The US Supreme Court recently rejected an appeal by a US-based online retailer in a proposed data breach class action lawsuit. The denial is seen as a setback for companies looking to limit their liability for data breaches.
The case centres on a 2012 data breach, in which customers’ names, email addresses, phone numbers, and credit card information were compromised. At the time, the retailer took immediate action to mitigate the impact of the breach, notifying customers and asking them to change their passwords.
In the six years since the breach, only a very small number of the millions of affected customers have reported that their data had been misused. Despite few customers suffering concrete injury, the retailer faces a class action lawsuit.
Difficulty in proving injury should be a major hurdle in bringing legal actions in the US. However, cases such as this continue to push boundaries, as the plaintiff bar seeks ways to bring class actions for data breaches involving personal data.
Question of Harm
The case hinged on whether customers affected by a data breach can sue a company even if their data has not been misused and they have not suffered any concrete damage, such as identity theft or fraud.
Consumers affected by a data breach are required to demonstrate actual or impending harm in order to sue. However, in the case in question, the customers of the online retailer argued their personal information could theoretically be misused at any time.
A district court in Nevada previously found that customers who had suffered a financial loss had legal standing to sue, but that the rest did not. However, a California-based federal appeals court reversed the district court’s decision, holding that customers could sue if they are able to show a substantial risk of impending harm.
US courts are divergent in their view of standing in data breach cases. Several US courts have adopted a plaintiff-friendly view, giving consumers legal standing on the basis of potential for future harm. Others, by contrast, have concluded that fear of future harm is too speculative to meet standing requirements.
It was hoped that this case might go before the Supreme Court, potentially resulting in a landmark decision on standing in data breach class actions and providing some much-needed guidance. However, the Supreme Court denied the petition at the end of March 2019.
Data breach class actions are also an emerging trend in Europe, where the EU’s General Data Protection Regulation (GDPR) has made it easier for consumers to seek compensation. In addition to increased privacy rights for consumers, the GDPR includes provisions for collective actions and allows affected individuals to seek compensation for non-financial damage, such as emotional distress.
A number of data breaches in the past year have sparked proposed class actions in the UK, against airlines, retailers and technology companies.
Even before the GDPR, a large UK supermarket retailer was sued following a data breach involving its employees’ personal data. In October 2018, the Court of Appeal dismissed the retailer’s attempt to overturn a previous ruling, which held the company vicariously liable for the actions of a former employee, who stole employee data and published it online.
The case, the UK’s first data breach class action, also involved employees seeking compensation for a data breach even though they had not suffered financial loss. In April, the retailer was granted permission to appeal to the UK’s Supreme Court.
In many cases, individuals whose personal data is compromised in a data breach do not suffer significant financial loss, which has proved a hurdle to consumer-based data breach class actions in the US. Companies that suffer a data breach typically mitigate the impact through prompt notification and the provision of free services, such as credit monitoring or identity theft protection. However, plaintiff attorneys continue to pursue data breach actions in the US.
The US Chamber of Commerce noted that data breach litigation, where personal information is accessed, but almost no identity theft or fraud has occurred, is increasingly common. It said a number of other companies face similar suits over alleged vulnerabilities in internet-connected cars, home security systems, children’s toys and medical devices.
The Supreme Court’s denial and the recent appeals court ruling leave the door open for expensive litigation against companies that experience a cyber security breach and lose personal data. Even where a business takes reasonable steps to prevent a data breach and mitigates the impact when one does happen, it remains exposed to costly litigation.
The California Consumer Privacy Act (CCPA), which comes into force on January 1, 2020, could also have implications for data breach litigation. According to law firm Hogan Lovells, the CCPA provides a limited private right of action for data breach suits. In certain circumstances, consumers may seek actual damages or statutory damages of between US$100 and US$750 per incident, whichever is greater.
The law firm said the plaintiffs’ bar is likely to argue that the CCPA’s statutory damages provision dispenses with their obligation to show actual injury and particularised harm.
In February, a bill was introduced in the California State Senate that would amend the CCPA to expand the private right of action. If the bill is passed as drafted, consumers would be able to file suit for any alleged violation of their CCPA rights without any demonstration of harm, Hogan Lovells said.