Security Technology Executive

MAY-JUN 2018


CYBERTECH

After Your Data Breach
How to defend against private litigation in State and Federal Court

By Christopher E. Hart

A data breach is a business crisis that can have enduring ramifications. While the discovery of a breach can initiate a fire drill – investigating what happened, remediating the security gaps, engaging law enforcement, and complying with state and federal notification laws – even following these steps carefully and thoroughly might not be the end of a company's headaches.

Any company dealing with a data breach also needs to be concerned about follow-on litigation. While litigation can come in the form of defending against a government enforcement suit, litigation can also come in the form of private actions: against employees, consumers, or third parties. This article provides an overview of the kinds of litigation companies have been facing, what legal theories have been used, and what defenses might be employed.

Who Sues?

First, who sues? Consumers, financial institutions, and third parties that have contracts with the companies maintaining personal confidential information or patient health information are the prime candidates. While it might seem obvious that consumers will sue, it is becoming increasingly common to see financial institutions – banks and credit unions that have to issue new credit cards or reimburse consumers – filing class action lawsuits to recoup their (alleged) costs and lost business.

A recent example of this is in the Home Depot data breach litigation, a consolidated multidistrict litigation in the federal district court in the Northern District of Georgia. The actions there included both a consumer class action and a financial institution class action.

As discussed below, consumer class action cases can stand at a disadvantage compared with financial institution class actions because consumers can have a difficult time proving standing or injury: to the extent they have already been reimbursed or cannot prove identity theft, they might not be able to keep their claims in court. Financial institutions might be on firmer footing if they can demonstrate that their costs were somehow caused by the breached company's lack of diligence or unreasonable actions before, during, or after a breach.

Is the Lawsuit Legit?

Second, when do courts allow for lawsuits? This can depend on whether the litigants are in state or federal court. In federal court, plaintiffs must contend with standing requirements: that is, they must overcome the defense that there is no "case or controversy," as required by Article III of the federal Constitution. Once they overcome that hurdle, they must normally also overcome the question of whether they have an injury that is cognizable by a court.

These can be difficult hurdles to overcome. The question of whether plaintiffs have standing in data breach class actions often rises or falls on the question of whether the plaintiffs have alleged actual injury, and not simply the risk or possibility of injury. In a 2013 case, Clapper v. Amnesty International, 133 S. Ct. 1138 (2013), the Supreme Court held that, in order for a plaintiff who alleges future harm to have the necessary Article III standing to sue in federal court, the plaintiff must meet the stringent bar that the harm being claimed is "certainly impending." This has often been successfully used to defeat plaintiffs' claims as being untethered from any actual injury, where a breach has been discovered but plaintiffs could not point to any specific identity theft or other injury that had occurred, only the possibility of such harm.

Having said that, not all plaintiffs have been doomed by bringing a suit where actual injury might be hard to prove. In 2015, the Seventh Circuit decided the important case Remijas v. Neiman Marcus Group, 794 F.3d 688 (7th Cir. 2015), holding that "Clapper does not . . . foreclose any use whatsoever of future injuries to support Article III standing," and that "substantial risk" of harm could be sufficient. Since the Seventh Circuit's decision in Remijas, some sister circuits have made similar rulings – such as the Sixth Circuit, which in one case held that plaintiffs had standing when their personal information was stolen from the Nationwide Mutual Insurance Company computer network. Galaria v. Nationwide Mutual Insurance Co., 663 Fed. Appx. 384, 2016 WL 2728027 (6th Cir. 2016).

Nevertheless, the Article III standing hurdle can be particularly nettlesome. So too can the question of whether any such injury is compensable. Although the legal doctrines might sound arcane to the uninitiated (and I will avoid disentangling these doctrines here), suffice it to say that plaintiffs not only have to show that federal courts have jurisdiction over their claims – that is, that they can claim more than the mere possibility of a future harm – but they also have to show that the harm they are alleging is the kind that a court can hear and that it would be possible for the court to actually remedy the injury if the claims are proven successful.

This gives defendants some openings and counsels in favor of prudent data security management and

Continued on page 15

About the Author: As counsel at Foley Hoag in Boston, Christopher Hart's practice centers on three areas: civil commercial and business litigation, data privacy and cybersecurity, and representation of foreign sovereigns in U.S. courts and international tribunals. As an experienced litigator, Chris has represented Fortune 500 companies, start-up companies, individuals, and sovereign nations in a wide variety of contexts for over a decade.
