Plaintiffs’ lawyers were falling over themselves last week in a race to the courthouse to sue Target as a result of its recent data breach. By at least one report, over 40 lawsuits have already been filed against Target, the first of which was filed the day after the breach became public.
They were filed before knowing what caused the breach, before knowing when Target learned of the breach, and before knowing what Target did to prevent the breach from occurring in the first place. The developing data-breach legal landscape has shown us that liability from a data breach arises not from the breach itself—almost every company suffers a breach—but from what the company did before or after the breach to prevent it and notify affected individuals.
Generally speaking, the lawsuits are not only premature, but weak for at least two reasons: their legal theories are not sufficiently specific, and almost none of them allege cognizable harm.
The lawsuits contain numerous causes of action (negligence, statutory violations, breach of implied and express contracts, invasion of privacy, bailment, etc.), but the causes of action are based primarily on two legal theories: (1) Target failed to act reasonably in adopting safeguards that would have prevented the breach from happening; and/or, (2) Target didn’t notify affected consumers quickly enough.
Failure to Adopt Reasonable Safeguards
There are no similarly specific allegations in the lawsuits against Target, probably because the plaintiffs don’t know enough about the facts to plead anything with the requisite specificity. They don’t know yet what Target did wrong, or even if it did anything wrong.
Failure to Timely Notify Affected Consumers
The plaintiffs also claim that Target failed to timely notify affected consumers of the breach, but there are currently no facts that support this theory. According to all accounts, the breach occurred between Nov. 27, 2013, and Dec. 15, 2013, and Target notified potentially affected customers a few days thereafter by e-mail and by creating a special web page with regularly updated information about the breach and Target’s response.
As anyone with breach-response experience will tell you, there are a number of time-consuming steps in the breach-response process before notification can take place. First, you need to identify and understand the nature of the compromise, and you have to be reasonably sure that the compromise has been contained and remediated so it is no longer a threat. This step alone can take days or weeks to complete depending on the level of sophistication of the attack. Further complicating this step is the coordination with law enforcement, who may be concerned that acting too quickly will inhibit their ability to identify the perpetrators. After the integrity of your system has been restored, you need to identify what information was affected by the breach. If you learn that personal information was potentially compromised as a result of the breach, you need to know whose information was affected so you can quickly inform them and regulatory authorities in compliance with applicable legal requirements. Undertaking this entire process can often take weeks. Target appears to have done it within a few days.
There is another factor that must be considered in determining whether Target complied with any legal obligation to notify consumers—the various data-breach notification laws. Forty-six states have their own data-breach notification laws and they are triggered by the location of the individual whose information is compromised, not by the location of the company that suffered the breach. Most require notification within a “reasonable” period of time, and for some that means the breached entity may have as long as 30 to 45 days to undertake notification. These laws usually do not start the clock running on notification until the company reasonably believes that it has identified the full scope of the breach and has contained it. This makes sense because you wouldn’t want to tip off the hackers that you are on to them by issuing a public notification when your systems are still compromised. Additionally, it is very difficult to undertake notification until you know who you need to notify (i.e., whose information was compromised, where do they live, how to contact them, etc.), which can take some time to determine. Finally, almost all of these laws allow for a delay in notification where law enforcement believes that such notification would impede their ability to identify and investigate the hackers. We do not know whether such a law enforcement hold was in place in this case.
It is possible that facts could emerge at a later date showing that Target knew of the compromise much earlier but chose not to notify affected consumers, but for the time being, the fact that Target notified affected consumers within a few days of the compromise becoming known easily disposes of the allegation that Target delayed notifying consumers.
The plaintiffs will also have a very difficult time proving that they suffered cognizable harm, as evident by the difficulty they have in pleading it. Almost half of the lawsuits allege that they suffered “compensatory damages” or “harm” generally, but fail to describe their damages with any specificity. They likely cannot identify any cognizable harm at this point, further demonstrating the premature nature of these lawsuits. Some of the lawsuits seek damages for a “risk” of harm at some unforeseeable point in the future, or for fraudulent charges that were almost certainly reimbursed or will be reimbursed by the consumers’ financial institutions, or for potential damage to their credit scores. None of these types of damages have been recognized as cognizable in a data-breach lawsuit.
