Once more unto the (corporate data) breach, dear friends.

Author: Foresman, Adam R.

I. INTRODUCTION
II. BACKGROUND
    A. Corporate Data Privacy Breaches
    B. Data Privacy Class Actions
        1. The Data Regulation Landscape
    C. Questionable Consumer Protection Outcomes
    D. Deja Vu and the PSLRA
III. ANALYSIS
    A. The PSLRA's Intended Target: "Strike Suits"
        1. Nominal Damages but High Attorneys' Fees: Agency Costs
    B. PSLRA Provisions and Practical Outcomes
        1. The Lead Plaintiff Provision
        2. The Heightened Pleading and Discovery Stay Provisions
    C. Efficacy of the PSLRA
        1. The Heightened Pleading Requirement and Silicon Graphics
    D. Comparing the PSLRA and Data Breach Claims
        1. Data Breach Strike Suits
IV. RECOMMENDATION
V. CONCLUSION

  1. INTRODUCTION

    Data security breaches are no longer merely the concern of IT departments; (1) they are now one of the most critical and potentially costly specters corporations face today. (2) To strike a balance between consumer and corporate interests, this Note will advocate that Congress should include, as a part of any data privacy reform, a heightened pleading requirement modeled after the standard created by the Private Securities Litigation Reform Act of 1995 (PSLRA), as applied by the Ninth Circuit in Silicon Graphics. (3) With news of new breaches arriving almost daily, implicating significant firms like JPMorgan Chase Bank, Sony Pictures, and Anthem Inc., it is clear that an age of large corporate data breaches is just beginning. (4) These data breaches are proving to be extremely costly, due in part to a corresponding increase in class action litigation. Some of these claims bear striking similarities to the securities class actions that a small group of unscrupulous attorneys filed during the 90s-era dot-com boom. (5) These claims negatively affected many corporations individually, while also significantly burdening U.S. capital markets. (6) This Note will explain the similarities and differences between the current era of data privacy class actions and the pre-PSLRA era of securities class actions. It will also evaluate the efficacy of the PSLRA, before ultimately advocating that Congress should adopt a heightened pleading standard for data privacy class action claims modeled after the Ninth Circuit's application of the PSLRA in Silicon Graphics. (7)

  2. BACKGROUND

    1. Corporate Data Privacy Breaches

      In 2012, FBI director Robert Mueller ominously stated: "there are only two kinds of companies: those that have been hacked and those that will be." (8) However, even with such a high likelihood of hacking, the majority of corporate data breaches in 2013 had other causes. (9) While hacking gets the glory, system glitches and employee errors are still responsible for the lion's share of corporate data breaches. (10) The average data breach in 2013 cost U.S. companies $201 per record lost, with the average breach implicating nearly 30,000 records. (11) Unfortunately, these statistics conceal significant outliers representing the largest and most costly data breaches. For example, the now infamous 2013 data breach of Target Corporation (Target) exposed 40 million credit and debit card records, in addition to potentially compromising the personal information records of an additional 70 million customers. (12) Unfortunately, this appears to be the new status quo for corporations, (13) as the number of large-scale breaches will likely continue an upward trajectory in 2015. (14) The fact that recent breaches occurred at some of the largest companies, presumably with the most sophisticated countermeasures, leads many to believe that no corporation is safe. For example, Anthem and JPMorgan Chase both recently experienced data breaches--compromising 80 million and 76 million records, respectively--the largest breaches that the banking or healthcare industries have ever experienced. (15) Although consumer data is a precious capital asset for companies, (16) it has become abundantly clear that "even the most robust and sophisticated network security will fail," and when it does, the corporation could face significant litigation, regulatory, and public relations costs. (17)

      As more corporations announce data breaches, unscrupulous attorneys stand ready--some merely trolling news reports--just waiting for the next opportunity to file a claim, often within 24 hours of a data breach. (18) During Home Depot's recent breach, at least one plaintiff filed a complaint before the company had even confirmed that there had actually been a breach. (19) Home Depot's mere "acknowledg[ment] [that] it was investigating 'unusual activity' related to a potential breach" was sufficient grounds for plaintiffs to file a class action. (20) Additionally, a single breach event can yield a high volume of class action claims against a corporation. (21) For example, plaintiffs filed over 70 putative class actions against Target--in various jurisdictions across the country--in response to the company's now paradigmatic 2013 breach. (22)

