The last 12 months saw more than 1,100 reported data breaches, many of them large in terms of the number of impacted individuals and volume of data acquired.
Data breaches frequently make headlines and engender litigation brought by consumers and financial institutions, as well as regulatory enforcement actions.
As we move into the second quarter of this year, we can expect that not only will data breaches remain a common occurrence, but the scale of litigation and regulatory investigations directed towards data security will continue to expand.
Here, we highlight four trends that could impact data breach litigation in the coming months.
The Circuit Split on Standing Will Likely Continue
The first order of business in any data breach litigation is assessing the plaintiffs’ standing. In recent years, a consensus has been growing among federal courts that plaintiffs alleging actual fraud—e.g., account fraud or identity theft—satisfy the “injury in fact” requirement for standing. But courts have split on whether a plaintiff who has not suffered fraud establishes standing—e.g., by alleging only a “substantial risk” of future harm.
The Second, Third, and Fourth Circuits have rejected the idea that a data breach victim who has not suffered fraud can proceed with a claim based solely on allegations of a heightened risk of identity theft or prophylactic measures taken to combat that risk.
But in certain circumstances the Sixth, Seventh, Ninth, and D.C. Circuits have found standing based on allegations of a substantial risk of future injury. Other circuits have yet to reach the issue, instead analyzing standing based on the facts of each case.
The U.S. Supreme Court had the opportunity to clarify the law on data breach standing in 2018 but declined to do so. The defendants in Attias v. Carefirst, Inc.—a case where the D.C. Circuit had held that the plaintiffs’ allegations that a data breach had “exposed them to a heightened risk of identity theft” were sufficient to confer standing—petitioned the Supreme Court for review.
Carefirst relied on the above-noted circuit split, citing “growing uncertainty as to what is required to plead an injury in fact.” The Supreme Court denied review, however. Data breach litigants were thus left with continuing uncertainty.
Consumer Data Breach Class Action Settlements Will Likely Continue
Some of the most noteworthy data breach litigation developments in 2018 were large consumer class action settlements. This trend will likely continue, at least until the courts or legislatures provide more clarity.
Two significant settlements in 2018 were in the Wendy’s and Anthem consumer class actions.
In July 2018, Wendy’s settled with the consumer plaintiffs in Torres v. Wendy’s International, LLC, Case No. 6:16-cv-210-PGB-DCI (M.D. Fla.), a class action arising out of the hacking of point-of-sale systems that the restaurant chain announced in early 2016.
Notably, the $3.4 million settlement will provide impacted consumers with up to $5,000 for out-of-pocket losses—one of the largest per-consumer financial benefits ever to be included in a data breach settlement. The settlement came after the court dismissed plaintiffs’ claims on two separate occasions before holding that an amended complaint could proceed.
In August 2018, Judge Lucy Koh of the Northern District of California approved a $115 million settlement in the Anthem data breach MDL, which centralized claims of consumers whose personal information was stolen in the 2015 breach of the health insurer. In contrast, Judge Koh rejected a proposed $50 million settlement in the Yahoo data breach MDL, finding that the proposal failed to adequately disclose the size of the settlement fund or settlement class.
Financial Institution Plaintiffs Will Likely Face Difficulties
Financial-institution plaintiffs suffered a setback last year with the Seventh Circuit’s decision in Community Bank of Trenton v. Schnuck Markets, Inc. There, financial-institution plaintiffs alleged that Schnuck Markets negligently allowed hackers to steal payment card data for 2.4 million cards and that impacted cards were used in fraudulent transactions “around the globe.”
The Seventh Circuit nonetheless affirmed the dismissal of the complaint, reasoning that tort law “did not recognize a ‘remedy to card-holders’ banks against a retail merchant who suffered a data breach, above and beyond the remedies provided by the network of contracts that link merchants, card-processors, banks, and card brands to enable electronic card payments.”
The Court explained that under the economic-loss doctrine, courts should “refuse to recognize tort liabilities for purely economic losses inflicted by one business on another where those businesses have already ordered their duties, rights, and remedies by contract.”
It remains to be seen whether Schnuck Markets will gain traction outside the Seventh Circuit, but no court has rejected the Seventh Circuit’s reasoning and one district court has relied on Schnuck Markets to dismiss financial institutions’ claims. If broadly applied, Schnuck Markets could all but end data breach lawsuits brought by financial institutions.
Regulatory Enforcement Actions are Likely to Continue
Regulators often bring enforcement actions against companies that suffer data breaches. Under the FTC Act, the FTC has asserted broad authority to initiate enforcement actions based on companies’ alleged failure to safeguard personal information and related deceptive practices.
In 2018, for example, the FTC approved a settlement with Uber regarding allegations that the ride-share company deceived riders about how it handles personal information. The settlement requires Uber to implement a privacy program and obtain regular privacy assessments.
Further, while the FTC suffered a setback in LabMD, Inc. v. Federal Trade Commission when the Eleventh Circuit ruled that an FTC cease-and-desist order issued to LabMD following a data breach was insufficiently specific, that narrow holding is unlikely to slow the pace of FTC enforcement actions.
Meanwhile, state attorneys general frequently investigate data breaches to determine whether a company violated unfair-and-deceptive-trade-practices laws and statutory requirements for notifying consumers following a breach. In large data breaches, state AGs may form a multistate attorneys general (MSAG) group to conduct a joint investigation and seek a consolidated settlement. In September 2018, a 50-state MSAG group announced a record settlement of $148 million with Uber.
David Balser is a partner at King & Spalding and specializes in trying high-stakes business cases for Fortune 500 companies and other leading businesses in state and federal courts throughout the country.
Phyllis Sumner is a partner at King & Spalding and is the firm’s Chief Privacy Officer.
Stewart Haskins is a partner at King & Spalding and specializes in defending class actions and other complex commercial litigation, particularly cases involving consumers and data privacy issues.
John Toro is a partner at King & Spalding and litigates complex commercial disputes on behalf of his clients.