For good reason, businesses pay close attention to the FTC's statements about data security. After all, the FTC is, by far, the leading regulator when it comes to data security. However, businesses are just as concerned about the threat of class action litigation arising from data breaches and other cybersecurity incidents. Using centuries-old common law claims such as negligence, misrepresentation, and breach of contract – as well as private actions available under some state consumer protection statutes – plaintiffs' lawyers are increasingly seeking large damages from companies that they argue failed to adequately safeguard customer data. Indeed, after high-profile data breaches, it is common to see plaintiffs' lawyers battle to represent the class of individuals whose data was exposed (entitling the lawyers to a rather hefty fee if they prevail).
To understand the concepts in this chapter, it is helpful to briefly review the key procedural stages of civil lawsuits. Civil litigation in U.S. federal courts begins with the filing of a complaint, in which the plaintiffs provide a short and plain statement of the facts of their lawsuit, and describe why the defendant's actions violated either a common-law cause of action (e.g., negligence or breach of contract) or a statute (e.g., a state consumer protection law). The defendant then has a chance to file a motion to dismiss, in which the defendant argues that even if all of the facts in the complaint were true, the plaintiff does not state a viable legal claim. Even if a defendant has a strong argument, it may not succeed on a motion to dismiss because, at that stage, the judge must accept all facts as pleaded by the plaintiff, and the defendant does not have the opportunity to present its own evidence. If a judge does not grant a motion to dismiss, the case will proceed to discovery, in which both parties will have the opportunity to request relevant information from each other and third parties through document requests, interrogatories, and depositions. After discovery, either party may file for a motion for summary judgment, in which they present evidence gathered in discovery to the judge, and argue that, even when viewing the evidence in the light most favorable to the other party, no reasonable jury would find in favor of the opponent. Typically in breach cases, the defendant moves for summary judgment. If the judge does not grant summary judgment, the case proceeds to trial. Quite often, parties in data breach cases reach a settlement after a ruling on a motion to dismiss or summary judgment motion but before trial.
Although data breach lawsuits commonly are brought by consumers, businesses that suffer breaches face other potential plaintiffs. Often, banks that provide or process credit card payments will sue retailers for failing to adhere to payment card industry data security standards.
Fortunately, for companies, there are a number of legal obstacles to plaintiffs in class-action lawsuits that arise after data breaches. In short, plaintiffs often have a difficult time demonstrating that they actually have suffered damage that entitles them to compensation by the company that failed to safeguard their personal data. As we demonstrate below, customers who have suffered a concrete harm – such as identity theft – are more likely to prevail than those who only can demonstrate that their data merely was stolen.
Before examining the specific types of lawsuits that companies could face for data breaches and inadequate data security, we first must consider whether the plaintiffs even have the constitutional right to sue. In many recent data breach cases, this has been among the primary barriers to private litigation.
Under Article III of the U.S. Constitution, federal courts only have jurisdiction over actual “cases” and “controversies.” More than four decades ago, the United States Supreme Court stated that “[n]o principle is more fundamental to the judiciary's proper role in our system of government than the constitutional limitation of federal-court jurisdiction to actual cases or controversies.”1
Among the most prominent requirements for demonstrating an Article III case or controversy is a concept known as “standing.” As the Supreme Court has stated, the inquiry into whether a plaintiff has standing “focuses on whether the plaintiff is the proper party to bring this suit … although that inquiry often turns on the nature and source of the claim asserted.”2
For a plaintiff to demonstrate that he or she has standing, the plaintiff “must allege personal injury fairly traceable to the defendant's allegedly unlawful conduct and likely to be redressed by the requested relief.”3 In other words, the plaintiff has the burden of demonstrating three separate prongs in order to prove standing: (1) that she has suffered an injury-in-fact, (2) that the injury-in-fact is fairly traceable to the defendant's unlawful conduct, and (3) that the injury is redressable by the requested relief.
Although courts allow plaintiffs to make general factual allegations to establish standing, their complaints still must “clearly and specifically set forth facts sufficient to satisfy” the standing requirement.4
The primary barrier to establishing standing in data breach cases is the requirement that the plaintiff demonstrate that he or she suffered an actual injury. Under this requirement, also known as the “injury-in-fact” requirement, the plaintiff must demonstrate “an invasion of a legally protected interest which is (a) concrete and particularized … and (b) actual or imminent, not conjectural or hypothetical.”5 Courts have held that mere “[a]llegations of possible future injury” are not sufficient to demonstrate the injury-in-fact that is necessary to establish Article III standing.6 A threatened injury may constitute an injury in fact, but only if it is “certainly impending.”7
Although the Supreme Court has ruled on the injury-in-fact standing requirement many times over the years, it has not issued any decisions in data breach litigation regarding Article III standing. Therefore, we do not know with certainty whether the Supreme Court would conclude that the mere possibility of identity theft after a data breach is sufficient to establish an injury-in-fact for Article III standing. However, two recent privacy-related Supreme Court opinions shed some light on the factors that the Supreme Court likely would consider if it were to hear a data breach case.
In 2016, the Supreme Court issued its opinion in Spokeo v. Robins,8 which many believed had the potential to completely change the landscape for standing in private litigation. However, the decision was fairly narrow and did not cause a major revolution in standing jurisprudence, perhaps because the Court was operating with only eight members, after the death of Justice Antonin Scalia. However, the Spokeo case is important because it provides some insight into the Supreme Court's overall thought process about standing in cases that do not clearly involve harm that has already occurred.
The case involved Spokeo, a website that provides detailed information about individuals, such as their home addresses, phone numbers, age, finances, and marital status. Spokeo is available to the general public. Plaintiff Thomas Robins alleged that an unidentified individual searched for Robins's name on Spokeo and obtained a profile that contained incorrect information about his family status, age, employment status, and education. He filed a class action lawsuit against Spokeo, alleging that the company violated the Fair Credit Reporting Act's requirements that consumer reporting agencies follow reasonable procedures to ensure the accuracy of their information and to limit the circumstances in which their reports are used for employment purposes. Spokeo moved to dismiss the lawsuit, arguing that Robins had not alleged an injury-in-fact, and the district court granted that motion. The U.S. Court of Appeals for the Ninth Circuit reversed the dismissal, concluding that Robins alleged that Spokeo violated his rights under the FCRA – not only the statutory rights of others, and that was sufficient to establish an injury-in-fact and standing.
The Supreme Court sent the case back to the Ninth Circuit for further analysis, concluding that the appellate court did not apply the proper test for standing. As discussed above, an injury-in-fact must be both (1) concrete and particularized, and (2) actual or imminent. The Supreme Court concluded that although the Ninth Circuit concluded that the alleged injury was particularized (i.e., that Robins claimed his statutory rights were violated), the Ninth Circuit failed to also consider whether the alleged injury was “concrete,” which the Supreme Court said is a separate inquiry from particularization. For an injury to be “concrete,” the Supreme Court ruled, it “must actually exist.”
In a partial victory for plaintiffs' lawyers, the Supreme Court in Spokeo said that “concreteness” does not necessarily require that an injury be tangible. For instance, the Court noted that violations of free speech or free exercise of religion may be sufficiently concrete to constitute injuries-in-fact. The Court also left open the door to the possibility of satisfying Article III's standing requirement with the allegation of a “risk-of-real-harm.”9
However, the Court in Spokeo indicated that there are some limits to this ruling. The Court concluded that an allegation of a “bare procedural violation,” without any further indication of harm, is not sufficiently concrete to constitute an injury-in-fact.10
Applying these principles to the dispute between Spokeo and Robins, the Supreme Court ordered the Ninth Circuit to analyze whether the violations of Robins's FCRA rights were sufficiently concrete. The Supreme Court indicated that such analysis could result in either dismissing the lawsuit or allowing it to proceed:
On the one hand, Congress plainly sought to curb the dissemination of false information by adopting procedures designed to decrease that risk. On the other hand, Robins cannot satisfy the demands of Article III by alleging a bare procedural violation. A violation of one of the FCRA's procedural requirements may result in no harm. For example, even if a consumer reporting agency fails to provide the required notice to a user of the agency's consumer information, that information regardless may be entirely accurate. In addition, not all inaccuracies cause harm or present any material risk of harm. An example that comes readily to mind is an incorrect zip code. It is difficult to imagine how the dissemination of an incorrect zip code, without more, could work any concrete harm.11
Another recent Supreme Court opinion to address standing and the injury-in-fact issue was Clapper v. Amnesty International USA,12 issued in 2013. In that case, a group of attorneys, media organizations, labor groups, and others that often communicate with individuals abroad filed a lawsuit against the federal government, challenging the Foreign Intelligence Surveillance Act, which allows surveillance of non-U.S. persons reasonably believed to be located abroad.13 At issue in this case was both the requirement that the plaintiffs allege an injury-in-fact and that they allege the injury was fairly traceable to the surveillance program.
The plaintiffs did not argue that the government actually intercepted their communications; rather, they argued that (1) there is a “reasonable likelihood” that the government will obtain their communications at some point, and (2) this risk is so great that they will be forced to “take costly and burdensome measures to protect the confidentiality of their international communications[.]”14
The Supreme Court rejected the plaintiffs' first argument, concluding that the plaintiffs' “speculative chain of possibilities does not establish that injury based on potential future surveillance is certainly impending or is fairly traceable” to FISA.15 The Court focused on the plaintiffs' failure to allege that the government had actually targeted any of them for surveillance. Instead, the Court wrote, the plaintiffs “merely speculate and make assumptions about whether their communications with their foreign contacts will be acquired[.]”16
Likewise, the Court rejected the plaintiffs' second argument, reasoning that “allowing respondents to bring this action based on costs they incurred in response to a speculative threat would be tantamount to accepting a repackaged version of respondents' first failed theory of standing.”17
The Court concluded that standing simply does not exist because the plaintiffs “cannot demonstrate that the future injury they purportedly fear is certainly impending and because they cannot manufacture standing by incurring costs in anticipation of non-imminent harm.”18
Taken together, Spokeo and Clapper demonstrate that the Supreme Court has set a very high bar for plaintiffs who bring a lawsuit based on the risk of a future, intangible injury. However, the Court has not entirely ruled out the possibility of allowing such lawsuits to proceed, provided that the potential risk of harm is particularized as to the plaintiffs bringing the lawsuit, and sufficiently concrete.
These standing rules matter immensely for lawsuits arising from data breaches, since in many of these cases the plaintiffs are alleging that the defendants' inadequate data security left them open to future harm. It would not be surprising if the Supreme Court eventually agrees to hear a standing challenge to a data breach lawsuit. Until then, the lower federal courts are free to develop their own rules as to whether a plaintiff has standing in a data breach case.
The lower courts of appeals are not unified in their standing requirements for data breach lawsuits. Some courts will only allow a lawsuit to proceed if the plaintiff has demonstrated that a breach already has led to actual harm, such as identity theft. Other courts, however, have found standing when plaintiffs concretely allege that the breach could reasonably lead to future harm.
The decisions often are difficult to reconcile, and the practical effect is that data breach class actions are more likely to be dismissed for lack of standing in some federal courts than in others.
The Article III standing requirement – and, particularly, the injury-in-fact requirement – has proved to be a significant hurdle for data breach lawsuits. In the cases in which courts have found plaintiffs to have standing, the plaintiffs have made substantial and concrete demonstrations of injury. However, the result often depends on whether the courts have taken a broad or narrow view of the types of harms that constitute an injury-in-fact.
