BreachExchange mailing list archives

Prepare for the inevitable: Post-data breach class actions


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 14 Sep 2015 18:14:45 -0600

http://www.businessinsurance.com/article/20150913/ISSUE0401/309139992/business-insurance-perspectives-preparation-for-post-data-breach

Lightning may not strike twice in the same place, but the same cannot be
said of class action lawsuits.

For this reason companies caught in class actions stemming from data
breaches would do well to consider the precedents they could set by
agreeing to over-generous terms.

The good news for defendants is that the hurdles plaintiffs must surmount
to bring a case to trial are significant. Numerous lawsuits have been
dismissed on the grounds that the plaintiffs failed to show that they were
harmed by a data breach.

One such case occurred last year and is worth reading for the clarity with
which Judge James E. Boasberg of the U.S. District Court for the District
of Columbia analyzes the “thorny ... issues regarding when, exactly, the
loss or theft of something as abstract as data becomes a concrete injury.”

The case involved data tapes, among other items, stolen from a car parked
in a San Antonio garage in September 2011. The car was owned by an employee
of information technology company Science Applications International Corp.,
which handles data for the federal government. The tapes contained personal
information and medical records relating to 4.7 million members of the U.S.
military and their families enrolled in Tricare, the armed forces health
care program.

There is no question that the loss of the data was embarrassing. According
to letters mailed to affected service members by SAIC in November 2011, it
included names, Social Security numbers, addresses, dates of birth and
phone numbers, as well as a variety of medical information. It did not,
however, include any financial data. Moreover, SAIC considered that the
chance of the data being accessed by the thieves or any other unauthorized
party was low because to do so would require “specific hardware and
software.”

Numerous individuals sued, and their lawsuits were consolidated into a
single action. SAIC and three government defendants — Tricare, the U.S.
Department of Defense and its then-secretary, Chuck Hagel — sought to
dismiss the complaint on the grounds that the plaintiffs could show no
injury based on the data breach and therefore lacked standing to sue in
federal court.

The key question then addressed by the court was whether, as alleged by the
plaintiffs, the mere fact that their data had been stolen constituted “a
distinct and palpable harm.” A number of the plaintiffs also claimed that
the time and money they had spent checking their credit (though SAIC had
offered them free credit monitoring) and talking to their banks should be
compensable.

In his ruling, Judge Boasberg gave these arguments short shrift, citing a
variety of court opinions, including a U.S. Supreme Court decision in
Clapper v. Amnesty International USA in 2013, that supported the view that
a threatened injury must be “certainly impending” to afford plaintiffs
standing to sue. If those caught up in a data breach, or any untoward
event, were so alarmed that they spent time and money to protect themselves
from potential harm, that would not, in itself, give them standing. In the
trenchant language of the Supreme Court: “(R)espondents cannot manufacture
standing merely by inflicting harm on themselves based on their fears of
hypothetical future harm that is not certainly impending.”

The plaintiffs' attorneys shot back that, due to the data breach, their
clients were 9.5 times more likely than the average person to become
victims of identity theft. But Judge Boasberg was unmoved. A heightened
risk of identity theft, he said, is not the same as a harm that is
“certainly impending” — the litmus test endorsed by the Supreme Court.

This was not quite the end of the story. The Supreme Court had also
acknowledged that it had sometimes “found standing based on a ‘substantial
risk’ that harm will occur,” prompting plaintiffs to “reasonably incur
costs to mitigate or avoid that harm.” But Judge Boasberg concluded that
the plaintiffs in the SAIC litigation did not clear that hurdle either.

While a more recent Seventh Circuit decision, in Remijas v. Neiman Marcus
Group L.L.C., upheld plaintiffs' standing to sue due to “injuries
associated with resolving fraudulent charges and protecting oneself against
future identity theft” after a data breach, that case involved theft of
credit card numbers that allegedly resulted in actual fraudulent charges on
the affected individuals' cards. This contrasts with the SAIC case, where
no financial data was lost. It would still be quite difficult to establish
standing in a case where the victim of a breach can show only some fear of
future fraud perpetrated at his or her expense. After all, anxiety is still
a far cry from the “concrete, particularized and actual or imminent” harm
that the Supreme Court required.

From this, it should be clear that the precise circumstances of data
breaches need to be carefully analyzed to assess the risk of successful
litigation. Specialty insurer Beazley P.L.C. has helped more than 2,200
organizations manage data breaches and address the third-party liability
risks they pose. From this experience we can identify the following factors
that frequently serve to diminish the third-party risk:

• More than half of the data breaches we have helped clients handle have
been caused by errors or inadvertence in the organization — not theft. In
these situations, it is, of course, possible that the data will fall into
the wrong hands. But it is unlikely that a court would find the mere fact
of such a breach constituted “certainly impending” harm or a “substantial
risk” of harm.

• Data, in all likelihood, were not the principal target of many thieves.
This certainly seemed possible in the SAIC case: The judge, in a
characteristically colorful turn of phrase, said the tapes could be “lying
in a landfill in Texas” after the thief had achieved his or her “main goal
of boosting the car stereo and GPS.”

Of course, there are situations in which these defenses will not apply. In
January, Judge Paul A. Magnuson of the U.S. District Court for the District
of Minnesota allowed a class action against the retailer Target Corp. — the
victim of a massive hacking attack in 2013 — to proceed on the grounds that
the plaintiffs suffered injuries that afforded them standing.

“Target ignores much of what is pled,” the judge wrote, “instead contending
that because some plaintiffs do not allege that their expenses were
unreimbursed or say whether they or their bank closed their accounts,
plaintiffs have insufficiently alleged injury. These arguments gloss over
the actual allegations made and set a too-high standard for plaintiffs to
meet at the motion-to-dismiss stage.”

Based on Judge Magnuson's decision, Target in March agreed to settle the
lawsuit for $10 million. That $10 million is nevertheless modest relative
to the magnitude of the approximately 110 million Target customers
allegedly affected by the data breach. Other settlements have been likewise
low, such as LinkedIn's $1.25 million deal over the exposure of 6.5 million
logins and passwords. Plaintiffs' difficulty in proving damages in these
types of cases ultimately means they pose limited financial threat.

But that will not deter plaintiffs' attorneys from continuing to file
putative class actions after a data breach, thanks in large part to
attorneys' fees. The Target settlement agreement, by way of example, permits
plaintiffs' attorneys to recover as much as $6.75 million, in addition to
the $10 million.

Data breaches can cause consumers massive harm, as well as great anxiety.
The best insurance for businesses addresses both dimensions of the problem,
offering expertly coordinated first-party services to manage the breach and
robust financial protection against third-party liability. In the latter
arena, the distinction between harm and anxiety may prove crucial.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss