Lightning may not strike twice in the same place, but the same cannot be said of class action lawsuits.
For this reason companies caught in class actions stemming from data breaches would do well to consider the precedents they could set by agreeing to over-generous terms.
The good news for defendants is that the hurdles plaintiffs must surmount to bring a case to trial are significant. Numerous lawsuits have been dismissed on the grounds that the plaintiffs failed to show that they were harmed by a data breach.
One such case occurred last year and is worth reading for the clarity with which Judge James E. Boasberg of the U.S. District Court for the District of Columbia analyzes the “thorny … issues regarding when, exactly, the loss or theft of something as abstract as data becomes a concrete injury.”
The case involved data tapes, among other items, stolen from a car parked in a San Antonio garage in September 2011. The car was owned by an employee of information technology company Science Applications International Corp., which handles data for the federal government. The tapes contained personal information and medical records relating to 4.7 million members of the U.S. military and their families enrolled in Tricare, the armed forces health care program.
There is no question that the loss of the data was embarrassing. According to letters mailed to affected service members by SAIC in November 2011, it included names, Social Security numbers, addresses, dates of birth and phone numbers, as well as a variety of medical information. It did not, however, include any financial data. Moreover, SAIC considered that the chance of the data being accessed by the thieves or any other unauthorized party was low because to do so would require “specific hardware and software.”
Numerous individuals sued, and their lawsuits were consolidated into a single action. SAIC and three government defendants — Tricare, the U.S. Department of Defense and its then-secretary, Chuck Hagel — sought to dismiss the complaint on the grounds that the plaintiffs could show no injury based on the data breach and therefore lacked standing to sue in federal court.
The key question then addressed by the court was whether, as alleged by the plaintiffs, the mere fact that their data had been stolen constituted “a distinct and palpable harm.” A number of the plaintiffs also claimed that the time and money they had spent checking their credit (though SAIC had offered them free credit monitoring) and talking to their banks should be compensable.
In his ruling, Judge Boasberg gave these arguments short shrift, citing a variety of court opinions, including a U.S. Supreme Court decision in Clapper v. Amnesty International USA in 2013, that supported the view that a threatened injury must be “certainly impending” to afford plaintiffs standing to sue. If those caught up in a data breach, or any untoward event, were so alarmed that they spent time and money to protect themselves from potential harm, that would not, in itself, give them standing. In the trenchant language of the Supreme Court: “(R)espondents cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”
The plaintiffs’ attorneys shot back that, due to the data breach, their clients were 9.5 times more likely than the average person to become victims of identity theft. But Judge Boasberg was unmoved. A heightened risk of identity theft, he said, is not the same as a harm that is “certainly impending” — the litmus test endorsed by the Supreme Court.
This was not quite the end of the story. The Supreme Court had also acknowledged that it had sometimes “found standing based on a ‘substantial risk’ that harm will occur,” prompting plaintiffs to “reasonably incur costs to mitigate or avoid that harm.” But Judge Boasberg concluded that the plaintiffs in the SAIC litigation did not clear that hurdle either.
Read the full article on Business Insurance.