Bloomberg Law
Free Newsletter Sign Up
Bloomberg Law
Welcome
Go
Free Newsletter Sign Up

ANALYSIS: Breach Damages Fight Goes On, Except for CCPA Suits

Nov. 4, 2019, 11:21 AM

Data privacy litigators have clashed over one question above all others in 2019: Does a consumer suffer a legally cognizable harm once a data breach occurs, or does the harm—and the resulting damages—kick in only after the consumer suffers an adverse effect of that breach?

It’s an issue that will remain contentious in 2020 in both federal and state courts—except when the plaintiffs are California residents.

Standing Battles Continue

At the federal level, U.S. Circuit Courts are split on whether a consumer whose data has been exposed, but has not yet been the subject of fraudulent activity, has constitutional standing to sue in the wake of a data breach.

Plaintiffs have been arguing for years that there’s already enough harm—from both the heightened risk of post-breach identity theft and the cost of taking identity protection measures to avoid such crimes—to qualify a data breach as an injury-in-fact. Thus far, the Sixth, Seventh, Ninth and D.C. Circuits have agreed with such plaintiffs, while the Second, Fourth and Eighth Circuits generally have not. The Third Circuit has straddled the issue.

Until the U.S. Supreme Court weighs in or Congress answers the growing calls for federal privacy legislation, standing battles will likely continue.

Duels on Damages

Some defendants, on the other hand, have tried to get cases dismissed by arguing that plaintiffs failed to allege “actual damages.” Rather than focus on the injury-in-fact threshold required for standing, which some courts view as a lower bar to meet, defendants have had some success focusing on actual damages as a required element of a claim.

In early 2019, for example, the D.C. District Court dismissed, for a second time, all of the claims that alleged only future harm on the grounds that those plaintiffs failed to identify the actual damages to support the relevant claims. (An appeal on the damages dismissal is currently pending.)

Defendants are likely to take notice of this strategy, and may increasingly focus on it in the coming year.

California Flips the Script

Similar debates also are percolating at the state court level, including the supreme courts of Georgia and Illinois.

But in California, where the California Consumer Privacy Act (CCPA) goes into effect Jan. 1, privacy-related litigation is expected to surge in 2020.

That’s because the CCPA establishes a private right of action for California residents for breaches arising from a business’s failure to implement and maintain “reasonable security measures” and “cure” an alleged violation, even if the consumer is not harmed by the disclosure.

Under this action, a California consumer can recover the greater of $100 – $750 per incident or actual damages, statutorily bypassing the lack-of-standing fight and limiting damages-related defense strategies.

Because data breaches can involve millions of individuals, and each individual can collect statutory damages, the enormous potential payouts under the CCPA will likely draw a huge increase in class action filings.

But businesses are unlikely to go down without a fight in 2020. Some defendants may argue that California’s law is unconstitutionally vague and doesn’t comport with due process because it does not define “reasonable security measures,” nor what qualifies as a “cure.” Others may argue that their organization is not covered under the law’s definition of “business.”

Defendants may also argue that consumers’ claims are subject to binding arbitration. The law can be read as prohibiting arbitration clauses and class action waivers, but defendants can point to a growing number of U.S. Supreme Court cases that enforce arbitration agreements and class action waivers, arguing that the Federal Arbitration Act preempts the CCPA.

The CCPA authorizes California’s Attorney General to begin enforcing the statute in mid-2020. So there’s not much time before businesses subject to a data breach may begin to face both private and public actions.

Read about other trends our analysts are following as part of our Bloomberg Law 2020 series.

With assistance from Mark Smith.