US Data Breaches and Class Actions – It’s No Game
January 15, 2013
Andrew Hill, cyber claims technician at Hill Dickenson, and Paul Schrieffer, founding partner at P.K. Schrieffer LLP
US class action litigation in the aftermath of a data breach is not an “if” but a “when” proposition. Certainly, data breaches significant enough to he reported in the worldwide media are likely to be followed up by plaintiffs’ lawyers in the hope of securing a cash windfall.
Should a business find itself defending a class action arising out of a data breach, exorbitant plaintiff counsel lees are inevitable; but what recovery does the allegedly damaged class have to support these large attorneys’ fees claims?
The now infamous PlayStation Network (PSN) online gaming data breach, perhaps more than any other breach, alerted the international business community to the inherent risks that come with collecting and storing personal information.
The magnitude of the breach, where some 69 million personal and credit card accounts were exposed, together with Sony’s prominent profile as one of the goliaths of the technology sector, led lo unprecedented levels of press coverage (not to mention a sharp fall in Sony’s share price).
Therefore a recent federal court order arising from the In re: Sony Gaining Networks litigation in the US District Court for the Southern District of California of particular interest and should represent a welcome (albeit potentially temporary) development for insurers writingcyber-liability insurance in the US.
The District Court lawsuit was brought by a class based on their fear of future identify theft following the PSN data breach. Sony filed a motion to dismiss the putative class action lawsuit.
While the court determined improperly disseminated information does increase the risk ol future harm and as such is a loss sufficient to satisfy standing (locus standi) (in doing so the District Court acknowledged the somewhat controversial Ninth Circuit decision in Krottner v Starbucks Corp), the courtroom door was swiftly slammed shut when the court held under Cali-fornia law the plaintiffs did not have a cause of action for negligence.
In reaching its conclusion, the District Court observed “danger of future harm, unaccompanied by present damage, will not support a negligence action”.
Remarkably, despite the potential pool of putative class representatives, only two of the named plaintiffs alleged they had suffered a loss; the first, Howe, alleged unauthorized charges were applied to his account and the second, Johnson, alleged he had incurred costs of taking preventative measures.
Howe did not, however, allege the charges resulted from the data breach and Johnson did not allege any “actual” misuse of his data.The District Court noted in the absence of any factual evidence personal information had been misused, such allegations were insufficient to sustain a negligence claim.
I his should be contrasted with Anderson v Hannaford Bros Co, where it was established the plaintiffs’ data was actually used to commit fraud, resulting in unauthorized charges to their accounts. In that case the First Circuit held the plaintiffs’ efforts to mitigate were reasonable and on that basis constituted foreseeable damages.
The District Court’s decision in Hannaford to find standing regardless of whether any actual harm has been established will likely give much encouragement to any plaintiff’s lawyer on the lookout for the next big breach. However, the In re: Sony decision will hopefully deter any frivolous class actions unless the plaintiffs can demonstrate economic loss or some other cognizable injury. All the more reason for companies to purchase data protection insurance to minimize the risk of class action lawsuits should it fall victim of a breath.
The District Court gave the plaintiffs until November 26, 2012 to amend their complaint in an attempt to overcome the District Court’s order.
We will report further as events in this potentially groundbreaking litigation continue.