CYBER LIABILITY: DEFENDING THE DATA BREACH LAWSUIT
Stuart T. O’Neal, Esq.
Anthony S. Cottone, Esq.
1
Why Data Breach and Cyber Liability
• Data Breach and Cyber Liability a Hot Topic
• Every business or professional organization stores vast
amounts of consumer and other business information
digitally.
• Information is vulnerable to breaches, which compromise
privacy.
• The number of publicized breaches continues to grow, and
we see stories in the news constantly regarding the serious
fallout from data breaches.
• Being prepared in the event of a breach is vitally important to
bounce back from the breach, and/or defend against potential
liability.
2
What We Will Discuss Today…
• Current Business Trends involving Personally
Identifiable Information (PII)
• What is PII?
• How Can Data Security be Breached?
• The Danger of PII Being Compromised
• Data Breach Lawsuits
• Plaintiffs’ Attorney’s Strategy/Causes of Action
3
What We Will Discuss Today… (cont.)
• Successful Theories of Defense
• Current State of Case Law/Precedent
• What can we Learn from the Current Case
Law/Precedent
• What can we Anticipate moving Forward
• Resources
• Questions and Answers
4
What is PII?
• Definition of “Personally Identifying Information”
– Any information which can be used to distinguish or
trace a natural person’s identity
– Including but not limited to financial and/or health
information
– Which is linked or linkable to a specific natural person.
5
How Can Data Security be Breached?
• Domestic/International Hackers
• Internal Leaks
• Accidental Leaks
• Actual, physical theft of information
6
The Danger of PII Being Compromised
• Bad Press/Future Impact on Business
• Potential Civil and Criminal Penalties
• Costs of Correction
• Costs of Litigation
• Potentially Large Settlement/Judgment Values
7
Data Breach in the News…
• Home Depot – 56 Million Credit Card Numbers
• Staples – 1.16 Million Customer Payment Cards
• Target – 40 Million Credit Card Numbers (recent
settlement)
• South Carolina Dept. of Revenue
• TRICARE Management Activity – Largest HIPAA
breach in history
8
Most Recent Cases in Litigation
• Ashley Madison Data Breach
– Hackers compromise personal information of users,
including personal information and private messages
– Some even paid fee to have their information deleted
– Users from California, Texas, Missouri, Georgia,
Tennessee and Minnesota seek class-action
certification
– Estimated class of 37 million users
– Claims of negligence, breach of contract, violations of
privacy in failure to take reasonable steps to protect
the security of its subscribers
9
Most Recent Cases in Litigation
• Sony Pictures Entertainment Data Breach
– PII disclosure perpetrated by North Korean Hackers in
retaliation for the release of the movie “The Interview”
– Not simply consumer financial information, but employee PII
– Plaintiffs alleged, inter alia, the possibility of identity theft
– Employees provided $1 million in identity theft insurance
protection
– Sony asserted no successful identity theft has occurred
– Also argued the difficulty in proving fraud being traced to
breach
– Settlement pending Court approval
10
Plaintiffs’ Causes of Action
• Individual Lawsuits or Class Actions?
• Breach of Express/Implied Contract
• Breach of Fiduciary Duty
• Unjust Enrichment
• Negligence
• State Statutory Claims
• Federal Statutory Claims
11
Current State of Case Law/Precedent
• Injury in Fact – No Article III Standing
– In Re: Google Inc. Cookie Placement Consumer
Privacy Litigation, 988 F.Supp.2d 434 (USDC Del.
2013)
– Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011)
– Clapper v. Amnesty International, 133 S. Ct. 1138
(2013)
13
Injury in Fact – No Article III Standing
• Clapper v. Amnesty International (2013)
– Challenge to provision of FISA, regarding authorization
of government electronic surveillance of non-U.S.
persons outside the U.S. for foreign intelligence.
– Article III standing did not exist, as there was no injury
in fact.
– “Thus, we have repeatedly reiterated that threatened
injury must be certainly impending to
constitute injury in fact.” Id. at 1147 (citations and
quotations omitted)
– While factually not related to data breach, Clapper has
been applied many times, requiring dismissal.
14
Current State of Case Law/Precedent
• Injury in Fact Found
– In Re: Sony Gaming Networks and Customer Data
Security Breach Litigation, 996 F.Supp.2d 942 (S.D. Ca.
2014)
• Plaintiffs “plausibly alleged a ‘credible threat’ of impending
harm[.]” Id. at 963.
– Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th
Cir. 2015)
• In addition to future injuries, Plaintiffs asserted lost time and
money protecting against future identity theft and fraud.
• “The injuries associated with resolving fraudulent charges
and protecting oneself against future identity theft” satisfy
injury in fact. Id. at 696.
15
Current State of Case Law/Precedent
• Class Certification
– In re Hannaford Bros. Co. Customer Data Breach
Security Breach Litigation, 293 F.R.D. 21 (D. ME
2013)
• Data breach disclosing customer credit card information.
• Predominance element for class action not found, as “without
an expert, they cannot prove total damages, and the
alternative. . . is a trial involving individual issues for each class
member as to what happened to. . . data[.]” Id. at 33.
• Actual effect and mitigating steps taken by class members
differed too much to be certified as class.
• Cited by Sony Pictures Entertainment in challenge to class
certification of data breach litigation.
16
What Can We Learn?
• Defense attorneys have two strong arguments, arising
early in litigation, to defeat data breach lawsuits.
• Challenges to Injury in Fact and Class Action
Certification could significantly devalue such cases,
thus leading to a desirable result for your client.
• This is evidenced by the relative value of settlements
early in litigation in comparison to the number of class
members.
• HOWEVER…..
17
What Can We Anticipate Moving Forward?
• Plaintiffs’ Attorneys
– Altered strategies to counterattack the negative precedent
– Federal district courts and circuit courts have already distinguished
themselves from Clapper. (See California)
• Legislature
– New statutes and initiatives are out there that could strengthen and
broaden the ability to bring litigation for Data Breach.
• California Voters voting on “presumption of harm” in privacy breach
cases.
• Data Security and Data Breach Notification Act in front of the Senate.
• Federal Trade Commission Bringing Lawsuits for lazy cyber security.
• Closely monitor your Jurisdiction to be aware of new
developments.
18