Data Breaches And Litigation: It's The American Way

Article by Larry L. Varn1

Originally published in the December 2011 issue of inFocus, PRISM's Quarterly Journal

  1. Introduction

    According to Gartner, Inc., a Stamford, Connecticut-based information technology research and advisory firm, approximately 7.5 per cent of adults in the United States lost money as a result of some sort of financial fraud in 2008, in large part because of data breaches.2 The non-profit Privacy Rights Clearinghouse has reported that between April 2005 and November 2011, more than 542 million records have been breached or compromised from 2,761 data breaches that were made public. Data breaches have involved financial information such as banking or credit card details, personally identifiable information such as names, addresses and social security numbers (PII), personal health information (PHI), trade secrets or intellectual property of businesses, or confidential government information. Data breaches have resulted from inadvertent or accidental incidents, such as the loss or theft (for other purposes) of digital or hardcopy media, including laptops, computer tapes, hard drives, flash drives and medical or financial records; sophisticated criminal activities commonly known as "hacking"; the inadvertent transfer of information to individuals or entities who are not authorized to receive or view it; or the deliberate transfer of such information to a potentially adverse party, such as a competing business or foreign nation.

    Well-publicized incidents are now legion, and include:

    In April 2011, Sony announced a massive data breach arising from theft by hackers of the Sony Playstation® Network, Sony Entertainment Online and Sony Pictures resulting in the compromise of the credit and debit card data of up to 100 million users involving more than 12 million cards. Sony estimated that breach remediation measures alone would cost it at least $171 million, and no fewer than 55 putative class actions were filed against Sony in the United States and another three such actions were filed in Canada.3

    In January 2009, Heartland Payment Systems announced that it had been the victim of a criminal security breach, possibly as part of a "global cyber fraud operation". Estimates were made that up to 100 million cards from more than 650 financial services institutions were compromised.

    In March 2008, Hannaford Brothers Co., a national grocery chain based in Maine, announced that the security of its information technology (IT) systems had been breached, leading to the theft of as many as 4.2 million debit card and credit card numbers belonging to individuals who had made purchases at more than 270 of its stores. Hannaford also announced that it had already received reports of approximately 1,800 cases of fraud resulting from the theft of those numbers, with authorized charges originating around the globe, including Spain and France. Twenty-six (26) separate lawsuits followed which were consolidated in federal court in Maine.

    In January 2007, TJX Companies, Inc., a retailer operating major chains such as TJ Maxx and Marshalls, announced the theft by hacking of more than 45 million individual records from its computer system. The scheme ultimately led to criminal charges against 11 individuals and resulted in several class action lawsuits.

  II. A "Burgeoning Area" of Litigation

    Given these statistics and events – not to mention thousands of other less-publicized incidents – it should come as no surprise that data breaches have led to multitudinous, complex and expensive litigations, many in the form of putative class actions. I am sure that the celebrated and respected English jurist Lord Denning would have predicted cases of this type when he remarked nearly 30 years ago: "As a moth is drawn to the light, so is a litigant drawn to the United States. If he can only get his case into their courts, he stands to win a fortune."4 These claims are thus part of what one judge has dubbed a "burgeoning area of law"5 and another has explained:

    Database breaches appear to provide the basis for a new breed of lawsuits, and especially class action lawsuits, in which plaintiffs allege, as here, that the database handlers' negligence in developing and maintaining security measures have resulted in otherwise personal and confidential information being compromised, thereby increasing the risk of identity theft for those individuals whose information was so compromised. The remedies sought in these actions vary, but generally include costs for credit monitoring, costs for closing and opening financial accounts, and damages for emotional distress.6

    In addition to being a new area of law, claims arising from data security breaches are almost always brought in federal court.7 To date, however, although the response and remediation costs resulting from data breaches can be very substantial, and the media scrutiny can be unforgiving, the ensuing lawsuits by affected (or potentially affected) consumers have fared very poorly, particularly in those cases where the plaintiffs cannot establish any actual misuse of information or any actual, quantifiable monetary damages but claim only such items as "an increased risk of harm", anxiety, increased apprehension and general aggravation. It is only in those cases where plaintiffs have been able to establish actual, fraudulent misuse of the compromised information that they have had any meaningful success in recovering their actual, provable damages, or where they have incurred actual costs or expenses in response to a credible threat of identity theft.

    In determining whether to allow a claim in this area – generally grounded in theories of negligence or breach of express or implied contract – to go forward, our federal courts are required to answer two questions. First, do these claims involve a sufficient injury-in-fact to confer standing to sue in federal court under Article III of the United States Constitution? It is only if this question is answered in the affirmative that the court must then ask: do these claims involve compensable damages under the governing state's law?8

  2. "Standing" Under Article III of the U.S. Constitution

    Article III, Section 2 of the Constitution "limits the federal judicial power to the resolution of 'cases and controversies'". One well-settled element of the "case or controversy"9 requirement is that a plaintiff must establish "standing" to sue, as to which the Supreme Court has held that "the 'irreducible constitutional minimum' of standing under Article III requires a plaintiff to establish three elements: an injury in fact..., a causal connection between the injury and the conduct complained of, and substantial likelihood of remedy".10 The first requirement – injury in fact – has been defined by our federal courts as "an invasion of a legally protected interest that is (a) concrete and particularized, and (b) actual or imminent, not conjectural...
