Lightning may not strike twice in the same place, but the same cannot be said of class action lawsuits.<\/p>\n
For this reason companies caught in class actions stemming from data breaches would do well to consider the precedents they could set by agreeing to over-generous terms.<\/p>\n
The good news for defendants is that the hurdles plaintiffs must surmount to bring a case to trial are significant. Numerous lawsuits have been dismissed on the grounds that the plaintiffs failed to show that they were harmed by a data breach.<\/p>\n
One such case occurred last year and is worth reading for the clarity with which Judge James E. Boasberg of the U.S. District Court for the District of Columbia analyzes the \u201cthorny … issues regarding when, exactly, the loss or theft of something as abstract as data becomes a concrete injury.\u201d<\/p>\n
The case involved data tapes, among other items, stolen from a car parked in a San Antonio garage in September 2011. The car was owned by an employee of information technology company Science Applications International Corp., which handles data for the federal government. The tapes contained personal information and medical records relating to 4.7 million members of the U.S. military and their families enrolled in Tricare, the armed forces health care program.<\/p>\n
There is no question that the loss of the data was embarrassing. According to letters mailed to affected service members by SAIC in November 2011, it included names, Social Security numbers, addresses, dates of birth and phone numbers, as well as a variety of medical information. It did not, however, include any financial data. Moreover, SAIC considered that the chance of the data being accessed by the thieves or any other unauthorized party was low because to do so would require \u201cspecific hardware and software.\u201d<\/p>\n
Numerous individuals sued, and their lawsuits were consolidated into a single action. SAIC and three government defendants \u2014 Tricare, the U.S. Department of Defense and its then-secretary, Chuck Hagel \u2014 sought to dismiss the complaint on the grounds that the plaintiffs could show no injury based on the data breach and therefore lacked standing to sue in federal court.<\/p>\n
The key question then addressed by the court was whether, as alleged by the plaintiffs, the mere fact that their data had been stolen constituted \u201ca distinct and palpable harm.\u201d A number of the plaintiffs also claimed that the time and money they had spent checking their credit (though SAIC had offered them free credit monitoring) and talking to their banks should be compensable.<\/p>\n
In his ruling, Judge Boasberg gave these arguments short shrift, citing a variety of court opinions, including a U.S. Supreme Court decision in\u00a0Clapper v. Amnesty International USA<\/em>\u00a0in 2013, that supported the view that a threatened injury must be \u201ccertainly impending\u201d to afford plaintiffs standing to sue. If those caught up in a data breach, or any untoward event, were so alarmed that they spent time and money to protect themselves from potential harm, that would not, in itself, give them standing. In the trenchant language of the Supreme Court: \u201c(R)espondents cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.\u201d<\/p>\n The plaintiffs’ attorneys shot back that, due to the data breach, their clients were 9.5 times more likely than the average person to become victims of identity theft. But Judge Boasberg was unmoved. A heightened risk of identity theft, he said, is not the same as a harm that is \u201ccertainly impending\u201d \u2014 the litmus test endorsed by the Supreme Court.<\/p>\n This was not quite the end of the story. The Supreme Court had also acknowledged that it had sometimes \u201cfound standing based on a “substantial risk’ that harm will occur,\u201d prompting plaintiffs to \u201creasonably incur costs to mitigate or avoid that harm.\u201d But Judge Boasberg concluded that the plaintiffs in the SAIC litigation did not clear that hurdle either.<\/p>\n