

What’s next in consumer data breach litigation? Minimizing the risk

The language of agreements may very well become pivotal in determining whether claims survive the pleadings stage

In this series of articles, we examined the challenges plaintiffs historically encountered in bringing privacy and data breach claims, and the recent attempts by plaintiffs’ counsel to overcome these obstacles by casting claims under alternate legal theories. In this final installment we now examine the impact these emerging trends may have on companies and how their own end-user agreements and privacy policies might, unintentionally, create an opening for similar claims.

As we have seen, plaintiffs recently achieved some success by framing their data breach claims in common law misrepresentation and related legal theories. For instance, in the Sony Gaming Network case, the plaintiffs alleged that Sony’s privacy policy and end-user agreements misrepresented the steps Sony would take to secure customers’ personal information by using industry-standard encryption to prevent unauthorized access to sensitive financial information. Upon review, the Sony court held that misrepresentation claims passed legal muster under California state law and allowed them to proceed. It further observed that, although Sony disclaimed the ability to provide “perfect security,” there was an issue of fact regarding plaintiff’s allegation that “Sony’s representations regarding ‘reasonable security’ were deceptive, in light of Sony’s additional representations regarding ‘industry-standard’ encryption.”

Similarly, in the LinkedIn data breach case, misrepresentation claims survived based on allegations that plaintiff “purchased her premium subscription on the basis of LinkedIn’s statement that its users’ data will be secured with industry standards and technology, … that the statement was false when she read and relied on it, and … that she would not have made the purchase (or that she would have negotiated for a lower price) but for the misrepresentation.” The court concluded that plaintiff’s alleged injury — the very purchase induced by the misrepresentation — was “fairly traceable to LinkedIn’s conduct because LinkedIn made the misrepresentation ….”

These cases underscore that privacy policies and end-user agreements will be subject to increasingly intense scrutiny in the event of a data breach. Indeed, the language of those agreements may very well become pivotal in determining whether claims survive the pleadings stage. It is for this reason that companies should now examine their existing privacy policies and end-user agreements with a critical eye to determine whether they likewise might be vulnerable to misrepresentation and omission-style claims.




Reasonable expectations


First, policies should be examined with regard to any affirmative statements about the company’s data protection practices. What statements are made in those policies regarding the handling of consumer data? Do they promise more than intended, or more than can be delivered, and how might those statements appear to the average consumer? In this regard, companies should never assume that their policies will not be read or will not impact a purchasing decision. As the LinkedIn case made clear, the mere allegation that plaintiff relied on a written privacy policy in subscribing to LinkedIn’s service was sufficient to constitute a legally cognizable claim. For better or worse, companies must assume that even the most obscure elements of their policies will impact consumer behavior and potentially give rise to such claims.

Second, companies should look beyond the language used in written policies and examine the actual practice of the company in providing security. Policy language that is clear and direct may nevertheless become misleading when compared against what the company actually does. If the company does not provide the very same level of security set forth in its written policy, or attempts to provide it by means that differ from those stated in its policy, one can be sure that those differences will be exploited by plaintiffs’ counsel. Therefore, if a careful assessment reveals discrepancies between the written policy and actual practice, companies should either revise the policy to conform as much as possible to their practice, or else revise the practice to conform to the policy.

Third, what is not stated in the company’s privacy policies and end-user agreements is just as important as what is stated explicitly. For instance, in the Sony case, the court found that plaintiffs had sufficiently pled fraud-based “omission” claims under California law. Those claims included allegations that Sony omitted material facts regarding the security of its network, including allegations that it failed to install and maintain firewalls and utilize industry-standard encryption. Any review of policy language, therefore, must include consideration of whether the policy, as written, paints an incomplete picture of the company’s actual capabilities or practices. Again, a candid assessment of the company’s day-to-day operations may reveal that additional disclosures should be made to avoid potentially misleading the consumer.

Fourth, and perhaps most importantly, companies should embark on a deliberate program of auditing written policies on a regular basis. Actual day-to-day operations may have a tendency to slip away from the policy over time, or may demonstrate that the language of the policy is unworkable or outdated. In either case, regularly scheduled formal audits may help to identify potential issues and give the company an opportunity to prevent gaps from developing between policy language and its practices.

Ultimately, no privacy policy or end-user agreement may ever be so airtight as to preclude claims such as misrepresentation, but there are common sense steps a company can take to minimize its risk. Further, given the recent traction plaintiffs have been gaining with these claims in court, it is imperative that companies engage knowledgeable counsel to participate in the review, revision or creation of well-written policies that not only accurately capture existing practices, but deter plaintiffs’ counsel from targeting the company in the first place.

Contributing Author


Stephen M. Prignano

Stephen M. Prignano is a partner in the Providence, Rhode Island office of Edwards Wildman Palmer LLP. His practice focuses on the defense of class...


Contributing Author


Matthew Murphy

Matthew Murphy is an associate in the Providence, Rhode Island office of Edwards Wildman Palmer LLP. His practice focuses on commercial litigation, insurance coverage and...
