BreachExchange mailing list archives

Lawyers: Defendants concede too fast in data breach suits


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 24 Jun 2014 19:13:09 -0600

http://www.post-gazette.com/business/legal/2014/06/24/Lawyers-Defendants-Concede-Too-Fast-in-Data-Breach-Suits/stories/201406170020

Plaintiffs are increasingly winning in the earlier stages of data breach
litigation and defendants may be helping set unrealistic settlement figures
out of a fear of going through discovery, attorneys on both sides of the
issue agree.

“Instead of thinking of ways to make [the plaintiffs lawyer’s] life more
difficult and fight class certification, people are settling,” said Baker &
Hostetler data privacy lawyer Theodore J. Kobus III. He was speaking on a
panel to a Philadelphia ballroom full of cybersecurity professionals
attending NetDiligence’s annual Cyber Risk and Privacy Liability Forum.

“Are we going to stand up and challenge them on class certification and
summary judgment?” asked Ronald I. Raether Jr., a partner at Dayton,
Ohio-based Faruki Ireland & Cox.

Chandler Givens of Edelson PC was the lone plaintiffs lawyer on the panel —
and the subject of a lot of lighthearted ridicule from the other panelists.
But he may be getting the last laugh as courts across the country,
regardless of state politics or which administration appointed the judge,
are increasingly demonstrating what Mr. Raether described as a lack of
patience with companies’ handling of data.

From Mr. Givens’ perspective, courts are beginning to realize the impact
that data breaches have on those affected. So when a proposed class of
plaintiffs say their data were breached, but they have yet to suffer harm,
judges are increasingly finding that those plaintiffs still have standing
to sue.

Mr. Givens likened plaintiffs data-breach litigation to Pac-Man — when the
ghost comes, you run the other way.

“There is always going to be a way to plead your case based on what is
happening in other circuits, and we’re going to find those and latch onto
them,” he said.

Mr. Kobus said these cases don’t have to be about fear. He said plaintiffs
are “preying on” defendants’ fear by using “outdated” statutory damages
claims.

He noted one case he settled involved a $1.2 million settlement for a class
of 750,000 people while another case involving 20,000 potential class
members settled for $3.3 million. Pricing is difficult, particularly when
actual harm hasn’t occurred yet, Mr. Givens said. But courts have shown
skepticism toward settlements that consist only of credit monitoring, he
said.

“You are essentially filing a lawsuit knowing you have a class that doesn’t
have damages,” said Robert Parisi, managing director and national cyberrisk
practice leader for insurance and risk management company Marsh.

Robin Campbell, an attorney with Crowell & Moring and founder of Click 4
Compliance, said the biggest trend since the highly publicized Target data
breach has been on cleaning up vendor contracts and ensuring vendors are
going to pay if they are the cause of a company’s breach. Mr. Kobus noted
there is a lot more pushback from vendors now, however, in an attempt to
limit their liability.

Mr. Givens said it is important for a company to have a consistent message
between what it says in its breach notification letter, what it tells the
general public and what its lawyers are saying. If one message says there
were 50,000 people affected by the breach and another says there were
20,000, Mr. Givens said he could paint the picture for the court that the
company doesn’t have a handle on its data.

The first thing plaintiffs lawyers ask for is the company’s written
security policy and vendor management contracts.

“If you live by your policy, it’s difficult for us to make a case,” Mr.
Givens said.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/