Two opinions in which federal appellate courts have found plaintiffs to have Article III standing to sue over data breaches – Krottner v. Starbucks Corp. from the Ninth Circuit and Pisciotta v. Old National Bancorp from the Seventh Circuit – present the most useful roadmap for demonstrating injury-in-fact. However, the results in these cases also depend on a court's willingness to consider the mere risk of harm as an injury-in-fact.
In Krottner v. Starbucks Corp.,19 an unencrypted Starbucks laptop containing nearly 100,000 current and former Starbucks employees' names, addresses, and Social Security numbers was stolen. Three current and former employees filed a putative class action lawsuit against the company, in which they alleged claims of negligence and breach of implied contract. The first plaintiff claimed in the complaint that she spent a “substantial amount of time” monitoring her banking and retirement accounts because of the breach. The second plaintiff claimed that he “has spent and continues to spend substantial amounts of time checking his 401(k) and bank accounts” and “has generalized anxiety and stress regarding the situation.” The third plaintiff stated that within a few months of the laptop theft, he was alerted by his bank of a third party's attempt to open a bank account with his Social Security number. The district court dismissed the case, finding that the plaintiffs failed to demonstrate the injury necessary to establish Article III standing.
The Ninth Circuit reversed the dismissal, finding that the plaintiffs' complaints sufficiently alleged injury because they “have alleged a credible threat of real and immediate harm stemming from the theft of a laptop containing their unencrypted personal data.” However, the Court noted that “more conjectural or hypothetical” allegations of harm may not have established Article III standing – “for example, if no laptop had been stolen, and Plaintiffs had sued based on the risk that it would be stolen at some point in the future.”
The Krottner case quickly made it easier for data breach plaintiffs to establish standing in the Ninth Circuit. For instance, in 2014, the U.S. District Court for the Southern District of California found that plaintiffs had standing to bring a class action lawsuit against Sony Computer Entertainment America, LLC for a breach of the network that stores personal and financial information of PlayStation Network customers.20 The only injuries claimed by the named plaintiffs were the inability to access the PlayStation Network while Sony was responding to the breach, and the cost of credit monitoring. Ten of the 11 named plaintiffs did not allege unauthorized charges on their financial accounts or other identity theft resulting from the breach.21 One of the named plaintiffs alleged that he later received two unauthorized charges on his credit card, but the complaint did not state whether he was reimbursed for those charges.22 Sony moved to dismiss the lawsuit, alleging that the plaintiffs did not sufficiently allege an injury-in-fact to establish Article III standing.
Applying the Ninth Circuit's standard from Krottner, the Court held that the plaintiffs' claim that Sony collected their personal information and later wrongly disclosed it is “sufficient to establish Article III standing at this stage in the proceedings.”23 The Court held that even though the plaintiffs did not claim that a third party actually accessed their personal information, Krottner only requires a plausible allegation of “a ‘credible threat’ of impending harm based on disclosure of their Personal Information following the intrusion.”24 Notably, the Court held that even though the Supreme Court appeared to tighten its standing requirement in Clapper – decided after Krottner – the Clapper decision did not overrule the Krottner framework for analyzing standing in data breach cases.25 One court, however, said that in the post-Clapper era, “courts have been even more emphatic in rejecting ‘increased risk’ as a theory of standing in data-breach cases.”26
In Pisciotta v. Old National Bancorp,27 two plaintiffs brought a putative class action lawsuit against a bank whose website allegedly was hacked, enabling a hacker to obtain a great deal of personal information about thousands of customers, including names, Social Security numbers, birth dates, financial account numbers, and mothers' maiden names. In their complaint, the two named plaintiffs – consumers whose data was disclosed – did not allege that they already had suffered a financial loss because of the breach. Instead, the complaint stated that the plaintiffs “have incurred expenses in order to prevent their confidential personal information from being used and will continue to incur expenses in the future.”28 They sought compensation “for all economic and emotional damages suffered as a result of the Defendants' acts which were negligent, in breach of implied contract or in breach of contract,” and “[a]ny and all other legal and/or equitable relief to which Plaintiffs … are entitled, including establishing an economic monitoring procedure to insure [sic] prompt notice to Plaintiffs … of any attempt to use their confidential personal information stolen from the Defendants.”29 The district court granted the bank's motion to dismiss, concluding that the plaintiffs' complaint did not allege a cognizable injury-in-fact, and that “expenditure of money to monitor one's credit is not the result of any present injury but rather the anticipation of future injury that has not yet materialized.”30 On appeal, the Seventh Circuit upheld the dismissal of the case but, importantly, disagreed with the district court's ruling on Article III standing. 
The Court concluded that a data breach plaintiff can establish an injury-in-fact by alleging “a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would have otherwise faced, absent the defendant's actions.”31 Courts nationwide have relied on the Pisciotta ruling to find that plaintiffs have standing in data breach cases.32
Indeed, since Pisciotta, the Seventh Circuit has found standing in two other large data breach class actions. In Remijas v. Neiman Marcus Grp., LLC,33 the Seventh Circuit allowed a lawsuit to proceed against a department store chain that experienced a breach of a system that stored payment card data. Although the plaintiffs did not allege that any identity theft or fraud had actually occurred, they claimed that the fear of future charges prompted them to take “immediate preventative measures.”34 The department store argued that the plaintiffs had not alleged an injury-in-fact and, instead, merely speculated without any actual evidence of impending harm. The Seventh Circuit rejected this claim, reasoning that the department store's customers “should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.”35 The next year, the Seventh Circuit extended this pro-plaintiff holding when it refused to dismiss a data breach class action lawsuit brought against a restaurant chain.36 The restaurant argued that there was no standing because, unlike the plaintiffs in Remijas, the restaurant's customers were only at risk of unauthorized credit card charges – not identity theft – and therefore they had not suffered an injury-in-fact. The Court found this distinction irrelevant.37
Other courts, however, have gone to great lengths to distinguish other data breach cases from Krottner and Pisciotta and hold that plaintiffs do not have Article III standing. For instance, in Reilly v. Ceridian Corp.,38 plaintiffs filed a putative class action lawsuit against their employer's payroll processing company, Ceridian, after Ceridian experienced a data breach that exposed the personal and financial data of approximately 27,000 people.39 There was no evidence in the record as to whether the hacker read or copied the breached information.40 The district court granted Ceridian's motion to dismiss for lack of standing, and the U.S. Court of Appeals for the Third Circuit affirmed the dismissal, holding that “allegations of an increased risk of identity theft resulting from a security breach are therefore insufficient to secure standing.”41 The Third Circuit reasoned that hypothetical harm – and nothing more – does not establish an injury-in-fact: “we cannot now describe how Appellants will be injured in this case without beginning our explanation with the word ‘if’: if the hacker read, copied, and understood the hacked information, and if the hacker attempts to use the information, and if he does so successfully, only then will Appellants have suffered an injury.”42 Some federal district courts have adopted similar reasoning for data breach cases and held that the mere risk of identity theft after a breach – without any additional showing of imminent or actual harm – is insufficient to establish an injury-in-fact.43
The Third Circuit acknowledged that the courts in Pisciotta and Krottner found that data breach victims had standing to sue, but differentiated those cases because the harm was more “imminent” and “certainly impending” than the harm alleged by the plaintiffs suing Ceridian:
In Pisciotta, there was evidence that “the [hacker's] intrusion was sophisticated, intentional and malicious.” … In Krottner, someone attempted to open a bank account with a plaintiff's information following the physical theft of the laptop. … Here, there is no evidence that the intrusion was intentional or malicious. Appellants have alleged no misuse, and therefore, no injury. Indeed, no identifiable taking occurred; all that is known is that a firewall was penetrated. Appellants' string of hypothetical injuries do not meet the requirement of an “actual or imminent” injury.
Accordingly, at least according to the Third Circuit, a data breach plaintiff cannot have standing unless there has been some indication of potential harm, such as an attempt to open a credit account or a high level of sophistication of the hacker. The distinction seems a bit artificial, and suggests that it may be easier for data breach plaintiffs to establish standing in certain circuits – such as the Seventh and the Ninth – than other circuits – such as the Third.
The courts that have held that a data breach – and nothing more – is insufficient proof of injury-in-fact have reasoned that the mere possibility of identity theft or other harm is far too uncertain and depends on unknown variables. The U.S. District Court for the Eastern District of Missouri articulated this concern when it dismissed a lawsuit against a prescription drug benefit provider that suffered a security breach:
For plaintiff to suffer the injury and harm he alleges here, many “if's” would have to come to pass. Assuming plaintiff's allegation of security breach to be true, plaintiff alleges that he would be injured “if” his personal information was compromised, and “if” such information was obtained by an unauthorized third party, and “if” his identity was stolen as a result, and “if” the use of his stolen identity caused him harm. These multiple “if's” squarely place plaintiff's claimed injury in the realm of the hypothetical. If a party were allowed to assert such remote and speculative claims to obtain federal court jurisdiction, the Supreme Court's standing doctrine would be meaningless.44
Moreover, if a plaintiff sues a company for inadequate data security but a breach has not yet occurred, it is unlikely that the court will conclude that an injury-in-fact exists. For instance, in Katz v. Pershing,45 the plaintiff sued a financial services company because she believed that the company did not implement adequate data security safeguards, and that, as the court described it, “her nonpublic personal information has been left vulnerable to prying eyes[.]”46 However, she did not allege that her information actually had been exposed to an unauthorized party. The First Circuit swiftly affirmed the dismissal of her lawsuit for lack of standing, concluding that “because she does not identify any incident in which her data has ever been accessed by an unauthorized person, she cannot satisfy Article III's requirement of actual or impending injury.”47
Even if a data breach plaintiff can demonstrate an injury-in-fact, the plaintiff also must credibly allege that the injury is “fairly traceable” to the defendant's failure to adopt adequate data security measures.
For instance, in Resnick v. AvMed, Inc.,48 laptops containing patients' personal information were stolen from AvMed, a healthcare company, exposing personal information such as Social Security numbers of more than one million customers. Customers who later were victims of identity theft – and had credit accounts opened in their names without their authorization – sued AvMed. The company filed a motion to dismiss, and the district court dismissed the complaint, briefly stating that the complaint “fails to allege any cognizable injury.”49 On appeal, the U.S. Court of Appeals for the Eleventh Circuit disagreed, and found that plaintiffs established an injury-in-fact because they “allege that they have become victims of identity theft and have suffered monetary damages as a result.”50 The more difficult questions for the Court, however, were whether this injury was “fairly traceable” to the company's actions and whether the injury was redressable through the litigation. The Court concluded that a “fairly traceable” finding “requires less than a showing of ‘proximate cause,’” and therefore the plaintiffs established this prong by alleging that they “became the victims of identity theft after the unencrypted laptops containing their sensitive information were stolen.”51
Finally, in order to demonstrate that standing exists, a plaintiff must sufficiently allege that the injury likely could be redressed by a ruling favorable to the plaintiff. As with the fairly traceable requirement, this prong is relatively easy for plaintiffs to satisfy.
