Clarity sought on data breach litigation

10 May 2019

The US Supreme Court recently rejected an appeal by a US-based online retailer in a proposed data breach class action lawsuit. The decision is seen as a setback for companies looking to limit their liability for data breaches.

The case centres on a 2012 data breach, in which customers’ names, email addresses, phone numbers, and credit card information were compromised. At the time, the retailer took immediate action to mitigate the impact of the breach, notifying customers and asking them to change their passwords.

In the six years since the breach, only a very small number of the millions of affected customers have reported that their data has been misused. Despite few customers suffering concrete injury, the retailer faces a class action lawsuit.

Difficulty in proving injury should be a major hurdle to bringing legal action in the US. However, cases such as this continue to push the boundaries, as the plaintiff bar seeks ways to bring class actions for data breaches involving personal data.

Question of Harm

The case hinged on whether customers affected by a data breach can sue a company even if their data has not been misused and they have not suffered any real damage, such as identity theft or fraud.

Consumers affected by a data breach are required to demonstrate actual or impending harm in order to have standing to sue. In the case in question, however, the retailer’s customers argued that their personal information could be misused at any time, and that this risk alone was sufficient.

A district court in Nevada previously found that customers who had suffered a financial loss had legal standing to sue, but that the rest did not. A California-based federal appeals court reversed the district court’s decision, however, holding that customers could sue if they were able to show a substantial and impending risk of harm.

US courts are divergent in their view of standing in data breach cases. Several US courts have adopted a plaintiff-friendly view, giving consumers legal standing on the basis of potential for future harm. Others, by contrast, have concluded that fear of future harm is too speculative to meet standing requirements.

It was hoped that this recent case might go before the Supreme Court, potentially resulting in a landmark decision on standing in data breach class actions and providing some much needed guidance. However, the Supreme Court denied the petition at the end of March 2019.

Data breach class actions are also an emerging trend in Europe, where the EU’s General Data Protection Regulation (GDPR) has made it easier for consumers to seek compensation. In addition to increased privacy rights for consumers, the GDPR includes provisions for collective actions and allows affected individuals to seek compensation for non-financial damage, such as emotional distress.

A number of data breaches in the past year have sparked proposed class actions in the UK, against airlines, retailers and technology companies.

Even before the GDPR, a large UK supermarket retailer was sued following a data breach involving its employees’ personal data. In October 2018, the Court of Appeal dismissed the retailer’s attempt to overturn a previous ruling, which held the company vicariously liable for the actions of a former employee, who stole employee data and published it online.

The case, the UK’s first data breach class action, also involved employees seeking compensation for a data breach even though they had not suffered financial loss. In April, the retailer was granted permission to appeal to the UK’s Supreme Court.

Open door

In many cases, individuals whose personal data is compromised in a data breach do not suffer significant financial loss, which has proved a hurdle to consumer data breach class actions in the US. Companies that suffer a data breach typically mitigate the impact through prompt notification and the provision of free services, such as credit monitoring or identity theft protection. However, plaintiff attorneys continue to pursue data breach actions in the US.

The US Chamber of Commerce noted that data breach litigation in which personal information is accessed but almost no identity theft or fraud occurs is increasingly common. It said a number of other companies face similar suits over alleged vulnerabilities in internet-connected cars, home security systems, children’s toys and medical devices.

The Supreme Court’s denial and the recent appeals court ruling leave the door open for expensive litigation against companies that experience a cyber security breach and lose personal data. Even where a business takes reasonable steps to prevent a data breach, and mitigates the impact when one does happen, it remains exposed to costly litigation.

The California Consumer Privacy Act (CCPA), which comes into force on January 1, 2020, could also have implications for data breach litigation. According to law firm Hogan Lovells, the CCPA provides a limited private right of action for data breach suits. In certain circumstances, consumers may seek actual damages or statutory damages of between US$100 and US$750 per consumer per incident, whichever is greater.

The law firm said the plaintiffs’ bar is likely to argue that the CCPA’s statutory damages provision dispenses with their obligation to show actual injury and particularised harm. 

In February, a bill was introduced to the California State Senate that would amend the CCPA to expand the private right of action. If the bill is passed as drafted, consumers would be able to file suit for any alleged violation of their CCPA rights, without any demonstration of harm, Hogan Lovells said.

  • Sarah Stephens

    As part of Marsh JLT Specialty's London-based Financial Lines Group, Sarah and her team work both directly with our clients and with network colleagues and independent partners to make sense of cyber, technology, and media E&O (PI) risks and create leading edge bespoke insurance solutions in the London market.

    Prior to that, Sarah spent 12 years with Aon in a variety of roles. Her last role at Aon was Head of Cyber & Commercial E&O for the Europe, Middle East, and Africa (EMEA) Region, working with colleagues across business groups and clients in the region to identify, analyse, and drive awareness of cyber risks, exposures, and both insurance and non-insurance solutions.

    Previously, Sarah spent seven years with Aon’s US Cyber and Errors & Omissions practice group thinking nonstop about cyber insurance way before it was cool. Her first four years at Aon were spent in the Account Management group working with large clients and developing a keen eye for excellent client service.

    For further information or to learn more about cyber insurance, contact Sarah Stephens, Head of Cyber, on +44 (0)20 3394 0486.
