BreachExchange mailing list archives

Courts restrict ability of customers and employees to sue companies following a data breach, but risks of other liabilities remain


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 29 Jun 2015 17:39:05 -0600

http://www.lexology.com/library/detail.aspx?g=aa4a0653-2d40-4369-be3c-8f76da0bab1b

Among the multitude of unpleasant issues facing a company whose network has
been breached is potential liability to customers and employees whose
personal information has been compromised. However, recent district court
decisions from around the country continue to limit the opportunity of
those customers and employees to have their day in court. Specifically,
these cases have held that, in order for a customer or employee whose data
has been stolen to gain standing to sue the company that experienced the
breach, the customer or employee must show that the stolen data was, in
fact, used to the customer or employee’s financial detriment. And such
financial detriment must be “concrete.” Increased risk of future harm does
not suffice, damages are not recoverable for “mitigation” measures – such
as the purchase of credit monitoring services – taken to protect against
speculative future harm, and an individual’s allegations that he fears such
future harm will generally not be enough to establish a claim for emotional
distress.

In Green v. eBay Inc., the U.S. District Court for the Eastern District of
Louisiana dismissed a putative class action brought on behalf of eBay
customers whose data was stolen when eBay user information was hacked. The
suit alleged that, as a result of eBay’s security failure, Plaintiffs
suffered (a) actual identity theft, (b) improper disclosure of their
personal information, (c) out-of-pocket expenses incurred to mitigate the
increased risk of identity theft and/or identity fraud, (d) the value of
the time they had spent mitigating identity theft and/or identity fraud,
and (e) the deprivation of the value of their personal information. eBay’s
failure, Plaintiffs alleged, violated the Federal Stored Communications
Act, the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, and several
state laws. The Court disagreed. Noting that the “mere increased risk of
identity theft or identity fraud alone does not constitute a cognizable
injury[,] unless the harm alleged is certainly impending,” the Court
dismissed the suit in its entirety.

Similarly, in Strautins v. Trustwave Holdings, Inc., the U.S. District
Court for the Northern District of Illinois granted Defendant’s motion to
dismiss Plaintiffs’ class action lawsuit seeking damages stemming from the
hacking of the South Carolina Department of Revenue. The data breach had
exposed in excess of 3.5 million social security numbers, 380,000 credit
and debit card numbers, and the tax records of more than 650,000
businesses. Plaintiffs alleged that they had not received timely and
adequate notification of this breach, and that the breach had resulted in
the improper disclosure of their personal information, loss of privacy, the
need to incur out-of-pocket mitigation expenses (relating both to dollars
spent and time expended), and deprivation of the value of their personal
identifying information. They also alleged that Defendant, by failing to
protect their data, had violated their rights under the Fair Credit
Reporting Act. The Court, however, found that Plaintiffs’ “claims of injury
. . . [were] too speculative to permit the complaint to go forward.”
“Allegations of possible future injury are not sufficient to establish
standing,” the Court held. Instead, the “threatened injury must be
certainly impending.” (Emphasis in original.)

Even if a plaintiff can show that a hacker used the data it stole from
plaintiff’s employer or merchant, such use may not suffice to confer
standing on the plaintiff, unless he can also show that he suffered
financial harm as a result. In Peters v. St. Joseph Services Corp., for
example, hackers infiltrated a health care system provider’s network and
accessed personal information of patients and employees, including names,
social security numbers, birthdates, addresses, medical records, and bank
account information. Even though there was an attempted purchase on
Plaintiff’s credit card, which she declined when she received a fraud
alert, the U.S. District Court for the Southern District of Texas held that
Plaintiff did not have standing to bring suit. The basis for the Court’s
holding was that Plaintiff’s allegation that the breach exposed her to
certainly impending or substantial risk of identity fraud/theft was too
speculative and attenuated to constitute injury-in-fact. Notably, she was
unable to “describe how [she would] be injured without beginning the
explanation with the word ‘if.’”

Notwithstanding the above decisions, companies should continue striving to
establish legal and technological protections against data breaches and
exposure to related liability. Even where class actions and other
litigations fail, federal agencies and state attorneys general may continue
to investigate data breaches and take enforcement actions. (Many have, the
Massachusetts Attorney General being one example.) These actions can
include, among other things, significant fines and increased oversight of
the company’s data privacy and security compliance. And, of course, the
potential consequences of data breaches do not end there. Companies that
experience a breach may also suffer damage to their brand and to employee
morale.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