In AvMed, the Court also found that the plaintiffs satisfied the final prong, redressability, because they “allege a monetary injury and an award of compensatory damages would redress that injury.”52 Accordingly, the Court concluded that the plaintiffs had standing to sue AvMed for harm arising from the data breach. Similarly, in 2014, a federal district judge in Minnesota held that plaintiffs had standing to sue Target after the retail chain's massive 2013 data breach because they alleged “unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees.”53 The Court concluded that these are injuries-in-fact that are fairly traceable to Target's data security measures and redressable through the litigation.54
Similarly, in the data breach lawsuit against P.F. Chang's,55 the Seventh Circuit concluded that the plaintiffs had pleaded redressability because they “have some easily quantifiable financial injuries: they purchased credit monitoring services.”56
In short, Article III standing often is the largest barrier for plaintiffs in data breach cases. Especially since the Supreme Court's decision in Clapper, courts are reluctant to allow a lawsuit to proceed merely because of the remote possibility that identity theft or another harm might occur at a later point. Many – but not all – courts will require a greater showing of harm, such as actual or imminent identity theft. However, as described above, the courts are somewhat split on this issue, and some courts are more likely to find that a plaintiff has standing than other courts.
If a court concludes that a plaintiff has standing to sue over a data breach, the court then must consider the merits of the plaintiff's claims, and whether the plaintiff credibly alleges the violation of any legal duties.
Private litigation arises from two types of law: common law and statutes. First, common-law claims are created by state courts in decades or centuries of legal precedent. They include negligence, breach of contract, some warranty cases, and negligent misrepresentation. Second, statutes are passed by legislatures. State consumer protection laws – which prohibit unfair and deceptive trade practices – frequently are cited as the basis for class action lawsuits after data breaches.
A common claim in data breach lawsuits is negligence. This common-law claim is a frequent basis for lawsuits against companies. Customers frequently claim that retailers are negligent if the customers slip on freshly washed or waxed floors. Similarly, plaintiffs who are injured in car accidents may sue the driver for negligence. In recent years, customers have claimed that companies' inadequate data security measures also are negligent.
Because negligence is a common-law tort, its precise rules have developed over centuries through court rulings. Accordingly, the exact requirements for negligence vary by state (the highest courts in each state – and not federal courts – ultimately are responsible for creating common-law torts). Typically, common-law negligence requires that a plaintiff demonstrate four elements: (1) the defendant owed a “legal duty” to the plaintiff (e.g., a duty to protect the plaintiff's personal information), (2) the defendant breached that duty (e.g., by failing to adequately safeguard the plaintiff's personal data), (3) the defendant's breach caused (4) a “cognizable injury” to the plaintiff.57
The first two elements typically are not the subject of significant dispute in data breach litigation. Courts have generally assumed that businesses have a legal duty to safeguard the personal information of their customers and employees, and that a failure to meet that duty constitutes a breach. For instance, in the Sony data breach litigation, the district court held that finding a legal duty is supported not only by state law but by “common sense:”
[B]ecause Plaintiffs allege that they provided their Personal Information to Sony as part of a commercial transaction, and that Sony failed to employ reasonable security measures to protect their Personal Information, including the utilization of industry-standard encryption, the Court finds Plaintiffs have sufficiently alleged a legal duty and a corresponding breach.58
If the company is subject to mandatory security requirements, such as an industry standard set of protocols, courts may view those requirements as a legal duty for the purposes of a negligence lawsuit. For instance, the retailer Michaels experienced a breach of the PIN code entry system for its in-store debit and credit card processing systems. Michaels had not been in compliance with the payment card industry's PIN Security Requirements, which, among other things, required retailers to ensure that counterfeit devices were not collecting PIN numbers from retail terminals. The Court reasoned:
Plaintiffs allege that Michaels failed to comply with various PIN pad security requirements, which were specifically designed to minimize the risk of exposing their financial information to third parties. Because the security measures could have prevented the criminal acts committed by the skimmers, Michaels' failure to implement such measures created a condition conducive to a foreseeable intervening criminal act.59
As the Michaels case demonstrates, companies must be aware of industry best practices and suggested security standards, as those are likely to create a standard of care that could trigger liability in negligence lawsuits.
Defendant companies occasionally argue that if their computer systems were hacked by a third party, the defendant did not breach a duty of care to the plaintiffs. The gravamen of this argument is that the harm was caused by a third party, and not the defendant. Courts generally reject such an argument in data breach cases. Target made this argument in its attempt to dismiss the class action that arose out of its 2013 data breach and was brought by financial institutions. The Court rejected Target's position, concluding that “[a]lthough the third-party hackers' activities caused harm, Target played a key role in allowing the harm to occur.”60 The Court considered the following factors in determining whether a duty exists: “(1) the foreseeability of harm to the plaintiff, (2) the connection between the defendant's conduct and the injury suffered, (3) the moral blame attached to the defendant's conduct, (4) the policy of preventing future harm, and (5) the burden to the defendant and community of imposing a duty to exercise care with resulting liability for breach,” and ultimately concluded that imposing a legal duty on Target to protect customers' personal information “will aid Minnesota's policy of punishing companies that do not secure consumers' credit- and debit-card information.”61
Perhaps the largest barrier to plaintiffs in negligence claims arising from data breaches is demonstrating that the breach of the legal duty caused a cognizable injury. That is due to a rule known as the Economic Loss Doctrine, which applies in many – but not all – state common law negligence claims. The Doctrine dates back to a 1927 opinion in which the United States Supreme Court concluded that “a tort to the person or property of one man does not make the tortfeasor liable to another merely because the injured person was under a contract with that other, unknown to the doer of the wrong.”62 As the Pennsylvania Supreme Court stated in 1985, this general rule leads to the conclusion that “negligent harm to economic advantage alone is too remote for recovery under a negligence theory.”63
Over the past century, state courts have determined how – and if – to adopt this doctrine for common-law negligence claims. Keep in mind that the Economic Loss Doctrine can differ greatly by state, and therefore a data breach plaintiff who might have a viable claim in one state might be unsuccessful in a state that has a more defendant-friendly Economic Loss Doctrine. For instance, in the Target data breach consumer class action lawsuit, Target moved to dismiss negligence claims from consumers in 11 states, citing those states' Economic Loss Doctrines.64 After an extensive analysis of the common law in each of those states, the Court concluded that the Economic Loss Doctrine requires dismissal of the negligence claims from five of the 11 states, while the claims in the remaining states should not be dismissed under those states' versions of the doctrine.65 The court noted two primary differences among the various versions of the Economic Loss Doctrine. First, some states recognize an “independent duty” exception to the doctrine, meaning that “the rule does not apply where the duty alleged is an independent duty that does not arise from commercial expectations.”66 Second, some states recognize an exception to the doctrine if there is a “special relationship” between the plaintiff and defendant.67
The most stringent (and defendant-friendly) formulation of the doctrine “bars recovery unless the plaintiffs can establish that the injuries they suffered due to the defendants' negligence involved physical harm or property damage, and not solely economic loss.”68 For instance, a data breach of the payment card data at retailer BJ's Wholesale Club, Inc. resulted in unauthorized charges at a number of credit unions. The credit unions, and the insurer that partially reimbursed the credit unions, sued BJ's for negligence arising from costs of replacing breached credit cards. The Massachusetts Supreme Judicial Court affirmed the dismissal of the negligence claims under the Economic Loss Doctrine, concluding that the credit cards were “canceled by the plaintiff credit unions for the purpose of avoiding future economic losses.”69 Other courts similarly have relied on the Economic Loss Doctrine to dismiss negligence claims filed by companies against businesses that have experienced data breaches that have led the plaintiffs to experience financial losses.70
The Economic Loss Doctrine also presents a barrier to customers who are suing businesses for failing to adequately safeguard their personal information. For instance, despite finding that Michaels had breached a legal duty to protect payment card PIN data, the Illinois federal judge dismissed the negligence claim filed by customers. The judge noted that “other courts dealing with data breach cases have also held that the economic loss doctrine bars the plaintiff's tort claim because the plaintiff has not suffered personal injury or property damage.”71 Similarly, in the Sony Play Station Network data breach litigation, the court relied on the Economic Loss Doctrine for its dismissal of negligence claims under California and Massachusetts laws.72
In some states, in contrast, the Economic Loss Doctrine is more limited. For instance, in Maine, the doctrine means that courts “do not permit tort recovery for a defective product's damage to itself.”73 A federal court in Maine, applying Maine common law, refused to dismiss a negligence claim arising from a breach of the defendant's computer system, concluding that “[t]his is not a case about a defective product that [the defendant] has sold to the customer.”74 In these states, it may be easier for a plaintiff to successfully bring a claim for negligence arising from a data breach.
As with establishing Article III standing, plaintiffs suing for data breaches or inadequate data security face their best chances at succeeding in negligence claims if they can demonstrate actual harm that has occurred as a result of the defendant's poor data security. However, it still is possible to recover even if harm such as identity theft has not occurred, depending on the scope of the state's Economic Loss Doctrine and other legal rules surrounding negligence.
Even if a negligence plaintiff has demonstrated that the defendant breached a duty to safeguard the plaintiff's information, and that the plaintiff suffered cognizable injury, the plaintiff still must demonstrate that the breach of duty caused the injury. In other words, the plaintiff must link the inadequate data security to the identity theft or other harm. Causation is not disputed nearly as frequently as the other elements of negligence in data breach lawsuits; however, it potentially could present a barrier to an otherwise successful claim.
Nevertheless, courts are willing to make reasonable assumptions if the allegations in a lawsuit lead to the likely conclusion that the breach caused harm to the plaintiffs. For example, in the AvMed case discussed above, the two plaintiffs were victims of identity theft approximately one year after an unencrypted laptop with their personal information was stolen.75 Both plaintiffs stated that they take a number of steps to protect their personal information, and that they had not previously been the victims of identity theft.76 The Court recognized that whether the breach caused the identity theft was a close call, particularly because the breach occurred approximately a year before the identity theft. The plaintiffs succeeded in convincing the Eleventh Circuit that they plausibly alleged causation because the information that was used in the identity theft was identical to the information on the stolen laptop.77 Applying “common sense” to the allegations, the Court concluded that the plaintiffs' allegations of causation “move from the realm of the possible into the plausible,” and it therefore denied AvMed's motion to dismiss.78 However, the Court noted that if the Complaint had contained fewer factual allegations, the negligence claim likely would have been dismissed.79
Causation is easier to establish when the duration between the data breach and the identity theft is shorter. For instance, in Stollenwerk v. Tri-West Health Care Alliance,80 the plaintiff suffered identity theft six weeks after computers containing his personal information were stolen from defendant Tri-West's headquarters. The Ninth Circuit concluded that the plaintiff had demonstrated causation because “(1) he gave Tri-West his personal information; (2) the identity fraud incidents began six weeks after the hard drives containing Tri-West's customers' personal information were stolen; and (3) he previously had not suffered any such incidents of identity theft.”81 However, the court cautioned that plaintiffs cannot prove causation merely because two incidents occurred within weeks of each other. Here, causation also was logically plausible because “[a]s a matter of twenty-first century common knowledge, just as certain exposures can lead to certain diseases, the theft of a computer hard drive certainly can result in an attempt by a thief to access the contents for purposes of identity fraud, and such an attempt can succeed.”82
In a claim somewhat related to general negligence, some consumers and businesses bring data breach lawsuits against companies for misrepresenting their data security practices or omitting crucial details about their failure to adequately safeguard customer data.
