USA, December 30 2013, Alfred J. Saikali, http://www.lexology.com
Plaintiffs’ lawyers were falling over themselves last week in a race to the courthouse to sue Target as a result of its recent data breach. By at least one report, over 40 lawsuits have already been filed against Target, the first of which was filed the day after the breach became public. This post will provide an overview of the lawsuits, analyze their merits, identify potential concerns for Target, and address some of the larger public policy implications raised by the lawsuits. My next post will provide more specific details about a sample of the lawsuits.
A (Coordinated) Race to the Courthouse

The lawsuits were filed in Federal courts all over the country, including Alabama, California, Florida, Illinois, Minnesota, Oregon, and Rhode Island. At least four of them were the result of coordinated efforts between plaintiffs’ firms that filed the lawsuits in California, Illinois, and Oregon, given the similarity of language and structure used in those complaints. (That’s not particularly unusual, but let’s not pretend that there isn’t a coordinated effort involved here.) The lawsuits will likely be consolidated or become part of a multidistrict litigation panel, and there will be an internal battle between the plaintiffs’ lawyers as to who will serve as class counsel.

Also interesting is when the lawsuits were filed. All of these lawsuits were filed within a few days of the data breach becoming public. They were filed before knowing what caused the breach, before knowing when Target learned of the breach, and before knowing what Target did to prevent the breach from occurring in the first place. The developing data breach legal landscape has shown us that liability from a data breach arises not from the breach itself (almost every company suffers a breach), but from what the company did before or after the breach to prevent it and notify affected individuals. So the fact that these lawsuits were filed before we know much about what led to the breach and how Target responded should raise initial skepticism about the merits of the lawsuits.
On to the Merits . . .

Generally speaking, the lawsuits are not only premature, but weak for at least two reasons: their legal theories are not sufficiently specific, and almost none of them allege cognizable harm. The lawsuits contain numerous causes of action (negligence, statutory violations, breach of implied and express contracts, invasion of privacy, bailment, etc.), but the causes of action are based primarily on two legal theories: (1) Target failed to act reasonably in adopting safeguards that would have prevented the breach from happening; and/or (2) Target didn’t notify affected consumers quickly enough. Let’s evaluate these theories and other weaknesses in the lawsuits separately.
“Failure to Adopt Reasonable Safeguards”

Plaintiffs allege that Target failed to act reasonably to adopt safeguards to prevent the breach from occurring, but there are no allegations as to what specifically Target did wrong. In the LinkedIn lawsuit, for example, there were allegations that LinkedIn failed to salt or hash sensitive information, and that LinkedIn’s conduct contradicted a specific provision of its consumer-facing privacy policy. The LinkedIn complaint was dismissed because the court held that the plaintiffs lacked standing, but you knew upon reading it what the plaintiffs were claiming LinkedIn did (or failed to do) wrong. There are no similarly specific allegations in the lawsuits against Target, probably because the plaintiffs don’t know enough about the facts to plead anything with the requisite specificity. They don’t know yet what Target did wrong, or even if it did anything wrong. The highly ambiguous pleading now puts Target in the position of trying to defend itself against a “moving target” (no pun intended) that plaintiffs will interpret differently to best suit their needs as the lawsuit progresses.
“Failure to Timely Notify Affected Consumers”

The plaintiffs also claim that Target failed to timely notify affected consumers of the breach, but there are currently no facts that support this theory. According to all accounts, the breach occurred between November 27th and December 15th, and Target notified potentially affected customers a few days thereafter by email and by creating a special web page (linked to Target.com) with regularly updated information about the breach and Target’s response.
As anyone with breach response experience will tell you, there are a number of time-consuming steps in the breach response process before notification can take place. First, you need to identify and understand the nature of the compromise, and you have to be reasonably sure that the compromise has been contained and remediated so it is no longer a threat. This step alone can take days or weeks to complete depending on the level of sophistication of the attack. Further complicating this step is the coordination with law enforcement, who may be concerned that acting too quickly will inhibit their ability to identify the perpetrators. After the integrity of your system has been restored, you need to identify what information was affected by the breach. If you learn that personal information was potentially compromised as a result of the breach, you need to know whose information was affected so you can quickly inform them and regulatory authorities in compliance with applicable legal requirements. Undertaking this entire process can often take weeks. Target appears to have done it within a few days.

There is another factor that must be considered in determining whether Target complied with any legal obligation to notify consumers – the various data breach notification laws. 46 states have their own data breach notification laws, and they are triggered by the location of the individual whose information is compromised, not by the location of the company that suffered the breach (meaning that they’re all in play with a breach this size). Most require notification within a “reasonable” period of time, and for some that means the breached entity may have as long as 30 to 45 days to undertake notification. These laws usually do not “start the clock running” on notification until the company reasonably believes that it has identified the full scope of the breach and has contained it. This makes sense because you wouldn’t want to tip off the hackers that you are on to them by issuing a public notification when your systems are still compromised. Additionally, it is very difficult to undertake notification until you know who you need to notify (i.e., whose information was compromised, where they live, how they can be contacted, etc.), which can take some time to determine. Finally, almost all of these laws allow for a delay in notification where law enforcement believes that such notification would impede their ability to identify and investigate the hackers. We do not know whether such a “law enforcement hold” was in place in this breach. (Some of the plaintiffs allege in their complaints that no law enforcement hold was in place, but they couldn’t possibly know that yet.) It is possible that facts could emerge at a later date showing that Target knew of the compromise much earlier but chose not to notify affected consumers, but for the time being, the fact that Target notified affected consumers within a few days of the compromise becoming known easily disposes of the allegation that Target delayed notifying consumers.
Cognizable Harm

