege
applicable to any reports or other communications relating to the
assessment.  A data breach plan should be instituted before a data
breach occurs and shared with key management, not only C-suite
executives.  A company’s preparation and planning should be with
stakeholders, a critical step often overlooked.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