In many states, negligent misrepresentation claims require the same elements as general negligence claims: legal duty, breach, causation, and injury. But some states allow negligent misrepresentation claims to proceed even if the plaintiffs only allege economic losses. This makes it easier, in those states, for plaintiffs to bring claims under the tort of negligent misrepresentation than general negligence.
For instance, a Nevada federal judge refused to dismiss negligent misrepresentation claims that customers brought against online retailer Zappos.com after a data breach. Quoting a Nevada Supreme Court case, the federal judge reasoned that liability “is proper in cases where there is significant risk that the law would not exert significant financial pressures to avoid such negligence,” and that such cases include “negligent misstatements about financial matters.”83 The Court reasoned that because the customers did not have a “highly interconnected network of contracts” outlining the company's data security obligations, the customers did not have the ability to exert pressure to prevent such negligence, and therefore the tort of negligent misrepresentation should be available to them.84
Many state courts have adopted the definition of negligent misrepresentation from the Restatement (Second) of Torts, which states that negligent misrepresentation occurs under the following circumstances:
One who, in the course of his business, profession or employment, or in any other transaction in which he has a pecuniary interest, supplies false information for the guidance of others in their business transactions, is subject to liability for pecuniary loss caused to them by their justifiable reliance upon the information, if he fails to exercise reasonable care or competence in obtaining or communicating the information.85
In the banks' lawsuit against TJX, negligent misrepresentation was among the claims against the retailer. The banks claimed that because TJX accepted Visa and Mastercard credit cards, the retailer had implied that it would comply with credit card companies' data security rules. To determine whether this amounted to negligent misrepresentation, the U.S. Court of Appeals for the First Circuit applied Massachusetts common law, which has adopted the Restatement's test for negligent misrepresentation. The Court was highly skeptical about the banks' argument that merely accepting credit cards constitutes a representation about TJX's data security, stating that the “implication is implausible and converts the cause of action into liability for negligence – without the limitations otherwise applicable to negligence claims.”86 Although conduct “can be part of a representation,” the Court reasoned, “the link between the conduct and the implication is typically tight.”87 However, because the Court only was considering a motion to dismiss – a stage at which all factual claims must be viewed in the light most favorable to the plaintiff – the Court allowed the negligent misrepresentation claim to survive “on life support.”88
The financial institutions suing Target alleged that Target “failed to disclose material weaknesses in its data security systems and procedures,” and therefore was liable for negligent misrepresentation by omission.89 The district court concluded that the plaintiffs plausibly alleged that Target owed a duty to disclose because it “knew facts about its ability to repel hackers that Plaintiffs could not have known, and that Target's public representations regarding its data security practices were misleading.”90 The Court also found that the plaintiffs complied with Federal Rule of Civil Procedure 9(b), which requires plaintiffs alleging fraud or mistake to “state with particularity the circumstances constituting fraud or mistake.” The Court concluded that the plaintiffs complied with this rule because they “have identified the omitted information, namely Target's failure to disclose that its data security systems were deficient and in particular that Target had purposely disengaged one feature of those systems that would have detected and potentially stopped the hackers at the inception of the hacking scheme.”91 However, the Court ultimately found that the financial institutions' Complaint fell short of properly alleging negligent misrepresentation because it did not plead that the institutions relied on Target's omissions. The Court rejected the plaintiffs' claims that they were not required to plead reliance, and held that although securities fraud-by-omission claims do not require such an allegation, “courts have not extended this presumption of reliance outside of the securities fraud context.”92
Consumers whose information has been compromised in a data breach often allege claims that the companies with which they entrusted their information breached a contract with the customer. As with torts, the precise elements of breach of contract may vary by state. For services, contract laws are set by courts under the common law, and for the sale of goods, contract laws are set by the state legislature's adoption of the Uniform Commercial Code. Typically, however, a plaintiff must demonstrate (1) a contract between the plaintiff and defendant, (2) the defendant's breach of a duty imposed by that contract, and (3) damage caused to the plaintiff as a result of that breach.93
If a company enters into a contract in which it guarantees a specific level of data security, the company then fails to provide that data security, and a breach exposes customers' information and leads to identity theft or other harm, the customer would have a fairly strong claim for breach of contract. The company would have breached an express duty in the contract, and that breach would have caused damage to the plaintiff. However, breach of contract claims in data breach cases often are not so clear-cut.
Data breach plaintiffs have attempted to bring breach of contract claims against companies for promises that they have made in their privacy policies or other public statements. Such claims will fail unless the plaintiff can prove that these statements are part of the bargained-for agreement between the plaintiff and defendant. For example, in 2016, a California district court dismissed a breach of contract claim in the class action lawsuit against Anthem, Inc., the health insurer that had experienced a large data breach. The plaintiffs alleged that Anthem had failed to adhere to a statement in its privacy notice, which stated “We keep your oral, written and electronic [PII] safe using physical, electronic, and procedural means.”94 The court dismissed this claim, concluding that the plaintiffs' Complaint fails to “allege that the privacy notices or public website statements were part of or were incorporated by reference” into the plaintiffs' contracts with Anthem.95
In some cases, the plaintiff alleges that a company – such as a service provider – breached an agreement with an intermediary by failing to safeguard information, and that in turn caused harm to the plaintiff. In that case, the plaintiff must convince a court that he was a third-party beneficiary to this agreement. Unless a contract explicitly names a third party as a beneficiary of a contract, a court must determine whether a third party was an “intended beneficiary” of the contract's data security provisions.
A number of state courts have adopted the test for intended beneficiaries as articulated in Section 302 of the Restatement (Second) of Contracts:
Intended and Incidental Beneficiaries
In 2008, the U.S. Court of Appeals for the Third Circuit applied this definition of intended beneficiary in a case arising from the BJ's retailer data breach described above. A number of lawsuits arose out of that breach, including a lawsuit by Sovereign Bank, a credit card issuer, against BJ's and the retailer's bank, Fifth Third. Among the many claims by Sovereign was a breach of contract action, alleging that Fifth Third breached its agreement with Visa to ensure that BJ's adequately secured credit card information. Sovereign claimed that BJ's breached this agreement, and banks whose customers' data were breached – such as Sovereign – were intended third-party beneficiaries of the agreement between Fifth Third and Visa.97 Fifth Third argued that the contract was not intended to benefit issuing banks such as Sovereign, but instead to “benefit the Visa system as a whole.”98 The district court dismissed this claim, but the Third Circuit reversed, finding that a Visa executive's testimony that the data security requirements are intended to benefit “the members that participate in it” was sufficient to allow a reasonable jury to conclude that Sovereign was an intended beneficiary, and therefore could sue Fifth Third for breach of contract.99
Some contracts, however, clearly preclude third-party beneficiary claims. For instance, Pershing LLC, which provides an electronic platform for financial services institutions, was sued by the customer of a financial institution that used Pershing's platform. The plaintiff filed a lawsuit against Pershing, alleging that the company failed to adequately secure her personal information by using safeguards such as encryption and proper end-user authentication.100 Among her legal claims was that Pershing breached the data confidentiality provision of an agreement between Pershing and the plaintiff's financial institution. The U.S. Court of Appeals for the First Circuit swiftly rejected this claim, noting that the agreement stated that it “is not intended to confer any benefits on third-parties[.]”101 The Court held that when the intent to preclude third-party beneficiaries is “unambiguously disclaimed, a suitor cannot attain third-party beneficiary status.”102
In many data breach cases, there is not an express contract between a consumer and company. For instance, if a customer walks into a store and purchases a product with her credit card, the customer typically does not first require the retailer to agree to adequately safeguard her credit card number and other personally identifiable information. However, in many states, it is possible to allege that a company's failure to safeguard data breaches an implied term of a contract.
For instance, in the Hannaford case, which consumers brought against a retailer after a breach of payment card information, the plaintiffs relied on Maine common law, which states that contracts can include “all such implied provisions as are indispensable to effectuate the intention of the parties and as arise from the language of the contract and circumstances under which it was made,” provided that the provision is “absolutely necessary to effectuate the contract.”103 In the Hannaford case, the plaintiffs alleged that when they provided their credit cards to the grocer's cashier at the cash register, they entered into an implied contract for the grocer to protect their credit card numbers. The grocer moved to dismiss this claim, stating that such an assumption is not absolutely necessary to engage in the payment transaction. The district court disagreed with the grocer and refused to dismiss the claim. The judge reasoned that a jury “could reasonably find that customers would not tender cards to merchants who undertook zero obligation to protect customers' electronic data.”104 However, the judge recognized that such an implied contract is limited, because “in today's known world of sophisticated hackers, data theft, software glitches, and computer viruses, a jury could not reasonably find an implied merchant commitment against every intrusion under any circumstances whatsoever (consider, for example, an armed robber confronting the merchant's computer systems personnel at gunpoint).”105 In short, the court held that a jury could find an implied contract for the grocer to enact reasonable safeguards, similar to the negligence standard. However, the court did not believe that the implied contract creates an absolute prohibition on all data breaches, because such a duty would be impossible in light of modern cyber threats.
Nor did the judge agree with the plaintiff that there is an implied contract for the grocer to notify consumers of data breaches because such notification is not “absolutely necessary” for the contract.106 The grocer appealed the district court's refusal to dismiss the claim entirely, and the U.S. Court of Appeals for the First Circuit affirmed the district court's conclusion, stating that a jury “could reasonably conclude, therefore, that an implicit agreement to safeguard the data is necessary to effectuate the contract.”107
In contrast, the plaintiff in the case against Pershing, described above, claimed that in addition to being a third-party beneficiary to an express contract between Pershing and her service provider, she had an implied contract with Pershing, in which Pershing implicitly agreed to protect her personal information.108 The First Circuit rejected this argument, holding that a contract did not exist between the plaintiff and Pershing because there was not any consideration (i.e., the plaintiff did not provide a “bargained-for benefit,” nor did she suffer any “bargained-for detriment in exchange for the defendant's supported promises.”)109
In sum, there are three primary methods that a plaintiff could attempt to bring a breach of contract lawsuit arising from a data breach or poor data security. First, the plaintiff could sue for breaching an express contract between the plaintiff and a defendant in which the defendant agreed to provide a specified level of data security. This is the most likely route for success for the plaintiff, but in many recent data breach cases, such contracts did not exist. Second, the plaintiff could claim that she was the intended third-party beneficiary of a contract between the defendant and another party, in which the defendant agreed to provide a certain level of data security. As demonstrated above, it often is difficult to prove that the plaintiff was an intended third-party beneficiary of a contract. Third, the plaintiff can claim that even though there was not an express contract with the defendant, the parties had an implied contract in which the defendant agreed to provide a reasonable level of data security. Such claims are fact-specific and their success is difficult to predict with great certainty.
Consumers also have claimed that companies breached implied warranties by failing to safeguard their data. Under this claim, plaintiffs typically argue that by selling the plaintiffs a product, the defendants provided an implied warranty that the good was fit for a particular purpose. The defendants breached that warranty, they argue, by failing to provide proper data security.
In the United States, there are two general sources of implied warranties: Article 2 of the Uniform Commercial Code, which applies to the sale of goods, and the common law (rulings by state court judges over many decades), which applies to the sale of services. Implied warranties under both the Uniform Commercial Code and the common law have arisen in data breach cases.