The plaintiffs will also have a very difficult time proving that they suffered cognizable harm, as is evident from the difficulty they have in pleading it. Almost half of the lawsuits allege that the plaintiffs suffered “compensatory damages” or “harm” generally, but fail to describe their damages with any specificity. They likely cannot identify any cognizable harm at this point, further demonstrating the premature nature of these lawsuits. Some of the lawsuits seek damages for a “risk” of harm at some unforeseeable point in the future, or for fraudulent charges that were almost certainly reimbursed or will be reimbursed by the consumers’ financial institutions, or for potential damage to their credit scores. None of these types of damages have been recognized as cognizable in a data breach lawsuit. This is not to say that no damages are cognizable. In a few jurisdictions, courts have held that plaintiffs can proceed in pursuing certain damages. In the First Circuit, for example, consumers are allowed to pursue “mitigation expenses” (e.g., the unreimbursed cost of replacing their cards, obtaining credit reports and credit insurance, etc.). In the Eleventh Circuit, consumers have been allowed to pursue the portion of their service fees/premiums to a company that was used for securing the consumers’ personal information. To the extent the plaintiffs have filed lawsuits in these jurisdictions and are seeking these types of damages, their allegations of damages may be stronger.
Precedent

Finally, Plaintiffs will have to deal with the majority of case law in data breach lawsuits that, with some limited exceptions, has not allowed the lawsuits to proceed. Two of the most important decisions will be the U.S. Supreme Court’s decision in Clapper v. Amnesty International and the Northern District of Illinois’s decision in In re Barnes & Noble Pin Pad Litigation. Clapper raised the bar for demonstrating cognizable harm and standing in privacy violation cases such as this one. The Clapper decision was relied on by the Northern District of Illinois in dismissing a data breach lawsuit against Barnes & Noble that arose from an almost identical set of facts — the compromise of consumers’ personal information stolen from PIN pads at a major retailer. The court held that the plaintiffs lacked standing because they could not allege that a threatened injury was “certainly impending” as a result of the breach. I expect the plaintiffs to rely on the recent decisions by the Eleventh Circuit, the First Circuit, and the Southern District of Florida that allowed data breach lawsuits to proceed. Therefore, I would closely monitor what happens in the two Florida lawsuits and the Rhode Island lawsuit, or any others that are subsequently filed in the Eleventh or First U.S. Circuits.
Should Target Still Be Worried?

Despite the premature nature and overall weaknesses of the lawsuits as filed, Target still has cause for concern. First, even though legal precedent is heavily in its favor (this blog post cites only a few of the many opinions dismissing data breach lawsuits), the development of the law is still in its early phases, and as is evident from the previous paragraph, some courts where lawsuits against Target are pending have allowed data breach lawsuits to proceed. Another concern is how the facts emerge. For example, if it turns out that Target knew about the breach long before it was disclosed publicly, knew that personal information had been compromised, knew whose information had been compromised, knew that the information was not encrypted, and was under a legal obligation to notify affected individuals, then the plaintiffs’ “failure to timely notify” theory will strengthen. Target also has to be concerned about trying to keep the focus where the law requires it. The plaintiffs’ lawyers are going to try to shift the focus from what Target did (the sophisticated and complex information security program Target likely had in place) to what Target could have done (the one “error” Target made that could have prevented the breach). According to one study, 97% of breaches are avoidable (in hindsight) through simple or intermediate controls. Why is that important? Because I have little doubt that the plaintiffs’ lawyers will be able to find a cybersecurity “expert” somewhere willing to testify that Target could have done something that would have prevented the breach from occurring, thereby trying to create an issue of fact as to the reasonableness of Target’s conduct. Target will need to try hard to keep the focus on the correct legal standard. The legal standard isn’t whether Target could have done something to prevent the breach, but whether it acted reasonably to prevent the breach. In other words, the plaintiffs’ lawyers will try to persuade the courts that liability should be determined by whether the breach was preventable, and Target will try to keep the focus on the fact that it adopted a highly sophisticated, expensive, and (for the most part) very effective information security program and made the security of its consumers’ information the highest priority. If plaintiffs succeed in shifting the focus away from the legal standard, every company should be very concerned, because so many data breaches are, in hindsight, preventable, which means that almost every company could face potential liability if it suffers a breach.
Why EVERY Company Should Care About These Lawsuits . . .

The lawsuits are premature, not well supported by precedent, and based heavily on rank speculation as to the safeguards Target had in place and how quickly it responded. Despite these weaknesses, however, every company should care about what happens to these lawsuits. Target is a very large company that undoubtedly had in place complex and sophisticated safeguards to protect against this type of data breach, and from what we know so far, it notified affected individuals very quickly. If there is anything less than a dismissal or summary judgment entered in all of these cases, then the proverbial blood will be in the water and we can expect the floodgates of data breach litigation to open. Almost every company that suffers a data breach could be held liable because few are going to have the level of security and response efforts that an organization like Target has in place. The public policy consequences of Target being held liable are significant. Companies will be less inclined to reveal breaches due to potential liability exposure, so consumers will be less likely to know when their information has been accessed, precluding them from responding adequately to protect themselves. Instead of investing resources in physical, technical, and administrative safeguards that could improve the security of consumers’ information, companies will be forced to spend their resources on litigation costs, settlements, and awards to plaintiffs. The individuals who will benefit most won’t be the consumers (who could each receive nominal awards for mitigation expenses), but the attorneys who will reap significant attorney’s fee awards in class action lawsuits. So what happens to these lawsuits will be important to any company that collects, stores, uses, and disposes of sensitive consumer information, which is almost every company doing business in this modern economy.