Data Breach Class Actions

Defeating Class Certification in Consumer Data Breach Class Actions Begins with Understanding How They Occur

Consumer data breach class actions, for all of their popularity on dockets and especially in headlines, can make difficult cases for plaintiffs. Issues like standing and damages often keep these cases from getting off the ground (as we have discussed previously), but we see far larger predominance problems looming for plaintiffs—chiefly in the area of causation. Companies in 2018 know how difficult a data breach can be to prevent, detect, and fix. These same difficulties can also flummox plaintiffs trying to sue companies in the wake of a data breach.

Consumer data breach cases, particularly those resulting from large breaches, involve a complex chain of independent actors. Take a payment card attack such as the one that occurred at Target in 2013. Through a virus sent by email to a vendor that had access to Target’s store-level computer network, hackers installed a program on virtually all of Target’s point-of-sale consoles that customers use to swipe their payment cards. That program copied information from the card—things such as the card number, expiration date, and CCV codes—and stored it on Target’s network. Then, the program sent the copied data through a chain of servers in different jurisdictions to the hackers. The hackers (or others who had purchased information from the hackers) were then able to sell the payment card data on the so-called “dark web.” A prospective purchaser would buy card information and have it printed on a counterfeit card, which could then be used to make purchases. Thieves obtained stolen information on 40 million payment cards using this method without ever necessarily setting foot in a Target store.

But hackers can use several other methods as well. A local thief can install a “skimmer” device that copies data from payment cards. These devices are often installed on gas pumps or ATMs. A single rogue employee could copy information from a business’ customers’ cards, or the employee could steal information from the business records (paper or electronic). Hackers can also attack other parts of the payment card infrastructure, such as payment card processors or issuing banks. Online stores can be hacked directly, and hackers can also obtain payment card data by accessing a consumer’s computer and stealing information stored on it. The personal data stolen from Equifax would allow criminals to open fraudulent payment card accounts. If these weren’t enough, a deft pickpocket can still steal a physical card.

While these various kinds of attacks can be prevented or interrupted, most of these breaches and thefts remain secret until fraudulent cards appear on the market or a pattern of fraudulent charges begins. Once fraudulent cards or charges appear, banks, processors, or the card associations (such as Visa and MasterCard) can look for common characteristics in the fraudulent charges: Did the customers all shop at a particular merchant at a particular time? Was the customers’ data routed through a common processor that could have been hacked? Are the fraudulent cards being used in one geographical area, or are they dispersed throughout the country? Are the fraudulent cards being used exclusively online? The answers to these questions allow industry and government investigators to narrow the list of possible causes of the breach.
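The common-characteristics review described above, as an added example that is not from the post: a small common-point-of-purchase analysis over constructed card-history data. It ranks merchants by how many reported-fraud cards transacted there in the window, and then lists the fraud cards whose purchase history fits more than one candidate merchant, which is exactly where attribution to a single breach breaks down. All card ids, merchant names and dates are constructed.

```python
from collections import defaultdict
from datetime import date

# Constructed sample data (not from the post): one purchase per tuple,
# (card_id, merchant, purchase_date). "c" cards were later reported as
# fraud victims; "n" cards were not.
PURCHASES = [
    ("c1", "GroceryA", date(2018, 1, 3)),  ("c1", "GasB", date(2018, 1, 5)),
    ("c2", "GroceryA", date(2018, 1, 4)),  ("c2", "GasB", date(2018, 1, 9)),
    ("c3", "GroceryA", date(2018, 1, 8)),  ("c3", "BookD", date(2017, 12, 15)),
    ("c4", "GroceryA", date(2018, 1, 12)), ("c4", "CafeC", date(2018, 1, 14)),
    ("c5", "GasB", date(2018, 1, 20)),
    ("c6", "CafeC", date(2018, 1, 22)),    ("c6", "BookD", date(2018, 1, 23)),
    ("n1", "GroceryA", date(2018, 1, 6)),  ("n2", "GroceryA", date(2018, 1, 7)),
    ("n3", "GasB", date(2018, 1, 11)),     ("n4", "CafeC", date(2018, 1, 15)),
    ("n5", "BookD", date(2018, 1, 16)),    ("n5", "CafeC", date(2018, 1, 17)),
]
FRAUD_CARDS = {"c1", "c2", "c3", "c4", "c5", "c6"}
WINDOW = (date(2018, 1, 1), date(2018, 1, 31))  # suspected exposure window


def cards_by_merchant(purchases, window):
    """Map each merchant to the set of cards that transacted there inside the window."""
    start, end = window
    seen = defaultdict(set)
    for card, merchant, day in purchases:
        if start <= day <= end:
            seen[merchant].add(card)
    return seen


def common_points_of_purchase(purchases, fraud_cards, window, min_fraud_cards=2):
    """Rank merchants by how many reported-fraud cards they saw in the window.

    Returns (merchant, fraud_cards_seen, total_cards_seen, fraud_share),
    most fraud cards first. A merchant seen by fewer than min_fraud_cards
    fraud cards is dropped as noise: a single victim proves nothing.
    """
    ranked = []
    for merchant, cards in cards_by_merchant(purchases, window).items():
        fraud = cards & fraud_cards
        if len(fraud) >= min_fraud_cards:
            ranked.append((merchant, len(fraud), len(cards),
                           round(len(fraud) / len(cards), 3)))
    ranked.sort(key=lambda r: (-r[1], -r[3], r[0]))
    return ranked


def ambiguous_attributions(purchases, fraud_cards, window, candidates):
    """Fraud cards that transacted at two or more candidate merchants.

    For these cards, purchase history alone cannot single out one merchant
    as the source of the compromise.
    """
    seen = cards_by_merchant(purchases, window)
    hits = defaultdict(set)
    for merchant in candidates:
        for card in seen.get(merchant, set()) & fraud_cards:
            hits[card].add(merchant)
    return {card: sorted(ms) for card, ms in hits.items() if len(ms) > 1}


if __name__ == "__main__":
    ranking = common_points_of_purchase(PURCHASES, FRAUD_CARDS, WINDOW)
    for merchant, fraud, total, share in ranking:
        print(f"{merchant:10} fraud cards {fraud}/{total} ({share:.0%})")
    candidates = [m for m, *_ in ranking]
    print("ambiguous:", ambiguous_attributions(PURCHASES, FRAUD_CARDS, WINDOW, candidates))
```

In the constructed data GroceryA explains the most fraud cards while GasB has the higher fraud share, and three of the six fraud cards visited both, so neither merchant can be named as the cause on this evidence alone.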

Further complicating matters, stolen information or cards can be sold and resold on the black market before appearing in commerce. While thieves usually try to move quickly before the cards are cancelled, some thieves are sophisticated enough to balance speed with avoiding detection—they know a spike in fraud might trigger an investigation.

At first blush, the investigation of a data breach sounds much like how the CDC might go about tracking a salmonella outbreak to a particular food item. This analogy is attractive, but ultimately unsatisfactory for a few reasons:

  • For one thing, there are too many overlapping breaches to draw neat causal lines. Because criminals prefer to remain anonymous, and companies suffering hacks are not anxious to publicize them, accurate records of data breaches are hard to obtain. But one estimate we reviewed suggested that there were nearly 180 million records at risk in known data breaches in 2017 alone. In other words, we know thieves stole more than one record for every two people in the United States in a single year. And that number does not include the three billion records stolen from Yahoo! across several years, or the nearly limitless number of records made vulnerable through the Heartbleed bug. This constant flow of breaches and thefts results in a constant flow of fraud. Large breaches cause fraud to spike, but accurately tying a particular instance of fraud to a particular breach is very difficult.
  • While a patient suffering a medical condition will seek help, a data breach victim might not even know he or she has been affected. A payment card breach can lie dormant for a long time. Not only do thieves strategically time their use of stolen payment card information, they also use other personal information (such as Social Security numbers or access to an email account) to perpetrate fraud months or years later.
  • Unlike disease-causing germs, criminal hackers actively avoid detection. Intrusions, data exports, and data transfers are all done with maximum secrecy. Moreover, a computerized attack can come from anywhere in the world through a lengthy chain of anonymized servers in different jurisdictions.

The complexity of tying a particular breach to a particular instance of fraud has led leading security journalist Brian Krebs to write, “All that said, it’s really not worth it to spend time worrying about where your card number may have been breached, since it’s almost always impossible to say for sure and because it’s common for the same card to be breached at multiple establishments during the same time period.” Finding the actual perpetrators of a breach will often be impossible, and in the present technological and legal environment, plaintiffs almost universally resort to circumstantial proof.

A company that is a victim of a data breach should be aware of these complex problems in defending against class claims. Consider a traditional negligence claim, which requires the plaintiff to prove that a breach of duty proximately caused the plaintiff’s injury. Plaintiffs often assert that any fraud happening after a breach happened because of the breach, but that conclusion is not only a logical fallacy, it should be legally insufficient. And chances are that a particular card has been the subject of more than one breach.

The Eleventh Circuit hinted at how important information about other causes can be in a data breach case. In Resnik v. AvMed, Inc., the court reversed dismissal of a complaint alleging that the plaintiffs suffered identity theft after a laptop with their personal information was stolen. The plaintiffs in that case had extensively alleged that they took a wide range of preventative measures to keep their identities safe. These allegations were taken as true for purposes of the appeal and “[h]ad Plaintiffs alleged fewer facts, we doubt whether the Complaint could have survived a motion to dismiss.” The Middle District of Alabama expanded on the Eleventh Circuit’s discussion in Smith v. Triad of Alabama, LLC, where (even though it certified a class), the court recognized that proving causation “may require a review of any prior thefts of each class member’s identity” and would involve member-by-member mini-trials.

As more data breach cases are filed—and especially as more of them get to the summary judgment and trial phases of litigation—plaintiffs’ theories will mature. In the meantime, however, companies should seek to understand the complex chain of events that occurs before, during, and after a data breach. Not only will this information help companies secure their own systems against a breach, but it will also guide them in developing a strategy to oppose class certification. The plaintiff’s discovery efforts will be driven towards showing that the breach had a simple cause and had relatively uniform effects on a homogeneous population of class members. To counter this narrative, companies must identify and discover variations within the plaintiff’s proposed class. Instead of automatically adopting a passive, defensive posture, companies should consider being more aggressive in developing a counter-narrative. In appropriate circumstances, this could include investigation into preventive measures the named plaintiffs did or didn’t take with regard to their information or data, other data breaches occurring at roughly the same time as the subject breach, and whether plaintiffs’ or class members’ data might have been exposed to multiple unrelated breaches.

Such strategies may even prove helpful in those jurisdictions (such as the Seventh and Ninth Circuits) that have found standing in data breach cases where plaintiffs’ stolen information has not actually been used, but is alleged to create increased risk of identity theft alone (see our post on that subject). While pointing out factual complexities of the breach and other contemporaneous but unrelated breaches might not suffice to defeat Article III standing, such proof could well be beneficial in showing that common factual issues do not predominate and that individualized proof will be necessary. The proven prospect of thousands of mini-trials on causation and damage might give even a class-friendly judge pause.

Courts are still figuring out how consumer data breach cases fit into traditional tort categories. The theories asserted and damage items claimed in data breach cases are always changing, and that trend should continue. An effective defense strategy in this environment requires staying on top of the evolving ways in which criminals are stealing, selling, and using data.

The Economic Loss Doctrine as a Barrier to Data Breach Recovery

We recently commented on one hotly contested legal issue being addressed by the courts in data breach class action litigation, that of plaintiffs’ standing. Another issue that has been the subject of recent court activity in class cases is that of the economic loss doctrine: Can a data breach plaintiff in a contractual relationship with the data breach defendant recover under a negligence or other tort theory, or are its remedies confined to the contract? The issue of course does not arise in situations where the data breach plaintiff is not in contractual privity with the data breach defendant. But in other cases – in particular, cases involving compromised credit card data brought by the financial institutions that issued the cards against merchants who are part of the same payment card network – the issue is very much a live one.

In Community Bank of Trenton v. Schnuck Markets, Inc., the Seventh Circuit considered the application of the economic loss doctrine in this context. The court ultimately dismissed the suit, holding under both Illinois and Missouri law that merchants, card processors and banks voluntarily linked in a card payment system—a network of contracts that expressly allocates risk and defines remedies for data breach incidents—could not sue their card payment partners in tort.

Background

A 2012 data breach led to the compromise of over 2.4 million credit and debit cards, affecting nearly 80 percent of Schnuck’s Midwestern supermarkets. Plaintiffs subsequently brought suit, asserting common law claims under theories of negligence, contract, and other consumer protection laws. Affected customers brought a class suit, but they were not alone: Financial institutions that were exposed to the expense of issuing new cards to customers and reimbursing the costs associated with the hacker’s account fraud also sued the supermarket chain.

Schnuck, the aggrieved financial institutions, and the card processors are all linked through a system of contracts that help streamline consumer payment transactions. Within those contracts, and as part of the bargain, the agreeing parties voluntarily assume some liabilities and voluntarily limit their contractual remedies and recovery. Of note, participants must adhere to the PCI DSS—Payment Card Industry Data Security Standards. As part of that, participants agree to a sharing of the expenses of a network data breach. Based on the cost-sharing provision, Schnuck faced over $1 million in reimbursement fees, which would have then been apportioned throughout the network.

The Seventh Circuit had to determine how best to interpret and apply the economic loss doctrine, and whether Illinois or Missouri laws offered the banks additional remedies beyond those stipulated in the contract. The complaining banks brought negligence claims and alleged that they had been exposed to millions in damages, such as employee time, customer reimbursements, and transaction fees. The payment card agreements’ remedies did not cover the full amount of these losses. The Seventh Circuit, noting that the banks and Schnuck were linked through the payment system, held that the allegation of contractually uncovered losses was insufficient to allow the banks to recover beyond the amounts provided in their “network of contracts.” The banks thus could not escape the contractual limitations on their recovery by suing in tort.

The court reiterated that state courts typically decline to impose tort liability in instances where one business inflicts purely economic loss on another and their interactions are governed by contract. In making this distinction, the court then turned to the issue of duty, stating that neither Illinois nor Missouri would impose a common law data security duty upon Schnuck. The court systematically dismissed the banks’ remaining common law claims for similar reasons, concluding that the contracts signed by the participating institutions governed all rights and remedies as between the parties.

The banks attempted to argue that they were not in privity with Schnuck, thus making the economic loss doctrine inapplicable. The court disagreed, however, pointing again to the voluntary nature of the payment network system and the parties’ conscious choice to participate in the system—a system with written rules and procedures governing all participants—with both its benefits and allocated risks.

Looking Forward

The Seventh Circuit’s dismissal of the banks’ claims in Schnuck teaches that financial institutions, despite the obvious costs they incur on the back end of data breaches, cannot expect extra judicial help in the realm of recovery beyond the contractual terms to which they agreed in issuing payment cards. Sophisticated plaintiffs that had opportunities to negotiate and contract for their share of the risk and liability prior to data breach incidents will not likely be permitted to reapportion such risks through tort claims after a breach has occurred.

While this summary focuses primarily on the economic loss doctrine, another holding is worth noting: Schnuck offers support for the proposition that merchants have no common law duty to protect data. It remains to be seen whether this state law holding will be confined to scenarios where merchants have expressly negotiated to allocate the risk of a breach. In any event, however, statutory and contractual duties will often still exist, and we would not expect the pure “no duty” position to gain quick acceptance across the country, as it has far-reaching implications for all data breach cases.

Two More Circuits Find Data Breach Standing without Proof that Plaintiffs’ Data Was Misused

Data breaches have become commonplace. Despite the best efforts of many, identity thieves and hackers always seem to find a new vulnerability somewhere in the system of virtually every company that conducts business online. And, as the recent Facebook debacle reveals, sometimes data is even shared with legitimate third parties in ways customers neither realized nor anticipated.

The Battle for Standing

Standing is a hotly contested battleground when a data breach spawns class action litigation. After all, we regularly give our credit cards to waiters and store clerks; we regularly publicize our email addresses in all sorts of unsecure ways; and much of our other personal information is readily available in one public forum or another. In all likelihood, after years of recurring data breaches, each of us has probably had our personal information exposed in more than one of these privacy incidents. So, why should the compromise of personally identifiable information absent misuse of that data traceable to a specific breach confer standing on anyone to sue any particular data breach defendant?

Courts have struggled with this issue over the years. On the one hand, Article III requires concrete actual injury or at least impending actual injury in order for a plaintiff to have standing to invoke federal jurisdiction. On the other hand, though, there is a growing concern in America that those who collect customer data should pay a price for not properly safeguarding it.

These tensions are reflected in a wide variety of standing decisions in the data breach context. Some courts (see decisions in Reilly v. Ceridian and Beck, et al. v. McDonald, et al.) have taken a dim view of the threat of future harm, i.e., an increased likelihood of future identity theft, as a proffered basis of Article III standing. Others (see decision in In re SuperValu, Inc. Customer Data Security Breach Litigation) have questioned the basis for standing where breaches only involve credit card information, but not enough information for bad actors to open new credit accounts. Still, other courts have bent over backwards to find standing in the data breach context, arguing that time spent protecting oneself from a data breach (see Galaria/Hancox v. Nationwide Mut. Ins. Co.) or even the increased likelihood of data misuse (see Attias v. CareFirst, Inc.) is enough to confer Article III standing. Earlier this year, the Supreme Court declined to still the waters, denying CareFirst’s cert petition challenging the D.C. Circuit’s conclusion that fear of future data misuse was enough to confer standing, despite clear circuit splits over that analysis.

So, the lower court disarray over standing continues to fester. In recent days, two more circuits have joined the side of class action plaintiffs in finding standing without data misuse.

The Ninth Circuit

The Ninth Circuit, in In re Zappos.com, found sufficient standing where plaintiffs’ allegations were based on an “increased risk of identity theft.” In early 2012, the servers of an online retailer were breached. During the breach, the personal information—names, account numbers, passwords, credit card information, etc.—of over 24 million customers was compromised. Several of the affected customers filed class actions, which were consolidated at the pretrial proceedings stage. Specifically, the plaintiffs involved with the recent ruling did not allege that they experienced any kind of financial loss from identity theft. Initially, the trial court dismissed the plaintiffs’ claim for lack of Article III standing. On appeal, the Ninth Circuit was tasked with deciding whether plaintiffs had standing based on the alleged risk of future harm.

Previously, the Ninth Circuit handled Article III standing of victims of data theft (see Krottner v. Starbucks Corp.). There, a laptop containing the personal information of almost 100,000 employees was stolen. Some of the affected employees sued, alleging that their harm was an “increased risk of future identity theft.” The Ninth Circuit held that the increased risk was enough to merit standing, finding that plaintiffs had “alleged a credible threat of real and immediate harm” due to the theft of the laptop containing their personally identifiable information.

In Zappos.com, the retailer asserted that the Supreme Court’s latest finding (see Clapper v. Amnesty International USA) meant that Krottner was inapplicable to the case at hand. The Clapper plaintiffs had argued that, for Article III standing, it was enough to allege that “there [was] an objectively reasonable likelihood that their communications [would] be acquired ‘at some point in the future.’” The Supreme Court ruled that “an objectively reasonable likelihood” of injury was insufficient where the plaintiffs’ argument depended on a series of inferences that was “too speculative” to comprise a cognizable injury. In Krottner, unlike Clapper, no speculation was needed where the laptop thief already had all the information necessary to open accounts and cause financial harm to plaintiffs.

Accordingly, the Ninth Circuit, having decided that Krottner and Clapper were not irreconcilable, concluded that Krottner was applicable to the Zappos plaintiffs’ claims. The Zappos plaintiffs alleged both that the compromised information could be used to commit identity theft and that their credit card numbers had been breached, leading the Ninth Circuit to find that bad actors could immediately cause plaintiffs harm. The court also pointed to other plaintiffs within the case who had already suffered identity theft as a result of the breach. The court determined that the Zappos plaintiffs sufficiently alleged an injury in fact under Krottner.

The court assessed the remaining Article III requirements: whether the alleged risk of future harm is “fairly traceable” to the conduct challenged, and whether the injury will be redressed by the litigation. Relying on a case (see Remijas v. Neiman Marcus Group, LLC) where the Seventh Circuit ruled “[t]he fact that some other store might [also] have caused the plaintiffs’ private information to be exposed does nothing to negate the plaintiffs’ standing to sue” and their injury was nonetheless “fairly traceable” to the defendant’s data breach, the Ninth Circuit determined that even if plaintiffs suffered identity theft caused by data stolen in other breaches, those compromises would not negate their standing to sue in the case at hand. Further, the court found that the risk of identity theft was redressable by relief that could be obtained through this litigation and compensation through damages. Consequently, the Ninth Circuit reversed the trial court’s judgment as to plaintiffs’ standing and remanded the case for further consideration.

The Seventh Circuit

Similarly, the Seventh Circuit has reinstated a data breach class action filed against Barnes & Noble (see Dieffenbach v. Barnes & Noble, Inc.). The case was previously dismissed—three times—by the U.S. District Court for the Northern District of Illinois for lack of standing.

In 2012, “skimmers” breached the payment terminals in B&N stores, siphoning off customer information, e.g., names, payment card numbers, PINs, etc. Customer card information was stolen from terminals in over 60 B&N stores. Following the breach, plaintiffs filed a putative class action alleging (1) breach of implied contract (to secure payment card data); (2) violation of the Illinois Consumer Fraud & Deceptive Practices Act (ICFA); (3) violation of the California Security Breach Notification Act (DBNA); and (4) violation of the California Unfair Competition Act (UCA). In 2013, the district court first dismissed plaintiffs’ complaint without prejudice for lack of standing, ruling that plaintiffs failed to allege pecuniary harm.

In 2016, B&N submitted a motion to dismiss the amended complaint. Before the motion was submitted, however, the Seventh Circuit decided Remijas. Despite Remijas, the district court again dismissed the complaint, noting that while plaintiffs could merit standing based on the risk of future identity theft, plaintiffs still failed to allege “cognizable damages.” In 2017, the same district court, albeit a different judge, dismissed plaintiffs’ second amended complaint, finding that plaintiffs had not alleged any economic harm as a result of the breach.

The Seventh Circuit vacated the district court’s dismissal, finding that plaintiffs’ second amended complaint satisfied pleading standards relative to the injuries alleged from the breach. The court explained that alleging injury-in-fact for standing also meets the requirement of alleging a cognizable injury and entitlement to damages. Further, the court noted that “the federal rules [of civil procedure] do not require plaintiffs to identify items of loss (except for special damages).” Specifically, Federal Rule of Civil Procedure 8(a)(3) does not require plaintiffs to allege the details of their injury, and Rule 54(c) entitles plaintiffs to any legally available relief, regardless of whether the relief is pled in the complaint.

The court then looked to the injuries alleged by plaintiffs—loss of access to personal funds, time spent with law enforcement and banking representatives, deactivation of cards, monthly charges for credit monitoring, etc.—determining that they were sufficient to meet the cognizable damages requirements under several of the plaintiffs’ claims.

Looking Forward

It appears that a new trend is emerging at least in some of the more class-friendly circuits: finding standing in data breach class actions despite the absence of actual financial harm suffered by the plaintiffs. Likely, courts are attempting to respond to the proliferation of larger, more costly data breaches, as well as to a paradigmatic shift in sensitivity and senses of ownership over individual data. Regardless of the reasoning, it is evident that more and more plaintiffs’ counsel in data breach suits will bring their actions in these more favorable venues so as to be more assured of surviving standing inquiries. Businesses need to consider how best to prepare themselves for more vigorous, involved litigation in the data breach context. This includes planning for data breach litigation long before the data breach hits. Businesses should start by identifying and retaining knowledgeable, reliable outside data breach counsel, working with counsel to identify and retain reliable outside data breach response vendors, and doing all of that in coordination with their cyber liability insurance carriers. Those who lack cyber liability coverage should look into the coverage currently available, as this is more of a buyer’s market than it once was. Data breaches are interdisciplinary; they require a comprehensive team of legal, forensic, technological, and marketing professionals to fully and accurately assess, respond to, and ultimately remediate the damage done. Businesses cannot afford to wait until after a breach has occurred to assemble their response teams. The cost of procrastination is simply too high.