Most states have adopted the implied warranty provisions of Article 2 of the Uniform Commercial Code, which governs the sale of goods. Article 2 creates two implied warranties that are relevant to data breach cases: warranty of merchantability and warranty of fitness for a particular purpose.
Section 2-314 of the Uniform Commercial Code, which creates an implied warranty of merchantability, requires goods to be “merchantable,” which the statute defines as:
The implied warranty of merchantability only applies to merchants who sell “goods of that kind.” In other words, a car dealer implicitly warrants the merchantability of the cars that it sells, but if it sells an old desk that it had used in its office, it does not imply the merchantability of the desk.
Section 2-315 of the Uniform Commercial Code, which creates an implied warranty of fitness for a particular purpose, states:
Where the seller at the time of contracting has reason to know any particular purpose for which the goods are required and that the buyer is relying on the seller's skill or judgment to select or furnish suitable goods, there is unless excluded or modified under the next section an implied warranty that the goods shall be fit for a particular purpose.111
Data breach plaintiffs have alleged that by failing to provide adequate security for personal information, the company breached both the implied warranties of merchantability and fitness.
The UCC allows merchants to “disclaim” implied warranties – and thus avoid the obligations imposed by these requirements. To do so, the UCC states, the disclaimer must be “by a writing and conspicuous.”112 To disclaim implied warranties, the UCC states that it is sufficient for the written disclaimer to use expressions such as “with all faults,” “as is,” or “There are no warranties which extend beyond the description on the face hereof.”113 Many states prohibit disclaimers from being buried in contracts; therefore, user agreements often contain the disclaimers in capital letters.
However, the UCC is only a model for states to use as a framework for adopting their own laws governing the sale of goods. Some states do not allow companies to disclaim the UCC's implied warranties. For instance, Massachusetts' version of the UCC states that any attempts to limit or exclude the implied warranties of merchantability or fitness for a particular purpose are “unenforceable.”114 This prohibition of such disclaimers makes Massachusetts a particularly attractive venue for implied warranty claims.
However, the UCC often does not apply to data breach lawsuits. Many data breach cases arise when customers sue online networks, banks, healthcare providers, and other companies that provide them with services. The UCC only applies to the sale of goods, while the common law (law created by centuries of court rulings) typically applies to the sale of services. Determining whether a data breach arises from a sale of goods or a sale of services, however, can be tricky.
For instance, in the Sony Play Station Network data breach class action, among the plaintiffs' many claims was a breach of the implied warranty of fitness for a particular purpose under the Massachusetts UCC.115 Because Sony had disclaimed implied warranties, the Massachusetts statute appeared to be an attractive route for the plaintiffs to bring an implied warranty claim. However, the Court rejected the claim because it involved a breach of the online services that Sony provided via the Play Station Network. The Massachusetts version of the UCC defines “goods” as “all things … which are movable at the time of identification to the contract for sale.”116 The Court concluded that even though the online services could only be accessed by the consumer's purchase of a Play Station Network game console, the “thrust, or purpose of the contract” was to provide access to the Play Station Network, which is not a movable “thing” as defined by the UCC.117
Similarly, in the Hannaford case,118 a lawsuit arising from the breach of payment card information at a grocery store, the plaintiffs brought a breach of implied warranty claim under Maine's version of the Uniform Commercial Code. They alleged that the retailer's acceptance of card data rendered its electronic payment processing system a “good” that it implicitly guaranteed to securely process card transactions. The Court swiftly dismissed this claim, concluding that “goods” under the UCC would include the retailer's groceries but not the payment system that it uses to process card data.119
Many states also recognize common law implied warranty claims. Because these are not derived from the UCC, the warranties do apply to the sale of services, such as online accounts, but the common law in many states typically allows companies to use clear and prominent disclaimers to avoid being bound by implied warranties.
For instance, in the Sony Play Station Network case, the plaintiffs claimed that Sony breached implied warranties under the common law of Florida, Michigan, Missouri, and New York. Sony argued that these claims are invalid because it disclaimed all warranties both in the Play Station Network User Agreement and Privacy Policy. The user agreement stated:
No warranty is given about the quality, functionality, availability or performance of Sony Online Services or any content or service offered on or through Sony Online Services. All services and content are provided "AS IS" and "AS AVAILABLE" with all fault. SNEA does not warrant that the service and content will be uninterrupted, error-free or without delays. In addition to the limitations of liability in merchantability, warranty of fitness for a particular purpose and warranty of non-infringement, SCEA assumes no liability for any inability to purchase, access, download or use any content, data, or service.120
Likewise, the Play Station Network Privacy Policy stated:
We take reasonable measures to protect the confidentiality, security, and integrity of the personal information collected from our website visitors … . Unfortunately, there is no such thing as perfect security. As a result, although we strive to protect personally identifying information, we cannot ensure or warrant the security of any information transmitted to us through or in connection with our websites, that we store on our systems or that is stored on our service providers' systems.121
The court granted Sony's motion to dismiss, reasoning that the two documents, when read together, sufficiently disclaim any guarantees that consumers' personal information will be secure.122 It is unclear whether either of those documents, standing alone, would be sufficient to avoid all implied warranty lawsuits arising from the data breach. The disclaimer in the User Agreement satisfies the long-standing legal rule that disclaimers of warranties should state that goods and services are provided “as is.” The Privacy Policy, for its part, provides a clear disclaimer that Sony does not guarantee the safety of personal information. Had this language not been in the Privacy Policy, the plaintiffs would have had a strong argument that a reasonable consumer would not expect the User Agreement's “As Is” provision to apply to data security.
Common law implied warranty claims are not as common as UCC implied warranty lawsuits, and many state courts have not ruled on the exact scope of these implied warranties as applied to services such as computing and data storage. Courts have recognized common law implied warranties for construction123 and the repair of goods that were sold by the merchant.124 Courts decide whether to extend implied warranties to services on a case-by-case basis, assessing the public interest in recognizing such obligations.125 Accordingly, it is likely that more precise rules for common law implied warranty claims in data breach cases will emerge over the next decade.
In short, implied warranty claims probably are not the strongest route for plaintiffs in data breach lawsuits. Unless a related data breach loss arises from the plaintiff's purchase of a tangible good, it is unlikely that the UCC's implied warranties will apply. And it remains to be seen whether state supreme courts will conclude that recognizing common law implied warranties for data security is in the public interest. Even if a warranty does apply, many large companies easily address such risk with clear and conspicuous disclaimers.
In some data breach cases, plaintiffs bring a claim under the common-law tort of invasion of privacy due to publication of private facts. These claims will almost definitely fail, absent extraordinary circumstances.
Publication of private facts is one of four common-law privacy torts, and the most applicable to data breaches.126 To state a claim for the publication of private facts, the plaintiff generally must prove "(1) the publication, (2) of private facts, (3) that are offensive, and (4) are not of public concern."127 If plaintiffs' personal data are exposed due to a data breach, they could seek damages under this tort.
However, convincing a court to allow such a lawsuit is difficult, absent a demonstration that the material was widely circulated and that the defendant was somehow involved in the publication. For instance, in Galaria v. Nationwide Mutual Insurance Co.,128 plaintiffs filed a class action lawsuit against Nationwide Mutual Insurance after a breach of Nationwide's computer systems allowed hackers to obtain personal information that the plaintiffs had provided to the insurer. The plaintiffs did not allege misuse of their personal information or identity theft. Among the claims in the plaintiffs' putative class action lawsuit was invasion of privacy due to publication of private facts. The district court dismissed this claim for two reasons. First, the court stated that even though the breach exposed their personally identifiable information, there was no allegation that Nationwide disclosed the data. Instead, the data was allegedly stolen from Nationwide.129 This ruling suggests that, unless the defendant in a breach case takes an affirmative action to disseminate the information – such as posting it on a website – an invasion of privacy claim will not succeed. Second, the court held that even if Nationwide had disseminated the data, the plaintiffs did not allege publicity of the information. The plaintiffs would have needed to demonstrate “publicity to the public at large or to so many persons that the information is certain to become public knowledge.”130
Even if a plaintiff cannot establish a breach of an express or implied contract due to a data breach or inadequate data security, the plaintiff may attempt to bring a similar type of claim under the theory of “unjust enrichment.”
Unjust enrichment is a theory of recovering damages “when one person has obtained a benefit from another by fraud, duress, or the taking of an undue advantage.”131 As with other common law claims, the precise rules for unjust enrichment vary by state. The U.S. Court of Appeals for the Eleventh Circuit articulated a common framework for unjust enrichment in the AvMed data breach case.132 Applying Florida law, the court held that a plaintiff must demonstrate “(1) the plaintiff has conferred a benefit on the defendant; (2) the defendant has knowledge of the benefit; (3) the defendant has accepted or retained the benefit conferred; and (4) the circumstances are such that it would be inequitable for the defendant to retain the benefit without paying fair value for it.”133 Applying these factors, the Eleventh Circuit concluded that the plaintiffs alleged a viable unjust enrichment claim. The court reasoned that the plaintiffs paid monthly premiums to the company, which AvMed should have used to cover the costs of adequate data security, and that the company failed to do so.134
Similarly, in the consumer class action against Target, the district court refused to dismiss the unjust enrichment claim against the retailer, reasoning that if the plaintiffs “can establish that they shopped at Target after Target knew or should have known of the breach, and that Plaintiffs would not have shopped at Target had they known about the breach, a reasonable jury could conclude that the money Plaintiffs spent at Target is money to which Target in equity and good conscience should not have received.”135 However, the court rejected the plaintiffs' other unjust enrichment claim, in which they asserted that they were overcharged for their products because the goods that Target sold “included a premium for adequate data security.”136 The court found that this allegation did not support an unjust enrichment claim because Target charges the same price to customers who pay with credit cards as it charges to customers who pay with cash, and the customers who paid with cash were not harmed by the data breach. This unjust enrichment claim, the Court concluded, might be more viable if Target charged a higher price to credit card customers.
Typically, unjust enrichment is not available to plaintiffs if another cause of action covers the same claim.137 So, for example, if a plaintiff's unjust enrichment claim regarding a data breach arises primarily out of the defendant's failure to abide by the terms of a contract, then the unjust enrichment claim would not succeed.138
Besides the court-created common-law claims that companies face after data breaches, state consumer protection statutes provide plaintiffs with an additional cause of action. All fifty states and the District of Columbia have enacted consumer protection laws. Although the exact wording of the statutes – and courts' interpretations of them – varies by state, they generally prohibit unfair competition, unconscionable acts, and unfair or deceptive acts of trade or commerce. The state consumer protection laws are similar to Section 5 of the FTC Act, but unlike Section 5, most of the state consumer protection laws allow private plaintiffs to bring lawsuits.
