Trial Magazine
Theme Article
In The Breach
Large-scale data breaches are consistently in the news, and the resulting litigation is evolving. As more clients seek help, you should know what elements to consider before moving forward.
September 2017

A potential client calls and says that she was the victim of a data breach. What should she do? Can she sue? Will you represent her? It’s hard to predict a data breach case’s likely outcome. At the outset, you often are limited to publicly available information. You should consider early on a few issues common to these cases.1
Type of Data
What type of data was involved in the breach? This can affect everything from standing to the standard of care to damages. The data could be information that identifies a person, such as a name, address, Social Security number, or other unique identifier. It could be financial data, such as a debit or credit card number, expiration date, or security code. And it could be health data, such as a person’s diagnoses, treatments, or other medical history.
This is not an exhaustive list, but settlements reached so far indicate that damages usually are highest when health data is implicated because of the highly personal information involved and lowest when only credit card data was stolen. Consumers can cancel stolen cards and get new ones, but it’s not as easy to get a new Social Security number. Stolen identifying information can haunt a consumer, requiring ongoing vigilance to watch for identity theft. The more persistent the harm caused by compromised identifying information, the greater the damages.
For example, compare the results in the Heartland Payment Systems and T.J. Maxx data breach cases. Heartland involved only card data, while T.J. Maxx involved card data and identifying information. A notorious hacker known by the moniker “Cumbajohnny” carried out both attacks—Heartland impacted approximately 130 million debit and credit cards, and T.J. Maxx affected at least 45 million.2 Despite involving almost three times the amount of card data, the Heartland breach resulted in a settlement that the court valued at $500,000, while the T.J. Maxx case ended in a settlement that was valued at $6.1 million.3
What accounts for this difference? While rooting around T.J. Maxx’s network, Cumbajohnny and his crew accessed a file containing the identification card numbers of nearly 455,000 people, including Social Security and driver’s license numbers.4 The T.J. Maxx settlement drew 86 percent of its value from this much smaller pool of information, and only part of the remaining 14 percent of the settlement’s value can be attributed to the 45 million breached card records.
Another example is the Anthem, Inc. data breach. The Wall Street Journal recently reported that “Anthem has agreed to pay $115 million to settle a class action filed in the wake of a 2015 data breach that exposed information—including names, dates of birth, Social Security numbers, and health care identification numbers—belonging to more than 78 million people.”5
Despite identifying information’s substantial value, health data typically contributes the most value to data breach settlements. This difference may reflect the fact that some of the most sensitive details of a person’s life can be found in medical records. It may also reflect legislative attention that is given to particularly sensitive data.
For example, in 2012, St. Joseph Health System notified patients that it had inadvertently posted more than 31,000 patient records, including diagnoses, prescriptions, and medical histories on the internet. The resulting litigation led to a settlement that included nearly $7.5 million in direct cash payments.6
Because of these variations, properly evaluating a data breach case requires determining the categories of compromised data.
Identity Theft
Cases involving substantial allegations of identity theft will generally fare better than those without.7 Identity theft allegations may be important to establish standing, especially in jurisdictions that are resistant to finding Article III standing unless plaintiffs have alleged that the breach caused them to suffer identity theft.8 Some jurisdictions do not require consumers to “wait until hackers commit identity theft . . . to give the class standing.”9 Others ask whether it is “known whether the hacker read, copied, or understood” the information, or if there is any indication that the “intrusion was intentional or malicious.”10
Keep in mind that the jurisdiction where you initially file your case may not be the one that will decide standing. Many large data breaches result in cases being filed all over the country, which may lead to consolidation in a single federal district court for multidistrict litigation. You may end up in a district that is far from where you initially filed, so you must be prepared to litigate the case under the standing rules of any federal court, including ones that have held that identity theft must be alleged for plaintiffs to have standing.11
Prospective and Injunctive Relief
Valuing data breach cases requires looking beyond monetary relief for actual losses. Prospective relief, such as credit monitoring and mandatory security improvements, may also be needed to foil future identity theft or ensure that the same company isn’t breached again. Could the breach victims benefit from robust injunctive relief that requires the company to implement better security software, hardware, or practices? Injunctive relief can be beneficial to plaintiffs if the company refuses to fix the holes in its security.
Before initiating a case, you should research what the company has already done in the aftermath of a breach. Has it offered credit monitoring to the victims? If yes, for how long? Does it last long enough to truly protect people against the threat of identity theft? The answer may depend on the type of data. Stolen Social Security numbers place a victim at long-term risk of identity theft, but stolen card data poses a much smaller risk once the card is canceled.
Companies often offer one year of free credit monitoring, which may seem inadequate to consumers facing a long-term increase in identity theft risk. The quality of the credit monitoring service can also matter greatly. To cut costs, some companies offer a service that covers only one of the three credit bureaus (Equifax, Experian, and TransUnion), leaving consumers unprotected against fraudulent accounts or inquiries that show up only on another bureau’s credit report.
Similarly, you should ask whether the company shored up its security after the breach. This information is often difficult to find without the benefit of discovery. Press reports typically focus on the size of the breach, not on which security controls the company implemented in the aftermath. Technology and cybersecurity blogs, such as the one run by security journalist Brian Krebs, may be a better resource.12 Such sources may provide additional technical details, including how the hackers got into the company’s network and what the company subsequently did to bolster its security.
When there is substantial room for the company to improve its security or credit monitoring offer, the potential settlement value may be higher.13 In fact, the value of credit monitoring and injunctive relief may dwarf the monetary recovery. After the Target data breach, the consumer litigation settled for more in injunctive relief than in monetary relief. The settlement required Target to hire and retain a chief information security officer, perform regular risk assessments, monitor its systems for security events, and provide security training to its employees for five years.
As a result, class members could rest easier knowing that their information on Target’s network was better protected. In addition to the Target settlement, cybersecurity improvements and credit monitoring have increased settlement values in other high-profile data breach cases, including the St. Joseph Hospital and T.J. Maxx settlements.
And the settlement stemming from the Adobe data breach derived 100 percent of its value from its robust (though largely confidential) injunctive mandates, including an independent security auditor’s verification that Adobe had implemented the mandatory security improvements.14
Entity At Fault
Often, the breached company insists that it had state-of-the-art security and that a breach happened anyway. Yet discovery often reveals glaring security gaps that the hackers used to get in or to get out with the data.
While the company that held the data is the obvious defendant, it is important to consider early on whether other parties may be the main cause of the breach, such as a third-party vendor. Vendor-caused breaches raise additional considerations. Establish early on the relationship between the vendor and the company it services and whether the vendor, if primarily responsible, can satisfy all or part of a possible judgment.
For example, in the Stanford Hospital data breach, one of Stanford’s vendors posted 20,000 patient records on the internet.15 Tasked with making a graph using patient data, one of the vendor’s employees posted a spreadsheet containing real patient information on a help website, asking how to graph it.16 Stanford took the position that the vendor was at fault, and in the settlement, it paid only the administration costs. Vendors may have fewer resources than the companies they service, which affects the settlement amount.
The Stanford breach was a public disclosure case that allegedly happened because sensitive data was made publicly accessible online. In contrast, hacking cases are rarely so simple that a vendor can be held solely at fault. While hackers may gain entry to a company’s network through a vendor’s systems, many security controls are designed to foil hackers after this initial breach.
In fact, some cybersecurity experts consider the initial breach one of the least preventable stages of a cyberattack.17 Modern cybersecurity efforts typically focus more on detecting and expelling hackers as quickly as possible and limiting what hackers can do on the network if they get inside, rather than preventing the initial breach.18
For example, in the Target data breach, hackers gained entry to Target’s systems by compromising the account credentials of a vendor that Target used to maintain its heating, ventilation, and air conditioning (HVAC) systems. But the plaintiffs pursued Target, not its vendor. The plaintiffs’ complaint alleged, for example, that Target should have segmented its network so that hackers who gained access to Target’s HVAC system would stay trapped inside that system and be prevented from jumping from the HVAC system to Target’s credit and debit card processing system.19
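The segmentation argument above is, at bottom, a reachability question: given the firewall policy between network zones, is there any chain of permitted flows from a low-trust zone (a vendor portal or HVAC network) to the card processing environment? The following is an added illustration, not code from the article or from any party to the Target litigation. It models a zone-to-zone policy as a directed graph and searches for multi-hop paths, because a policy that blocks the direct hop but allows a pivot through an intermediate zone is not segmented in any meaningful sense. The zone names and both policies are constructed for the example.

```python
"""Audit a zone-to-zone firewall policy for lateral-movement paths.

Added example; zone names and rules are constructed for illustration and do
not describe any real company's network. A policy is a list of allowed flows
(source_zone, destination_zone, service). Segmentation is checked
transitively: a flat network lets an intruder pivot hop by hop, while a
segmented one leaves the low-trust zone with no outbound route to the
cardholder data environment.
"""
from collections import deque

# Constructed "flat" policy: the HVAC network can reach the corporate LAN,
# and the corporate LAN can reach the card-processing network, so a vendor
# foothold chains all the way to the payment systems.
FLAT_POLICY = [
    ("vendor_portal", "hvac", "any"),
    ("hvac", "corp_lan", "any"),
    ("corp_lan", "pos_network", "any"),
]

# Constructed "segmented" policy: management traffic flows *into* the HVAC
# zone from the corporate LAN over one service, but nothing is permitted
# out of HVAC, and the vendor portal reaches only HVAC.
SEGMENTED_POLICY = [
    ("vendor_portal", "hvac", "tcp/443"),
    ("corp_lan", "hvac", "tcp/443"),
    ("corp_lan", "pos_network", "tcp/443"),
]


def build_graph(policy):
    """Map each source zone to the (destination, service) flows it may open."""
    graph = {}
    for src, dst, service in policy:
        graph.setdefault(src, []).append((dst, service))
    return graph


def find_path(policy, source, target):
    """Breadth-first search for a chain of allowed flows from source to target.

    Returns a list of (zone, service_used_to_reach_it) hops, with None as the
    service for the starting zone, or None if the target is unreachable.
    """
    graph = build_graph(policy)
    queue = deque([[(source, None)]])
    seen = {source}
    while queue:
        path = queue.popleft()
        zone = path[-1][0]
        if zone == target:
            return path
        for nxt, service in graph.get(zone, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [(nxt, service)])
    return None


def audit(policy, low_trust_zones, high_value_zones):
    """Report every low-trust zone that can reach a high-value zone.

    Each violation is (low_trust_zone, high_value_zone, [zones along the path]).
    An empty list means the policy isolates the high-value zones from every
    low-trust entry point, including via intermediate hops.
    """
    violations = []
    for src in low_trust_zones:
        for dst in high_value_zones:
            path = find_path(policy, src, dst)
            if path is not None:
                violations.append((src, dst, [zone for zone, _ in path]))
    return violations


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        result = audit(policy, ["vendor_portal"], ["pos_network"])
        print(f"{name}: {result or 'no path from vendor portal to POS'}")
```

The useful output is the path itself, not just the yes/no: it names the intermediate zone whose outbound rules need tightening. Real policies are far larger, but the same transitive check is what a segmentation review should produce, and it is the kind of evidence that distinguishes "the vendor was compromised" from "the vendor's compromise was allowed to propagate".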
If you believe a vendor is involved in a data breach, it doesn’t necessarily mean the case is problematic. Before filing, you should research the publicly known causes of the breach to determine whether a vendor was involved, and if so, the vendor’s relative level of culpability.
As data breach law develops, and more cases proceed further along the litigation path or settle, it will be essential to understand the basics before taking on these claims.
Aaron Blumenthal and Andre M. Mura are attorneys with Gibbs Law Group in Oakland, Calif. They can be reached at ab@classlawgroup.com and amm@classlawgroup.com.
Notes
1. The views expressed in this article are attributable only to the authors, not their firm, clients, or any other person.
2. In re Heartland Payment Sys., Inc. Customer Data Sec. Breach Litig., 851 F. Supp. 2d 1040 (S.D. Tex. 2012); In re TJX Cos. Retail Sec. Breach Litig., 524 F. Supp. 2d 83 (D. Mass. 2007).
3. The courts assigned these values to the settlements.
4. In re TJX Cos. Retail Sec. Breach Litig., 2008 WL 2773227 (D. Mass. Jan. 9, 2008).
5. Jeff Stone, What Anthem’s Settlement Reveals About Future Data Breach Suits, Wall St. J. (July 3, 2017), https://tinyurl.com/yczl8qqg; In re Anthem, Inc. Data Breach Litig., 162 F. Supp. 3d 953 (N.D. Cal. 2016). The authors’ firm represents the plaintiffs.
6. Heather Landi, St. Joseph Health Settles Class Action Data Breach Lawsuit, Healthcare Informatics (Mar. 16, 2016), www.healthcare-informatics.com/news-item/st-joseph-health-settles-class-action-data-breach-lawsuit.
7. Identity theft is typically alleged to show injury, whether to support Article III standing or to establish a required element of one of the claims, such as negligence.
8. See, e.g., Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017) (noting that the First and Third Circuits have found that increased risk of identity theft may be too speculative for standing, while the Sixth, Seventh, and Ninth Circuits have held it may be sufficient).
9. Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693 (7th Cir. 2015).
10. Reilly v. Ceridian Corp., 664 F.3d 38, 40, 44 (3d Cir. 2011).
11. Beck, 848 F.3d at 270.
12. See Brian Krebs, Krebs on Security, www.krebsonsecurity.com.
13. See Thomas R. Peltier, Information Security Risk Analysis (Auerbach Publ’ns 2010); FireEye, Cost and Value of Cyber Security, www.goo.gl/DwPYJz; George Finney, Ponemon Study Shows 50x Yearly ROI on Cybersecurity Training, SecureWorld (Aug. 27, 2015), www.goo.gl/t66XHY.
14. Settlement Agreement, In re Adobe Systems Inc. Privacy Litig., No. 5:13-CV-05226-LHK, Dkt. 87-2 at 4–5 (N.D. Cal. June 9, 2015). The authors’ firm represented the plaintiffs.
15. See Compl., Springer v. Stanford Hosps. and Clinics, BC470522, Dkt. 1 at 4 (Cal. Super. Ct. Los Angeles Cnty. Sept. 28, 2011), www.goo.gl/C0KDIT.
16. Michael Lipkin, Stanford, Contractors To Pay $4M To Settle Data Breach Action, Law360 (Mar. 19, 2014), www.law360.com/articles/520220/corrected-stanford-contractors-to-pay-4m-to-settle-data-breach-action.
17. See, e.g., Steve Banker, If Preventing a Cybersecurity Attack is Impossible . . . , Forbes (Mar. 3, 2015), www.forbes.com/sites/stevebanker/2015/03/03/if-preventing-cybersecurity-attacks-is-impossible.
18. Nicholas D. Evans, The Importance of Zero-Trust and an Adaptive Perimeter in Cyber Fortifications, Computerworld (May 19, 2014), www.computerworld.com/article/2476276/security0/the-importance-of-zero-trust-and-an-adaptive-perimeter-in-cyber-fortifications.html (“[O]rganizations must assume that cyber-criminals will penetrate their perimeter and prepare to protect their critical assets.”).
19. First Am. Consol. Class Action Compl., In re Target Corp. Customer Data Sec. Breach Litig., 2014 WL 7531638, para. 148 (D. Minn. Dec. 1, 2014).