This is not to say that all damages are not cognizable. In a few jurisdictions, courts have held that plaintiffs can proceed in pursuing certain damages. In the First Circuit, for example, consumers are allowed to pursue “mitigation expenses” (e.g., the unreimbursed cost of replacing their cards, obtaining credit reports and credit insurance, etc.). In the Eleventh Circuit, consumers have been allowed to pursue the portion of their service fees/premiums to a company that was used for securing the consumers’ personal information.
Finally, plaintiffs will have to deal with the majority of case law in data-breach lawsuits that, with some limited exceptions, has not allowed the lawsuits to proceed. Two of the most important decisions will be the U.S. Supreme Court’s decision in Clapper v. Amnesty International and the Northern District of Illinois’s decision in In re Barnes & Noble Pin Pad Litigation.
Clapper raised the bar for demonstrating cognizable harm and standing in privacy violation cases such as this one. The Clapper decision was relied on by the Northern District of Illinois in dismissing a data-breach lawsuit against Barnes & Noble that arose from an almost identical set of facts—the compromise of consumers’ personal information stolen from PIN pads at a major retailer. The court held that the plaintiffs lacked standing because they could not allege that a threatened injury was “certainly impending” as a result of the breach.
Should Target Still Be Worried?
Despite the premature nature and overall weaknesses of the lawsuits as filed, Target still has cause for concern. First, even though legal precedent is heavily in its favor, the development of the law is still in its early phases, and some courts where lawsuits against Target are pending have allowed data-breach lawsuits to proceed.
Another concern is how the facts emerge. For example, if it turns out that Target knew about the breach long before it was disclosed publicly, knew that personal information had been compromised, knew whose information had been compromised, knew that the information was not encrypted, and was under a legal obligation to notify affected individuals, then the plaintiffs’ “failure to timely notify” will strengthen.
Target also has to be concerned about trying to keep the focus where the law requires it. The plaintiffs’ lawyers are going to try to shift the focus from what Target did to what Target could have done. According to one study, 97 percent of breaches are avoidable through simple or intermediate controls. Target will need to try hard to keep the focus on the correct legal standard. The legal standard isn’t whether Target could have done something to prevent the breach, but whether it acted reasonably to prevent the breach. In other words, the plaintiffs’ lawyers will try to persuade the courts that liability should be determined by whether the breach was preventable, and Target will try to keep the focus on the fact that it adopted a highly sophisticated, expensive, and very effective information security program and made the security of its consumers’ information the highest priority. If plaintiffs succeed in shifting the focus away from the legal standard, every company should be very concerned, because so many data breaches are, in hindsight, preventable, which means that almost every company could face potential liability if they suffer a breach.
Every Company Should Care About These Lawsuits
The lawsuits are premature, not well supported by precedent, and based heavily on rank speculation as to the safeguards Target had in place and how quickly it responded. Despite these weaknesses, however, every company should care about what happens to these lawsuits. Target is a very large company that undoubtedly had in place complex and sophisticated safeguards to protect against this type of a data breach, and from what we know so far, they notified affected individuals very quickly. If there is anything less than a dismissal or summary judgment entered in all of these cases, then the proverbial blood will be in the water and we can expect the floodgates of data-breach litigation to open. Almost every company that suffers a data breach could be held liable because few are going to have the level of security and response efforts that an organization like Target has in place.
The public policy consequences of Target being held liable are significant. Companies will be less inclined to reveal breaches due to potential liability exposure, so consumers will be less likely to know when their information has been accessed, precluding them from responding adequately to protect themselves. Instead of investing resources into physical, technical and administrative safeguards that could improve the security of consumers’ information, companies will be forced to spend their resources on litigation costs, settlements and awards to plaintiffs.
Al Saikali is a partner and co-chair of Shook Hardy & Bacon’s Data Security and Data Privacy Practice Group, based in Miami.
Republished with permission. © 2014 Shook Hardy & Bacon. All rights reserved.
SHRM Online Safety & Security pageKeep up with the latest Safety & Security HR news