State consumer protection law claims in data breach cases often allege that the defendant fraudulently misrepresented its data security practices. However, such claims typically will only succeed if the court concludes that the misrepresentations likely would deceive a reasonable person. For instance, in the Sony Play Station Network breach litigation, the plaintiffs brought claims under California consumer protection laws, alleging that Sony misrepresented the following aspects of its products and services:
The court ruled that the first two alleged misrepresentations were not valid grounds for a consumer protection lawsuit because a reasonable consumer would not believe that Sony promised “continued and uninterrupted access” to its online services,140 in part because its Terms of Service explicitly stated that Sony “does not warrant that the service and content will be uninterrupted, error-free or without delays.” However, the Court concluded that the third and fourth statements provided a sufficient basis for consumer protection claims, as Sony's policies had promised “reasonable security” and “industry-standard encryption.”141
Common among the obstacles to cybersecurity-related consumer protection law claims is the demonstration that the consumer suffered a financial loss. For instance, in the Sony Play Station Network litigation, the plaintiffs also brought a claim under Florida's consumer protection statute, which requires consumers to demonstrate “actual damages.” Florida state courts have defined “actual damages” as the “difference in the market value of the product or service in the condition in which it was delivered and its market value in the condition in which it should have been delivered according to the contract of the parties.”142 The Sony plaintiffs sought to recover three costs: (1) the amount that they overpaid for their game consoles, (2) the monthly premiums for the services when they were unavailable, and (3) the value of their breached personal information. The district court dismissed this claim, concluding that none of these claims constitutes actual damages under the Florida law. The plaintiffs failed to demonstrate that they overpaid for the consoles or the services because of Sony's alleged misrepresentations about its data security, the court concluded.143 Moreover, the court concluded that personal information “does not have an apparent monetary value” and therefore is not a proper basis for a claim of actual damages under the Florida law.144
However, the injury requirement is surmountable for plaintiffs, particularly during the early stages of litigation. For example, in the Target consumer class action arising from the 2013 data breach, the plaintiffs alleged violations of the consumer protection laws of forty-nine states and the District of Columbia. They claimed that Target violated these laws by failing to implement adequate data security, failing to disclose its inadequate data security, failing to notify consumers of the breach, and continuing to accept credit and debit cards after it knew, or should have known, of the breach. Twenty-six of the consumer protection laws require economic injury, and Target argued that the claims under those statutes therefore should be dismissed. However, the district court denied this motion, concluding that plaintiffs alleged that they suffered fees for new credit cards, late fees, and other charges as a result of the breach.145
State consumer protection laws are primarily designed to be enforced by state officials, such as state attorneys general, just as the FTC enforces Section 5 of the FTC Act. Accordingly, courts are hesitant to allow private lawsuits under consumer protection statutes when common-law remedies such as negligence are available. In the Hannaford grocery store data breach case, the plaintiffs brought a claim under the Maine Unfair Trade Practices Act, which provides that “[u]nfair methods of competition and unfair or deceptive acts or practices in the conduct of any trade or commerce are declared unlawful.”146 The provision of the statute creating a private right of action states that “[a]ny person who purchases or leases goods, services or property, real or personal, primarily for personal, family or household purposes and thereby suffers any loss of money or property, real or personal,” due to the defendant's actions, may sue for damages and other relief.147 The First Circuit affirmed the district court's dismissal of the claim under the Maine law, concluding that the substantial injury requirement, combined with the requirement that a plaintiff suffer a loss of money or property, requires a narrow reading of the Maine statute. Claims for breach of contract and negligence are more appropriate for a data breach in which the plaintiffs are not seeking restitution.148
Even if plaintiffs demonstrate that they have standing and that they have stated a sufficient common-law or statutory claim, they usually face an additional hurdle: class certification. Most data breach complaints are filed as putative class action cases, in which the plaintiffs seek to represent all of the people who were harmed by a data breach.
This is largely a matter of economy. Assume that a breach of a retailer's payment card systems led to damages of $250 per consumer. It would make little sense for an attorney to take on the case on behalf of a single plaintiff, since the $250 that the plaintiff might eventually win in litigation would not come close to covering the costs of the attorney's time. A class action lawsuit allows the plaintiffs' attorney to file a lawsuit on behalf of all similarly situated consumers. If the attorney sues on behalf of 100,000 customers whose data was compromised in the breach, then $25 million is at stake. Plaintiffs' attorneys who work on contingency often recover one-third of a damages award plus costs, so, suddenly, this case is quite lucrative for the attorney. Because of the large number of individuals often affected by data breaches, breach litigation has become an increasingly popular form of class action litigation.
Class actions typically begin with a small group of plaintiffs – known as “class representatives” – who file a class action complaint on behalf of the entire class of affected individuals. If the judge does not grant the defendant's motion to dismiss or motion for summary judgment, the case may proceed to trial, which could lead to a verdict that is divided among all class members (minus attorney fees and costs, of course). However, if a court denies a defendant's motion to dismiss or for summary judgment, it is common for the plaintiffs and defendants to reach a settlement, avoiding trial altogether.
However, plaintiffs are not automatically entitled to receive damages – or settle – on behalf of similarly situated individuals. They first must meet a set of requirements known as “class certification.” Since 2005, when Congress passed a law that makes it easier to bring class action litigation in federal courts,149 most class action cases have been brought in federal courts, rather than state courts. To receive class certification in federal court, plaintiffs must convince the judge that they satisfy the requirements of Federal Rule of Civil Procedure 23.150 The requirements of Rule 23 that matter here are set out in two sections: 23(a) and 23(b).
Under Rule 23(a), plaintiffs must satisfy four prerequisites before being permitted to sue on behalf of a class:
Perhaps the biggest barrier under Rule 23(a) is demonstrating commonality, due to a 2011 United States Supreme Court opinion. In Wal-Mart v. Dukes,155 a massive employment discrimination case, the Supreme Court held that three plaintiffs did not satisfy the commonality requirement to represent a class of 1.5 million female Wal-Mart employees who allegedly were denied promotion or equal pay because of their gender. The gist of the class action lawsuit was that Wal-Mart's “corporate culture” – and not an explicit corporate policy – led to discrimination against female employees. The plaintiffs did not point to a company-wide policy mandating discrimination; instead, they argued that the corporate policy of allowing local supervisors to have discretion in pay and promotions led to common discrimination throughout the company. Despite the plaintiffs' statistical evidence of companywide discrimination, the Supreme Court held that a policy that provides discretion to local supervisors is not enough to demonstrate commonality.156 The Supreme Court noted that merely raising common questions is not sufficient: class action lawsuits must be able “to generate common answers apt to drive the resolution of the litigation.”157 Although an employment discrimination case is quite different from a standard data breach case, the Wal-Mart case is important for data security because it demonstrates the high bar that all class representatives face in establishing commonality. For instance, if a company has suffered multiple data breaches, Wal-Mart makes it more difficult for class representatives whose data was compromised in Breach A to sue on behalf of plaintiffs whose data was compromised in Breaches B and C, unless the class representatives can demonstrate a common cause for all three of the breaches.
In addition to satisfying all four requirements of Section 23(a), the class representatives must demonstrate that their case falls into one of four categories provided in Rule 23(b). They are:
The final type of Rule 23(b) claim, known as “predominance,” is the most common avenue through which data breach plaintiffs seek class certification.
As with other areas of data breach litigation, courts vary in their approaches to class certification. Unlike environmental litigation and other common forms of class action lawsuits that have existed for decades, data breach litigation does not have the same depth of judicial precedent, causing widely different results. Some courts easily find that plaintiffs satisfy Rules 23(a) and 23(b) for all victims of a single data breach, while other courts are much more skeptical of certifying data breach class action lawsuits.
To understand how courts have applied the class certification standards to data breach cases, below are examples of two notable class certification opinions.
In this putative class action lawsuit, described above, the class representatives brought seven claims arising from a large data breach of a grocery store chain. The U.S. Court of Appeals for the First Circuit upheld the district court's dismissal of five claims, but allowed the plaintiffs to proceed on claims of negligence and breach of implied contract. The case returned to the district court, which then faced the task of deciding whether to certify the class.
The district court concluded that the plaintiffs satisfied all four of the Rule 23(a) requirements:
Although the court concluded that the plaintiffs satisfied all of the requirements of Rule 23(a), the court denied class certification because the plaintiffs failed to satisfy Rule 23(b). The plaintiffs argued that their lawsuit satisfied Rule 23(b)(3), which covers a lawsuit in which common questions of law and fact predominate over questions regarding individual class members and a class action is superior to other available methods. Accordingly, the court considered both (1) superiority and (2) predominance. The court had little difficulty finding that the class action is superior to individual lawsuits, since “[g]iven the size of the claims, individual class members have virtually no interest in individually controlling the prosecution of separate actions[.]”
However, the judge concluded that the plaintiffs did not satisfy the predominance requirement. Although the class members' alleged injuries arise from the same data breach, the types of injuries (lost card fees, identity theft protection, etc.) vary. The plaintiffs claimed that they could find expert witnesses to testify, based on industry statistics, about the proportion of the fees and costs that could be attributed to the Hannaford breach, and that class administrators would determine how to distribute any proceeds from the case. However, the plaintiffs had not presented the judge with an expert opinion about how the damages would be determined, and therefore the judge ruled that the plaintiffs could not prove total damages, and that the alternative “is a trial involving individual issues for each class member as to what happened to his/her data and account, what he/she did about it, and why.”
The Hannaford case demonstrates a key barrier to plaintiffs in achieving class certification for data breach cases. Even if all class members are affected by the same data breach, it is quite likely that at least some class members suffered different types of damage. Before seeking class certification, the plaintiff must be able to demonstrate to the court how it can accurately determine the damages that this wide range of class members have suffered.
Heartland, a large processor of payment card data, suffered a breach that exposed approximately 100 million customers' payment card data to hackers. A number of consumer lawsuits were filed across the nation, and they were consolidated into a case in Texas. As with many data breach cases, the parties reached a settlement. However, in order for the settlement to be binding on all of the approximately 100 million affected individuals, the court needed to determine whether to certify the class.
The judge concluded that the plaintiffs met all four requirements of Rule 23(a):
As in the Hannaford case, the plaintiffs here asserted that their lawsuit satisfied the “predominance” and “superiority” requirements of Rule 23(b)(3). The judge ruled that the plaintiffs satisfied both requirements. The class action is superior to individual litigation, the judge ruled, and common questions predominate over individual issues. The judge noted that only one member of the 100 million-member proposed class objected. Even though there are some differences in the state laws at issue in the class action, the court concluded that those differences are not so large as to affect any class members' rights. Moreover, because the parties were seeking to settle, the judge concluded that it was unnecessary to be concerned about the manageability of a trial.
It is difficult to entirely square the results of Hannaford and Heartland. In both cases, it is likely that class members suffered different levels of harm from a breach, yet the class was certified in Heartland and denied in Hannaford. One explanation for the difference in results is that Heartland involved a class certification for the purposes of settlement. Therefore, the defendant was not opposing certification. In contrast, Hannaford involved a costly dispute that had been going on for many years, and the defendant vigorously opposed class certification.
When facing these large class action lawsuits – which often carry the potential of break-the-company damages or settlements – companies often seek coverage from their insurance providers under their commercial general liability policies. Unfortunately, such coverage is far from certain, unless the company has purchased special additional cyber insurance. Even with specialized insurance, companies may not be fully covered for the many types of costs that are likely to arise after a cybersecurity incident.
Companies typically have commercial general liability insurance coverage, which covers the businesses for bodily injury, property damage, and other incidents that could cause harm to others and lead to litigation. These policies contain a number of limitations and exceptions to coverage.
Although each insurer determines the precise language of its commercial general liability policy, Insurance Services Office, Inc. offers a standard form, ISO CG, which typically is used as the starting point for insurers' policies. After data breaches, companies most often seek coverage under the policy's promise to pay certain expenses related to “personal and advertising injury,” which the form policy defines as including “[o]ral or written publication, in any manner, of material that violates a person's right of privacy[.]”
