CYBER LIABILITY: DEFENDING THE DATA BREACH LAWSUIT

Stuart T. O’Neal, Esq.

Anthony S. Cottone, Esq.


Why Data Breach and Cyber Liability

• Data Breach and Cyber Liability a Hot Topic

• Every business or professional organization stores vast amounts of consumer and other business information digitally.

• Information is vulnerable to breaches, which compromise privacy.

• The number of publicized breaches continues to grow, and we see stories in the news constantly regarding the serious fallout from data breaches.

• Being prepared in the event of a breach is vitally important to bounce back from the breach, and/or defend against potential liability.


What We Will Discuss Today…

• Current Business Trends involving Personally Identifiable Information (PII)

• What is PII?

• How Can Data Security be Breached?

• The Danger of PII Being Compromised

• Data Breach Lawsuits

• Plaintiffs’ Attorney’s Strategy/Causes of Action


What We Will Discuss Today… (cont.)

• Successful Theories of Defense

• Current State of Case Law/Precedent

• What can we Learn from the Current Case Law/Precedent

• What can we Anticipate moving Forward

• Resources

• Questions and Answers


What is PII?

• Definition of “Personally Identifying Information”

– Any information which can be used to distinguish or trace a natural person’s identity

– Including but not limited to financial and/or health information

– Which is linked or linkable to a specific natural person.


How Can Data Security be Breached?

• Domestic/International Hackers

• Internal Leaks

• Accidental Leaks

• Actual, physical theft of information


The Danger of PII Being Compromised

• Bad Press/Future Impact on Business

• Potential Civil and Criminal Penalties

• Costs of Correction

• Costs of Litigation

• Potentially Large Settlement/Judgment Values


Data Breach in the News…

• Home Depot – 56 Million Credit Card Numbers

• Staples – 1.16 Million Customer Payment Cards

• Target – 40 Million Credit Card Numbers (recent settlement)

• South Carolina Dept. of Revenue

• TRICARE Management Activity – Largest HIPAA breach in history


Most Recent Cases in Litigation

• Ashley Madison Data Breach

– Hackers compromise personal information of users, including personal information and private messages

– Some even paid a fee to have their information deleted

– Users from California, Texas, Missouri, Georgia, Tennessee and Minnesota seek class-action certification

– Estimated class of 37 million users

– Claims of negligence, breach of contract, violations of privacy in failure to take reasonable steps to protect the security of its subscribers


Most Recent Cases in Litigation

• Sony Pictures Entertainment Data Breach

– PII disclosure perpetrated by North Korean Hackers in retaliation for the release of the movie “The Interview”

– Not simply consumer financial information, but employee PII

– Plaintiffs alleged, inter alia, the possibility of identity theft

– Employees provided $1 million in identity theft insurance protection

– Sony asserted no successful identity theft has occurred

– Also argued the difficulty in proving fraud being traced to breach

– Settlement pending Court approval


Plaintiffs’ Causes of Action

• Individual Lawsuits or Class Actions?

• Breach of Express/Implied Contract

• Breach of Fiduciary Duty

• Unjust Enrichment

• Negligence

• State Statutory Claims

• Federal Statutory Claims


Important Theories of Defense

• Lack of Injury in Fact

• Challenge to the Class Certification


Current State of Case Law/Precedent

• Injury in Fact – No Article III Standing

– In Re: Google Inc. Cookie Placement Consumer Privacy Litigation, 988 F.Supp.2d 434 (USDC Del. 2013)

– Reilly v. Ceridian Corp., 664 F.3d 38 (3d. Cir. 2011)

– Clapper v. Amnesty International, 133 S. Ct. 1138 (2013)


Injury in Fact – No Article III Standing

• Clapper v. Amnesty International (2013)

– Challenge to provision of FISA, regarding authorization of government electronic surveillance of non-U.S. persons outside the U.S. for foreign intelligence.

– Article III standing did not exist, as there was no injury in fact.

– “Thus, we have repeatedly reiterated that threatened injury must be certainly impending to constitute injury in fact.” Id. at 1147 (citations and quotations omitted)

– While factually not related to data breach, Clapper has been applied many times, requiring dismissal.


Current State of Case Law/Precedent

• Injury in Fact Found

– In Re: Sony Gaming Networks and Customer Data Security Breach Litigation, 996 F.Supp.2d 942 (S.D. Ca. 2014)

• Plaintiffs “plausibly alleged a ‘credible threat’ of impending harm[.]” Id. at 963.

– Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015)

• In addition to future injuries, Plaintiffs asserted lost time and money protecting against future identity theft and fraud.

• “The injuries associated with resolving fraudulent charges and protecting oneself against future identity theft” satisfy injury in fact. Id. at 696.


Current State of Case Law/Precedent

• Class Certification

– In re Hannaford Bros. Co. Customer Data Breach Security Breach Litigation, 293 F.R.D. 21 (D. ME 2013)

• Data breach disclosing customer credit card information.

• Predominance element for class action not found, as “without an expert, they cannot prove total damages, and the alternative. . . is a trial involving individual issues for each class member as to what happened to. . . data[.]” Id. at 33.

• Actual effect and mitigating steps taken by class members differed too much to be certified as class.

• Cited by Sony Pictures Entertainment in challenge to class certification of data breach litigation.


What Can We Learn?

• Defense attorneys have two strong arguments, arising early in litigation, to defeat data breach lawsuits.

• Challenges to Injury in Fact and Class Action Certification could significantly devalue such cases, thus leading to a desirable result for your client.

• This is evidenced by the relative value of settlements early in litigation in comparison to the number of class members.

• HOWEVER…..


What Can We Anticipate Moving Forward?

• Plaintiffs’ Attorneys

– Altered strategies to counterattack the negative precedent

– Federal district courts and circuit courts have already distinguished themselves from Clapper. (See California)

• Legislature

– New statutes and initiatives are out there that could strengthen and broaden the ability to bring litigation for Data Breach.

• California Voters voting on “presumption of harm” in privacy breach cases.

• Data Security and Data Breach Notification Act in front of the Senate.

• Federal Trade Commission Bringing Lawsuits for lazy cyber security.

• Closely monitor your Jurisdiction to be aware of new developments.


Questions?

Stuart T. O’Neal

Anthony S. Cottone

Burns White, LLC

(484) 567-5700

100 Four Falls Building, Suite 515

1001 Conshohocken State Road

West Conshohocken, PA 19428
