In mid-December, Target announced that it had suffered a wide-reaching security breach that potentially affected the accounts of millions of credit and debit card holders. Later reports indicated that the data breach affected even more people than the retailer had originally announced, perhaps as many as 110 million consumers, and that the stolen information included customer names, credit and debit card numbers, card expiration dates, and encrypted personal identification numbers (PINs).
The Target data breach made headlines across the country and did not escape the attention of the plaintiffs’ bar. Two days after Target disclosed the security breach, three separate purported class actions were filed in Minnesota, New York, and California, and many more were filed later in December and in January, with most claiming that Target was negligent in its handling of credit and debit card data by failing to protect consumers’ private information. As of mid-January, over fifty purported class action suits against the retailer were pending across the nation.
Plaintiffs traditionally have a difficult time sustaining privacy class action cases because they often cannot plead, let alone show, actual injury flowing from a data breach — a necessary component of Article III standing and jurisdiction. Some of the newly filed cases against Target and other companies have tried to establish standing by alleging injuries from fraudulent charges, including the cost of monitoring credit and, for financial institution plaintiffs, the costs of notifying customers about compromised debit cards, closing customer accounts, and reissuing cards. However, the U.S. Supreme Court decision last February in Clapper v. Amnesty International USA, a government surveillance case, raises the possibility that at least one of these alleged injuries — the cost of credit monitoring — may be too speculative to satisfy Article III standing requirements. As Justice Alito opined in that case, allowing plaintiffs to bring an “action based on costs they incurred in response to a speculative threat” would “improperly water[ ] down the fundamental requirements of Article III.” The other purported injuries alleged in the Target cases may likewise be found to be speculative, and the future of negligence-based data breach class actions is therefore uncertain.
Companies should not get too comfortable, however. Privacy class actions in which plaintiffs seek statutory damages are on the rise, and some courts are ruling that this type of claim can satisfy Article III standing requirements. For example, in Harris v. comScore, one of the largest privacy class action suits ever filed, the lead plaintiffs were found to have standing, and the purported class was accordingly certified, based on statutory damages under the Electronic Communications Privacy Act, also known as the Wiretap Act, and the Stored Communications Act. Since the decision in comScore, there has been a rise in privacy class action litigation alleging statutory claims such as the ones asserted in comScore (the Wiretap Act and the Stored Communications Act), the Telephone Consumer Protection Act, the Video Privacy Protection Act, and the Computer Fraud and Abuse Act.
Every company that maintains, houses, or moves personal information is at risk of a data breach, but the legal consequences of a breach can be minimized by taking at least the following three steps:
- Free credit monitoring. Both to alleviate reputational injury and minimize alleged damages, follow Target’s approach and offer free credit-monitoring services to at-risk customers. While it is still too early to tell whether the Clapper decision will effectively foreclose the availability of this remedy in litigation, paying for such services will go a long way towards restoring good will with potentially impacted customers, and will eliminate, at the pleading stage, an allegation of harm arising from such costs.
- Engage security breach counsel. Have a security breach response team in place before a breach occurs, including counsel who can provide critical legal guidance with respect to your company’s breach notification obligations. When a data breach occurs, there is very little time to select new counsel, so having your attorneys lined up in advance will prove invaluable.
- Formulate an incident response plan. Since a major data security breach puts any size entity at substantial risk, prevention is the best defense. Formulate a data breach plan. Consider working with privacy counsel. And while it may not be possible to prevent every data breach, being able to demonstrate that reasonable care was taken to avoid the risk will help reduce company liability.