Insurers often go to court to challenge companies' attempts to obtain coverage for data breaches under commercial general liability policies. The most common argument is that a data breach – often caused by an unknown hacker – does not constitute a “publication” by the covered company. Courts are divided on this issue.
Some courts easily conclude that any data breach constitutes a “publication” of personal information and therefore is covered under commercial general liability policies. For instance, in Travelers Indemnity Company of America v. Portal Healthcare Solutions, LLC,162 customers had filed a class action lawsuit against Portal, a healthcare company, arising from a data breach that allegedly exposed their medical records on the Internet. Portal sought coverage for the litigation from Travelers, its commercial general liability carrier. The policy required Travelers to pay money arising from Portal's “electronic publication of material that … gives unreasonable publicity to a person's private life[.]” Travelers then sued Portal, seeking a court judgment that it was not required to cover Portal's expenses for the breach. Travelers's primary argument was that the exposure does not constitute “publication.” Travelers pointed to a dictionary definition of “publication” as “to place before the public (as through a mass medium).” The insurer argued that no “publication” occurred because Portal had no intent to expose the information to the public, and also because there was no allegation that a third party viewed the information. The district court ordered the insurer to cover Portal, and the Fourth Circuit affirmed. The Fourth Circuit agreed with the district court's conclusion that such distinctions are irrelevant, and that the online exposure of a patient's medical records constitutes publication of material that gives unreasonable publicity to a person's private life.163
Other courts, however, have reached opposite conclusions about similar policy language. For instance, Sony sought coverage under its commercial general liability policy for the Play Station Network breach discussed earlier in this chapter. Its policy required the insurer, Zurich American Insurance, to cover Sony's costs related to “[o]ral or written publication, in any manner, of material that violates a person's right of privacy.” A New York state trial judge indicated that he had a difficult time determining whether to require Zurich to cover Sony.164 On the one hand, the judge stated during a court hearing, in the “electronic age,” allowing exposure of data that a company had promised would be secure might constitute “publication.” On the other hand, the judge ultimately concluded that the policy only covers “publication” by Sony, and because the information was acquired by outside hackers without any affirmative acts by Sony, Zurich was not required to cover Sony for the breach.
Even if personal information is exposed due to the actions of a policyholder, some courts still may conclude that the incident was not “publication” that triggers insurance coverage under commercial general liability policies. For instance, in Creative Hospitality Ventures, Inc. v. United States Liability Insurance Co.,165 the policyholder had been sued for violating the Fair and Accurate Credit Transactions Act by printing more than the last five digits of consumers' credit card numbers on their receipts. The policyholder sought coverage under its insurer's commercial general liability policy. The U.S. Court of Appeals for the Eleventh Circuit denied coverage, reasoning that the receipts do not constitute “publication” under the policy. To define “publication,” the Eleventh Circuit looked to a dictionary, which defined the term as “communication (as of news or information) to the public: public announcement” or “the act or process of issuing copies … for general distribution to the public.”166 Although the policyholder allegedly communicated the credit card information on its receipts, it did not disclose the information to the general public, the Eleventh Circuit reasoned. Instead, the policyholder only provided the receipts to the customers. Therefore, the Court concluded, the alleged credit card disclosures do not constitute “publication” and the insurer was not required to cover the costs of litigation.167
Recognizing the uncertainty of coverage under commercial general liability policies, insurers are increasingly offering supplemental cybersecurity insurance policies to companies. These policies cover losses and expenses for a wide range of cyber-related incidents.
For instance, one of the leading cybersecurity insurance policies is CyberSecurity by Chubb, which the insurer marketed as “a flexible insurance solution designed by cyber risk experts to address the full breadth of risks associated with doing business in today's technology-dependent world.” The policy's marketing materials state that it covers a liability for a wide range of harms to third parties, such as disclosure of private information, copyright and trademark infringement, reputational injury, system security failures that harm third-party systems, and injuries arising from systems outages.168 The policy also covers a number of direct costs to the company, including data breach notification, crisis management, forensic consultants, and online vandalism.169
However, even if companies purchase broad cybersecurity-related policies, they may not be guaranteed coverage for all losses. For instance, restaurant chain P.F. Chang's had purchased the CyberSecurity by Chubb policy for approximately $134,000 a year. In 2014, it experienced a data breach that exposed approximately 60,000 customer credit card numbers. The insurer reimbursed P.F. Chang's more than $1.7 million for various costs, including a forensic investigation and defense of a lawsuit brought by customers. However, the insurer refused to pay more than $1.9 million in fees assessed by credit card companies due to the company's failure to comply with the Payment Card Industry Data Security Standard. The U.S. District Court for the District of Arizona concluded that the credit card company fees are not the type of “privacy injuries” that the cybersecurity insurance policy is intended to insure. The Court noted that the restaurant chain is “a sophisticated party,” and if it had wanted coverage for such fees, it “could have bargained for that coverage.”170 The Court also concluded that coverage was barred under an exclusion in the policy, which provides that the insurer is not responsible for any liability assumed by P.F. Chang's “under any contract or agreement.”171
The P.F. Chang's case demonstrates the need for companies to carefully scrutinize cybersecurity insurance policies and, if necessary, attempt to bargain for coverage that they would expect from a cybersecurity policy. Cybersecurity is a particularly complex area of insurance because so many new types of liabilities may arise, many of which were unanticipated at the time that the policy was purchased.
Because of the unpredictability of insurance coverage for cybersecurity, many companies choose to self-insure by setting aside money to cover expenses in the event of a cyber incident.172 Such a strategy has some significant upsides. Rather than being at the mercy of an insurance company – and perhaps paying significant attorney fees to resolve an insurance dispute – self-insurance provides a company with immediate funds to cover cybersecurity expenses. However, self-insurance is quite expensive. A company must have large cash reserves to set aside the amount required to cover breach-related costs. For instance, P.F. Chang's costs from the 2014 data breach exceeded $3 million. Although its insurer only paid $1.7 million of those costs, it obtained that coverage by paying approximately $134,000 a year.
As this chapter has demonstrated, businesses that experience data breaches face a number of legal claims from plaintiffs who often seek tens of millions of dollars.173 Many of the legal claims described above depend on the specific facts of a data breach, such as:
These are just some of the many questions that are bound to arise when plaintiffs are attempting to demonstrate that a company's negligence or other violation of a legal duty caused the plaintiffs' personal information to be exposed.
Unfortunately for companies, answers to many of these questions are readily available in the email inboxes of their executives and information technology staffers, as well as incident reports and assessments of security vulnerabilities. Indeed, companies increasingly hire cybersecurity forensics firms to prevent cybersecurity incidents from occurring. Companies engage cybersecurity professionals to perform penetration tests, which “prove (or disprove) real-world attack vectors against an organization's IT assets, data, humans, and/or physical security.”174 The results of these tests can help a company reconfigure its systems, policies, and processes to guard against security threats.175
Companies also increasingly hire consultants for the more urgent task of remediating and mitigating harm after a security incident has taken place. Cybersecurity professionals must immediately gain full access to a network to determine the extent of the intrusion, and the necessary steps to remediate any damage and prevent further unauthorized access.176 The cybersecurity experts and lawyers must work together to determine whether they are legally required to notify state regulators or consumers of the breach under the state notification laws described in Chapter. Cybersecurity professionals also collaborate with public affairs departments and consultants to publicly explain the incident in a manner that is prompt, complete, and accurate.177
Cybersecurity professionals wear multiple hats, including auditor, technologist, policy maker, strategist, and spokesperson. To perform such wide-ranging duties, cybersecurity professionals must have broad and unfettered access to information that a company or organization may store in a variety of media and formats, and they must be able to candidly communicate with their clients.
Unfortunately for companies, there is a strong possibility that cybersecurity professionals' reports and emails can be obtained by plaintiffs and used against them in litigation. In United States civil litigation, parties typically have a broad right of discovery, which allows them to obtain documents, depositions, and other relevant information from the opposing party and third parties. Courts generally have a strong presumption in favor of allowing parties to conduct discovery and present evidence to courts.178 The only way to avoid this presumption in favor of disclosure is to demonstrate that an evidentiary privilege applies. Courts and legislatures have created evidentiary privileges for communications and work products of certain professionals for whom confidentiality is an integral part of their jobs. For instance, the United States recognizes evidentiary privileges, to varying degrees, for attorneys, psychotherapists, clergy, and journalists. No court or legislature has created a stand-alone privilege for the work of cybersecurity professionals, owing partly to the fact that the profession is so new, and evidentiary privileges are slow to develop.179
Despite the lack of a stand-alone privilege for cybersecurity professionals, companies and their forensics experts still have a reasonable chance of getting at least some protection for their communications and reports. To shield this material from discovery, companies attempt to obtain three attorney-related evidentiary privileges. To do so, companies are increasingly hiring attorneys to supervise the work of cybersecurity consultants. The three privileges are (1) the attorney–client privilege, (2) the work product doctrine, and (3) the non-testifying expert privilege. As we will see, these privileges only offer limited protection, and are not always guaranteed to prevent confidential cybersecurity information from being obtained by plaintiffs.
The attorney–client privilege protects from discovery communications between attorneys and clients in the course of seeking and providing legal advice.180 The privilege is nearly absolute and only contains a few limited exceptions, such as instances in which the attorney helped the client perpetrate crime or fraud,181 or if the client disputes the attorney's competence or job performance.182
This broad privilege is intended “to encourage full and frank communication between attorneys and their clients and thereby promote broader public interests in the observance of law and administration of justice.”183 The privilege “exists to protect not only the giving of professional advice to those who can act on it but also the giving of information to the lawyer to enable him to give sound and informed advice.”184
Although the attorney–client privilege is absolute, it only covers certain types of communications.185 The specific elements of the privilege vary slightly by jurisdiction, but the following Ninth Circuit summary generally is an accurate illustration of the privilege's scope of coverage:
(1) When legal advice of any kind is sought (2) from a professional legal adviser in his or her capacity as such, (3) the communications relating to that purpose, (4) made in confidence (5) by the client, (6) are, at the client's instance, permanently protected (7) from disclosure by the client or by the legal adviser (8) unless the protection be waived.186
The privilege, therefore, protects communications from the client to the attorney – or from the attorney to the client – that are exchanged for the purpose of rendering legal advice. The privilege protects communications, and does not protect the evidence underlying the communications. For instance, suppose that a company is reviewing its server logs and discovers an apparent breach. The company's CIO immediately emails a description of the apparent breach to the company's outside counsel. Although the CIO's email to the attorney may be privileged, the server's logs would not be privileged.
Additionally, the attorney–client privilege only applies to communications that seek or provide legal advice. For instance, if a company's lawyers advise on and help implement a business transaction, only the legal advice that they provide will be privileged. Any “business advice” likely will fall outside of the scope of the privilege, though courts may disagree as to whether a specific communication is legal or business advice.187 Applying this framework, if a company emails a cybersecurity consultant with a question about network protection and merely CC's the company's lawyer, a court may find that the communication was unrelated to legal advice, and therefore not protected by the attorney–client privilege.
