BreachExchange mailing list archives

Time for defendants to reassess risk in data breach class actions?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 6 Jan 2015 19:23:45 -0700

http://blogs.reuters.com/alison-frankel/2015/01/05/time-for-defendants-to-reassess-risk-in-data-breach-class-actions/

Based on sheer numbers of people affected, I doubt there’s any litigation
bigger than data breach class actions. Information on hundreds of millions
of consumers has been exposed by hackers who overcame corporate
cyber-defenses at banks and retailers such as JPMorgan Chase, Home Depot
and eBay. That’s an awful lot of plaintiffs for privacy breach defendants
to face.

For the past two years, corporations have had a very effective way to get
out of these cases early. As I’ve told you in a bunch of previous posts,
data breach defendants were quick to capitalize on the U.S. Supreme Court’s
2013 decision in Clapper v. Amnesty International, which tweaked the
criteria for standing to sue in federal court. (The vast majority of big
class actions are litigated in federal court under the Class Action
Fairness Act of 2005.) In Clapper, the justices said that Article III of
the U.S. Constitution requires plaintiffs in federal court to allege an
actual or “certainly impending” threat of injury from the defendant’s
conduct. Plaintiffs can’t establish standing by speculating that they might
be harmed in the future, according to the Supreme Court opinion, nor even
by showing that they spent time and money to ward off that potential harm.

Since Clapper, more than a half-dozen federal judges have dismissed data
breach class actions, concluding that consumers don’t have constitutional
standing to sue just because their personal data was compromised. Last
January, after Target disclosed that hackers had stolen information on tens
of millions of its customers, I predicted that Clapper would also spell
doom for consumer class actions against the retailer.

I turned out to be completely wrong – and that’s making me question whether
I’ve been too quick to assume that data privacy class actions are more of a
nuisance than a real risk for hacked companies.

Last month, U.S. District Judge Paul Magnuson of Minnesota ruled that
consumers can move forward with their nationwide class action against
Target. (The judge did dismiss some state-law claims against the retailer.
He previously denied Target’s motion to dismiss a parallel class action by
financial institutions suing over the cost of replacing customers’ credit
and debit cards.) Magnuson said class counsel at Heins Mills & Olson had
provided sufficient allegations that name plaintiffs suffered actual harm
from the compromise of their personal information, including “unlawful
charges, restricted or blocked access to bank accounts, inability to pay
other bills, and late payment charges or new card fees.” Those claims were
enough to establish their constitutional right to sue in federal court,
according to Magnuson.

The Target decision doesn’t do much to clarify the law on Article III
standing in data breach class actions. Judge Magnuson disposed of the issue
in a mere few paragraphs. He didn’t so much as mention Clapper v. Amnesty
International, even though Target’s motion to dismiss and the class memo in
opposition each devote many pages to discussing Clapper’s impact on the
case. (The judge instead referred in his analysis of constitutional
standing to the 1992 Supreme Court case Lujan v. Defenders of Wildlife.) In
that regard, Magnuson’s Target opinion is a missed opportunity to use one
of the biggest data breach cases in the courts to shape precedent.

But the ruling certainly shows that plaintiffs’ lawyers in privacy class
actions should pick name representatives carefully. Target’s lawyers at
Ropes & Gray had argued that half of the more than 100 named plaintiffs in
this case hadn’t even alleged any actual injury. Magnuson focused instead
on the complaint’s allegations of the concrete harm the data breach caused
in other plaintiffs’ finances. Heins Mills deserves credit for a smart,
strategic pleading that anticipated Target’s standing defense.

Magnuson, moreover, is at least the fourth federal judge to find that
Clapper doesn’t preclude standing for data breach class action plaintiffs.
(I incorrectly reported last month that only one privacy class action
ruling before Target distinguished Clapper.) Judges presiding over cases
against Sony (for a previous hack of its gaming system data), Michaels
Stores and Adobe Systems all permitted class actions to proceed to
discovery despite defense challenges under Clapper to the plaintiffs’
constitutional standing to sue. More judges have gone the other way, as
Target documents in its filings before Judge Magnuson. But the tally isn’t
as lopsided as it used to be.

And that means additional risk for data breach defendants. As Magnuson said
in his opinion, Target can still argue on summary judgment that the
plaintiffs don’t have standing. The retailer can also, of course, contest
the certification of a class of consumers who haven’t all suffered the same
supposed harm. The reality of leverage in class actions, however, is that
when defendants lose a motion to dismiss, they start to think more
seriously about settling. Sony, for instance, agreed earlier this year to
pay $15 million to settle a class action over the PlayStation hack after
its dismissal motion was denied last January. Think about it: If Target
owes just $1 to everyone supposedly affected by the compromise of its
systems, the class action is a $100 million case.

Proskauer partner Margaret Dale, who specializes in privacy litigation
defense but is not involved in the Target case, said Magnuson’s decision
suggests that as class action lawyers learn to draft complaints to get past
challenges to plaintiffs’ standing, data breach cases will be harder for
defendants to dispose of quickly. “I think these cases are going to go on a
little longer and we’ll see more factual development,” she said. “That’s
because of the ripening of this area of the law.” Defendants will still win
quick dismissals of cases based on speculative abuse of customers’
information, Dale said, but good plaintiffs’ lawyers are going to choose
named representatives who can claim the breach caused them actual harm.

Class counsel Vincent Esades of Heins Mills wasn’t immediately available
for comment. Target counsel Douglas Meal of Ropes & Gray didn’t return my
phone call.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