      1. The Data Regulation Landscape

      Unfortunately, for many plaintiffs injured by corporate data breaches, there is currently no clear route to redress. (23) This is due in large part to the complex "patchwork" of state and federal law currently governing data privacy. (24) The Federal Government's "sectoral" approach, which breaks down laws according to the type and use of data, complicates the potentially available legal remedies for victims who have had multiple types of data compromised. (25) These laws comprise a group of roughly 20 different federal statutes that govern privacy generally, although some have questionable applicability to personal data. (26) For example, some plaintiffs have recently attempted to file data breach claims under the Video Privacy Protection Act (VPPA), a 1988 law passed to protect customers' VHS tape rental history from public disclosure. (27) VPPA bars "video tape service providers" from knowingly disclosing personal information without written consent. (28) Although VPPA still applies to today's modern day movie streaming companies like Netflix, many plaintiffs have attempted to retrofit the law to cover all manner of data breaches, even though Congress clearly never contemplated such coverage. (29) Importantly, VPPA contains a statutory damages provision that allows plaintiffs to recover $2500 per violation, irrespective of any actual damage. (30) Plaintiffs have increasingly attempted to apply such laws in the data privacy context, since a single data breach could yield millions of "violations," converting claims into the practical equivalent of gold mines. (31) In addition, most states have been actively passing legislation governing personal data, generating a lack of uniformity that has muddied the waters for injured plaintiffs. (32) Their lawyers are now forced to throw the "kitchen sink" into complaints to see what, if anything, sticks. (33) Unfortunately for the majority of recent claims, not much has actually stuck, but many commentators characterize this as a "war of attrition," and note that plaintiffs' tactics are rapidly and aggressively evolving and causing some courts to entertain novel applications. (34)

      Many courts have dismissed data privacy class actions under the doctrine of standing. (35) Courts generally base these dismissals on one of two grounds: (1) the plaintiffs did not establish an injury-in-fact; (36) or (2) the plaintiffs did not adequately quantify or prove recoverable damages (i.e., a legally cognizable injury) pursuant to the Supreme Court's standards in Lujan v. Defenders of Wildlife (37) and Clapper v. Amnesty International. (38) Although the majority of courts are still turning aside data privacy class actions that merely allege a fear or increased risk of fraud caused by a breach, (39) plaintiffs have been able to chip away at courts' Article III bulwark. (40) A high-profile example of courts' willingness to modify the injury requirement can be gleaned by the statement of U.S. District Court Judge Paul Magnuson who stated, after partially denying Target's motion to dismiss: (41) "You have people here who were honest to goodness hurt, who were injured." (42) While the judiciary could take it upon itself to reform data breach claims by modifying the standing doctrine, this Note will instead advocate for reform at the congressional level.

      Under the current regime, if a data privacy class action claim meets the injury requirement, the next crucial battle occurs at the motion to dismiss stage. (43) If plaintiffs survive a corporation's motion to dismiss, they gain a tremendous amount of leverage (i.e., the looming cost of lengthy discovery combined with the potential for negative publicity). (44) This leverage typically forces corporate defendants to rapidly settle claims. (45) If courts are not able to properly dismiss non-meritorious claims at this stage, this leverage could have a detrimental effect on corporations and the U.S. economy as a whole.

    2. Questionable Consumer Protection Outcomes

      For those claims that survive dismissal and reach the settlement table, it is unclear what consumer protection goals, if any, many settlements serve. (46) For example, clothing retailer T.J. Maxx, one of the first major companies to experience a large-scale data privacy breach, settled 25 putative class actions by offering plaintiffs a choice of either three years of free credit monitoring and identity theft insurance, or nominal cash payments or vouchers, valued at $15 or $30 dollars respectively (i.e., coupons), for lost time suffered in response to the breach. (47) T.J. Maxx also offered to reimburse any costs incurred to replace drivers' licenses or losses borne from identity theft fairly traceable to the breach, as well as $6.5 million to the plaintiffs' attorneys. (48) While this appears to be a favorable outcome on its face, "only 3% of the eligible [T.J. Maxx] class members sought the credit monitoring service," with most opting to instead collect a nominal "coupon" payment. (49) Moreover, by the time the court...