Moreover, if a third party receives the communication, a court may find that the attorney–client privilege does not apply in that situation.188 However, communications may still be protected if they include nonlawyers who are assisting the lawyer in the representation. For instance, the communications of an accountant or translator working for a law firm may be protected by the privilege. As Judge Friendly wrote a half-century ago, “[w]hat is vital to the privilege is that the communication be made in confidence for the purpose of obtaining legal advice from the lawyer.”189 Similarly, the attorney–client privilege covers consultants who perform work under the supervision of attorneys, if that work is conducted as part of the attorney's representation of clients.190
Accordingly, if a cybersecurity professional helps an attorney provide legal advice to a client, those communications may be covered by the attorney–client privilege. However, the attorney–client privilege is of limited use for a good deal of the work that cybersecurity professionals perform. Perhaps the largest obstacle for the purposes of cybersecurity consulting is the requirement that the communications relate to legal advice.191 For instance, an email that describes the result of a network vulnerability test likely would not qualify as legal advice. Even if a cybersecurity professional is supervised by an attorney, there is no guarantee that the professional's communications with the attorney or client would be protected under the attorney–client privilege.
The work product doctrine is more likely to cover some cybersecurity work that is performed at the direction of attorneys, but the doctrine, unlike the attorney–client privilege, is not absolute.
The doctrine was first articulated in 1947, when the Supreme Court ruled in Hickman v. Taylor192 that an attorney's notes and reports based on witness interviews could not later be discovered in litigation involving the attorney's client. Although the Court concluded that the attorney–client privilege does not protect the documents,193 it nonetheless denied discovery, reasoning that the request was “an attempt to secure the production of written statements and mental impressions contained in the files and the mind of the attorney … without any showing of necessity or any indication or claim that denial of such production would unduly prejudice the preparation of petitioner's case or cause him any hardship or injustice.”194
The Hickman work product doctrine was later codified in Federal Rule of Civil Procedure 26(b)(3).195 That rule provides that “[o]rdinarily, a party may not discover documents and tangible things that are prepared in anticipation of litigation or for trial by or for another party or its representative (including the other party's attorney, consultant, surety, indemnitor, insurer, or agent).”196 However, the rule is not absolute: it allows discovery if “the party shows that it has substantial need for the materials to prepare its case and cannot, without undue hardship, obtain their substantial equivalent by other means”197 or if a court otherwise finds good cause to order the disclosure of relevant work product.198 If the Court orders disclosure of work product, “it must protect against disclosure of the mental impressions, conclusions, opinions, or legal theories of a party's attorney or other representative concerning the litigation.”199
The work product doctrine covers more than just communications that are necessary for legal advice. The doctrine protects work product that is prepared in anticipation of litigation or trial. Moreover, Federal Rule of Civil Procedure 26 explicitly states that consultants' work product may be protected, provided that it is prepared in anticipation of litigation. Indeed, courts have held that the work product doctrine applies to materials prepared by environmental consultants,200 medical device safety consultants,201 and insurance claims investigators.202 Similarly, a cybersecurity professional's report might be protected by the work product doctrine.203
However, the exceptions to the work product doctrine limit the extent of the protection that it provides to cybersecurity work. Perhaps most important is the requirement that the work product be prepared in anticipation of litigation or trial. The Second Circuit, reflecting a common approach to the doctrine, interpreted work product to have been created “in anticipation of litigation” if “in light of the nature of the document and the factual situation in the particular case, the document can fairly be said to have been prepared or obtained because of the prospect of litigation.”204 Although this approach is relatively broad and could encompass large swaths of documents, the party asserting the work product doctrine would need to demonstrate that the materials were created because of potential litigation. A consultant's report about the causes of a data breach likely would have a greater chance of being covered by the work product doctrine than the consultant's annual, routine assessment of a company's cybersecurity controls. The company would have a stronger argument that the consultant prepared the data breach report in response to a real threat of actual litigation. The annual, routine assessment, in contrast, is less likely to be likened to a real prospect of litigation. This creates a perverse result: companies likely receive less protection for taking proactive measures to protect their networks from attacks than they do for taking remedial measures after breaches have occurred.
Moreover, even if work product was prepared in anticipation of litigation, a court still could require its disclosure if the court concludes that the party requesting the materials has demonstrated a substantial need or other good cause for the discovery.205 Routine work product is less likely to receive protection under the work product doctrine unless it is “core” or “opinion” work product related to an attorney's conclusions or impressions about particular litigation.206 In the cybersecurity context, this means that a forensics expert's initial evaluation of a data breach most likely could be discovered in subsequent litigation if the opposing party demonstrates substantial need or good cause. In contrast, that consultant's analysis of claims in a pending complaint arising from the data breach is more likely to be protected under the work product doctrine. Again, this dichotomy results in cybersecurity professionals' work receiving less protection if it is not related to ongoing litigation.
Although the work product doctrine has a broader scope than the attorney–client privilege, the work product doctrine is not absolute. Because litigants could successfully argue that a good deal of the work performed by cybersecurity consultants falls within one of the doctrine's exceptions, companies cannot rely on the work product doctrine to prevent the compelled disclosure of cybersecurity material.
A third, narrower privilege prevents the compelled disclosure of certain non-testifying experts. Federal Rule of Civil Procedure 26(b)(4)(D) states that “a party may not, by interrogatories or depositions, discover facts known or opinions held by an expert retained or specially employed by another party in anticipation of litigation or to prepare for trial and who is not expected to be called as a witness at trial,” unless the party can demonstrate “exceptional circumstances under which it is impracticable for the party to obtain facts or opinions on the same subject by other means.”207 The non-testifying expert privilege is “designed to promote fairness by precluding unreasonable access to an opposing party's diligent trial preparation.”208
The non-testifying expert privilege is quite strong, and courts have interpreted the “exceptional circumstances” exemption to be quite limited.209 However, it has limited value for cybersecurity investigations. As the Ninth Circuit recently noted, the rule “shields only against disclosure through interrogatories and depositions[.]”210 Accordingly, the rule would not prevent the disclosure of a report prepared by a cybersecurity expert; it would only prevent that expert from being subjected to interrogatories and depositions. Moreover, like the work product doctrine, the non-testifying expert privilege only applies to anticipated litigation or trial preparation.211 A routine cybersecurity investigation, therefore, likely would not be covered under this privilege. This privilege would, however, apply to an incident assessment that a cybersecurity professional prepares to assess the merits of pending litigation.
| | Attorney–client privilege | Work product doctrine | Non-testifying expert privilege |
| --- | --- | --- | --- |
| Type of material protected | Communications between attorneys and clients while providing legal advice | Documents and tangible things that are prepared in anticipation of litigation | Facts known or opinions held by a retained expert |
| Individuals to whom it applies | Attorneys and individuals who assist them (such as paralegals or consultants) | Attorney, consultant, surety, indemnitor, insurer, or agent | Expert retained in anticipation of litigation and who is not expected to be called as a witness |
| Scope | Absolute, with a few narrow exceptions | Qualified – may be overcome in exceptional circumstances | Qualified – may be overcome in exceptional circumstances |
Few published opinions have directly addressed the application of the attorney–client privilege, work product doctrine, and non-testifying expert privilege to the work of cybersecurity professionals. This is not surprising; discovery disputes often are settled orally in discussions between the parties and magistrate judges; therefore, there is not a written opinion documenting many of these disputes. The most extensive written discussion of the application of these privileges to cybersecurity was in Genesco v. Visa.212
In that case, hackers had accessed customer payment card information that was stored on the network of Genesco, a retail chain.213 Genesco's general counsel, Roger Sisson, retained Stroz Friedberg, a cybersecurity consulting firm.214 Genesco's retention agreement with Stroz stated that the retention was “in anticipation of potential litigation and/or legal or regulatory proceedings.”215
After conducting its own investigation, Visa assessed more than $13 million in fines and reimbursement assessments against two banks that processed Genesco's credit card purchases, claiming that Genesco's inadequate data security violated payment card data security standards and Visa's operating regulations.216 Genesco, which had an indemnification agreement with the banks, sued Visa, asserting that the assessments lacked factual basis and violated various state laws.217 In discovery, Visa subpoenaed Stroz for deposition testimony and its work product related to the investigation, and also requested to depose Sisson and that Sisson provide documents related to his investigation of the incident.218
The court largely denied Visa's discovery requests. The court first held that the requests for Stroz's deposition and work product were prohibited by the non-testifying expert privilege.219 Visa argued that Stroz was a fact witness, but the court rejected this argument, concluding that “the Stroz representative would necessarily be applying his or her specialized knowledge,” and that Visa had not established the “extraordinary circumstances” needed to overcome the non-testifying expert privilege.220
The Court also held that the attorney–client privilege and the work product doctrine prevent the compelled disclosure of both the requests to Sisson and to Stroz.221 The court held that “[a]ttorney's factual investigations ‘fall comfortably within the protection of the attorney–client privilege,’”222 and that the privilege “extends to the Stroz firm that assisted counsel in his investigation.”223 The court also recognized that the work product doctrine “attaches to an agent's work under counsel's direction.”224 The court held that the work product doctrine applies because “Genesco's affidavits satisfy that the Stroz firm was retained in contemplation of litigation, as reflected in the express language of the retainer agreement.”225
In 2015, Visa subpoenaed IBM for work product regarding remedial security measures that IBM performed for Genesco after the breach.226 In a brief order, the court rejected this request, concluding that because Genesco “retained IBM to provide consulting and technical services so as to assist counsel in rendering legal advice[,]” IBM's materials are protected by the attorney–client privilege and work product doctrine.227
Commentators hailed the Genesco rulings as a demonstration that cybersecurity work could be privileged, provided that it is conducted under the supervision of an attorney. Lawyers at one large law firm described the opinion as “a roadmap for confidentiality protections” that “underscores legal counsel's critical role in today's digital economy where the question is not ‘if’ but ‘when,’ an organization will be breached.”228 Lawyers at another firm advised that the decision “demonstrates how important it is for you to designate experienced privacy counsel to lead cybersecurity initiatives, including determining proactive privacy and security measures, directing forensic investigations, and spearheading data breach response efforts.”229 A news article declared that, in light of the opinion, the “smart and most conservative proactive approach” to cybersecurity risk management is “to have the appropriate law firm take the lead, hire the required consultants, and have all reports, analysis, memos, plans and communications protected under the attorney–client and work product privileges.”230
The commentators were correct, to an extent. The Genesco rulings extend the same protections to communications and work product of cybersecurity consultants as previous court opinions have extended to the work and communications of environmental consultants, product safety experts, and others retained and supervised by counsel for the purposes of providing legal advice or preparing for litigation. The 2015 order regarding IBM, in particular, is encouraging because IBM provided technical consulting to help remediate security flaws on Genesco's network. Although the court viewed these services as part of Genesco's legal strategy, remedial measures for a computer network could have longer lasting effects that help Genesco in the future, entirely unrelated to the Visa litigation.
That said, the Genesco case also illustrates the evidentiary privileges' limits for cybersecurity work. The gravamen of Genesco's argument throughout the discovery dispute was that Stroz and IBM were merely helping Genesco challenge the Visa fees or prepare for its defense in other claims related to the breach.231 Genesco framed its arguments as such for good reason: had it not framed the IBM and Stroz work as part of a legal defense strategy, the communications and work product likely would have been discoverable, as reflected in the court's focus on the three attorney-related privileges.