Washington Legal Foundation's Legal Backgrounder: Targeting Harm From A Breach: Plaintiffs' Lawyers Get Creative In Data Privacy Suits

One day after retailer Target confirmed hackers had penetrated its computer systems, compromising the personal information of up to 110 million people, the company offered customers free credit-monitoring services and identity-theft insurance. With consumers' trust on the line, Target sought to reassure them it would protect vulnerable personal data by enlisting an outside service to watch for fraudulent activity.

There was more to Target's offer, five days before Christmas, than holiday altruism or crisis-management. Target could anticipate an avalanche of data-privacy lawsuits claiming, among other things, damages stemming from the cost of individuals buying such services. Plaintiffs' attorneys have been energized by a recent federal appellate court finding that a consumer who reasonably responds to a data breach by purchasing identity-theft insurance (or taking similar protective steps) has been "harmed" merely by incurring that expense.1 Indeed, a review by the authors of a dozen data-privacy class-action suits filed against Target following the breach showed that each suit identified credit-monitoring expenses as a basis for damages.

By providing these services free of charge, Target could deprive plaintiffs of one claim of "harm."

Target's offer was the latest in the cat-and-mouse legal game playing out between breached companies and the plaintiffs' lawyers who invariably and instantaneously go after them. Five years ago in a Washington Legal Foundation (WLF) Legal Opinion Letter, Professor Raymond T. Nimmer predicted a wave of data-privacy litigation, and questioned whether the suits would founder on the issue of injury or harm.2 The Target class actions underscore Nimmer was right on both counts, and illustrates the creative new theories plaintiffs' lawyers are developing to show "injury."

In 2012, at least 44 million records were compromised in 621 confirmed data breaches globally.3 In California alone, 2.5 million people experienced breaches of their Social Security numbers, credit card and bank accounts, and other sensitive information through 131 data breaches.4 The resulting litigation trend is growing because plaintiffs' lawyers are increasingly savvy and aggressive in exploiting state and federal law. A recent survey of corporate counsel nationwide indicated nearly half anticipate growth in consumer fraud and privacy class actions, versus 15 percent a year earlier; the companies spend an average of $3.3 million defending class actions of all types.5 A conference of class-action lawyers held last year to share lessons learned from the first wave of privacy-related suits, and to hone new strategies, is another clear signal that such litigation will continue.6

Yet Professor Nimmer also presciently questioned whether plaintiffs could establish actual harm in such cases. And as noted on WLF's blog, The Legal Pulse, for this reason courts have not been very receptive to these lawsuits.7 Companies have defended themselves through a variety of methods, often winning dismissal of the cases in the early stages. One fundamental problem plaintiffs face is proving they were injured by a company's data collection methods, or even by a breach. This requirement of injury trips up plaintiffs as they try to establish standing in federal court, and as they seek to prove they have suffered a cognizable injury, i.e., harm for which the jurisdiction will grant relief.

To show standing under Article III of the U.S. Constitution, a plaintiff must establish "an injury-in-fact" that is "concrete and particularized."8 For years, the "injury-in-fact" requirement was defendants' reliable bulwark against data-privacy suits, resulting in the dismissal of the vast majority of these actions because plaintiffs could not prove concrete injury from privacy "invasions" such as the lost value of information gathered by cookies. The majority of courts continue to reject most of the injury-in-fact theories plaintiffs have advanced. For example, most courts have turned aside claims that data breaches injured plaintiffs merely by increasing the risk of identity theft, or elevating plaintiffs' fear of such theft.9 Courts have also carefully restricted...