The State of Data-breach Litigation and Enforcement: Before the 2013 Mega Breaches and Beyond

Jurisdiction: United States, Federal
Author: Evan M. Wooten
Publication year: 2015
Citation: Vol. 24 No. 1

By Evan M. Wooten1

Over the past year, data breach and security have come to dominate the privacy law landscape. High-profile breaches at numerous retailers leading into the 2013 holiday season brought widespread awareness to risks that businesses have been navigating for the better part of a decade, if not longer. Consumers awoke to the reality that electronic systems are under constant threat of intrusion from malware, hackers, and foreign states. Lawmakers reacted to consumer alarm and unrest with calls for accountability and reform. Industry groups, governmental entities, and information-sharing systems representing public and private bodies increased efforts to identify threats and enhance security. And, of course, litigation ensued.

After a brief overview, this article will explore (i) traditional data-breach litigation and public enforcement efforts; (ii) the state and federal response to recent high-profile breaches; and (iii) significant developments in case law and enforcement since the 2013 mega breaches. The 2014 holiday season brought more high-profile breaches, bringing the issue back into focus and ensuring additional litigation. Data-breach lawsuits are nothing new, but there can be no question that the data-security landscape is changing. The question is, will changes in public perception and awareness augur different results in litigation and enforcement? Thus far, the answer has been mostly 'no,' but several developments warrant attention and bear watching in the future. Practitioners will want to familiarize themselves with existing law and keep close tabs on evolving issues.


Corporate legal spending on data security in the United States increased from $1 billion in 2013 to $1.4 billion in 2014, and is expected to climb to $1.5 billion in 2015—a 7.9% increase that dwarfs the next highest practice area (2.7% for class actions).2 The issue is firmly on the radar of attorneys, businesses, regulators, and legislators. But data breach is not a new phenomenon. As Senator Rockefeller of West Virginia has observed, "[f]or nearly a decade, we've had major data breaches at companies both large and small."3 Companies in the United States have been hit particularly hard, at least financially speaking. In 2012, the United States "experienced the highest total average cost at more than $5.4 million" per data breach, or $188 per compromised record, costs that include detection, escalation, customer notification, remediation, and lost business, among other
things.4 These figures do not include breaches of more than 100,000 consumer records—what the Ponemon Institute refers to as "mega" breaches—because those breaches had, in the past, been atypical.5 But mega breaches are becoming more common or, at least, more visible.

The mega breaches of 2013 and 2014 cast new light on data-breach litigation, but data-breach lawsuits are nothing new. The earliest examples of data breach—at least those that reached the courts—involved stolen or mislaid laptops and other hard assets. In a typical fact pattern, employees would leave laptop computers in cars or hotel rooms, and thieves would make off with the hard assets and any data they contained. Sometimes the thefts were the result of concerted criminal effort, other times the result of employee carelessness. Although it is tempting to view these scenarios as outdated and inconsequential by comparison to sophisticated cyber-attacks, recent data suggests that human error (35%) and system malfunction (29%) are nearly as common causes of data breach as malicious or criminal attacks (37%),6 and mislaid laptops are as common causes of litigation as malware, even in 2014. As discussed below, the context and cause of a breach could play an important role in judicial outcomes. Principles developed in the early data-breach cases continue to hold sway, for the most part, though several recent cases have departed from traditional views.


As discussed in greater detail below, there is no general data-security statute in the United States. Although some federal statutes, such as the Health Insurance Portability and Accountability Act ("HIPAA")7 and the Gramm-Leach-Bliley Act ("GLBA"),8 address data security in specific industries (health care and financial services, respectively) and most states have data-breach notification laws (which are expanding in scope), most data-breach lawsuits begin in state court, alleging causes of action under state common law.9

The basic allegation underlying most data-breach complaints is that companies took inadequate steps to safeguard consumer data, which resulted in or contributed to a breach. The particular breach could take many forms, e.g., malicious intrusion or probe into electronic systems, such as by malware or virus; compromise of point-of-sale technologies, such as credit-card readers or ATMs; rogue employees disclosing company records for profit or other impermissible motive; laptops and other company data left unsecured or unattended; or corporate espionage. Similarly, the breached data can take many forms: names, addresses, social security numbers, medical records, personal
identification numbers ("PINs"), passwords, credit card numbers, and other personally identifiable information ("PII"). Consumers usually claim injuries in increased risk of identity theft and/or the diminution in value of their PII.

Although the basic allegations were essentially the same, early data-breach cases tested numerous theories of recovery, most commonly: (1) breach of contract, express or implied; (2) unjust enrichment; (3) invasion of privacy; (4) negligence; (5) misrepresentation (negligent or intentional); (6) infliction of emotional distress (negligent or intentional); and (7) violation of state consumer protection, unfair competition, and/or deceptive practices laws—analogues to the Federal Trade Commission Act ("FTCA"),10 such as California's Unfair Competition Law ("UCL"),11 sometimes called "little" or "mini-FTC" acts. Courts have generally rejected each of these theories, using reasoning that can be summed up as follows: data-breach plaintiffs, who allege that their private information was compromised, cannot allege or establish that their data was actually purloined, disseminated, or misused.

Breach of contract allegations are generally dismissed for the simple reason that companies do not promise, as a matter of contract, to safeguard or protect consumer data from third-party intrusion.12 Historically, courts have refused to construe generic statements on company websites or promotional materials—that consumer data was safe or protected by certain security measures, such as firewalls or encryption—as express contractual obligations, or to imply contracts from such statements or the customer relationship at large.13

Unjust enrichment, or "quasi contract" as it is known in some states, is an alternative to breach of contract: "a plaintiff may not recover for unjust enrichment where a 'valid, express contract governing the subject matter of the dispute exists.'"14 In most data-breach cases, a valid contract or privacy policy exists (negating a quasi-contract claim), but does not promise to protect data from intrusion.

Common-law invasion of privacy claims require, among other things, that plaintiff information be "published," i.e., publicly disseminated or disclosed to an appreciable number of people. Traditionally, data-breach plaintiffs have been able to allege that their
data was compromised, but not that the data was disseminated publicly. In such cases, courts have dismissed invasion of privacy claims for lack of publication.15

Similarly, courts have dismissed negligence, negligent misrepresentation, and negligent infliction of emotional distress claims, citing the "economic loss doctrine." Torts, including those sounding in negligence, can only be pursued to redress personal or property damage, as opposed to purely economic losses.16 To recover for economic losses, plaintiffs must sue in contract. But as discussed above, consumer contracts rarely impose data-security obligations.

And while unfair competition and deceptive practice claims are not subject to the economic loss rule, such state laws often only authorize injunctive relief or restitution, rather than compensatory damages for economic loss.17 Other consumer protection statutes authorize compensatory damage awards,18 but courts interpreting those statutes have traditionally held data-breach plaintiffs to a very high standard, one most plaintiffs cannot meet. A data breach is actionable under some state statutes, for example, only if the defendant was "systematically reckless," the breach was "aggravated by [a] failure to give prompt notice," and the breach resulted in "very widespread and serious harm to other companies and to innumerable consumers."19

In sum, early data-breach cases rarely survived motions to dismiss (or demurrers), primarily because plaintiffs could not allege a compensable injury. This rule has crystallized in a line of cases applying the "case" or "controversy" requirement of Article III of the U.S. Constitution to data-breach complaints, particularly since the Supreme Court's 2013 decision in Clapper v. Amnesty International USA.20 Article III limits the jurisdiction of federal courts to true cases or controversies: the plaintiff must have suffered "actual or imminent" injury as opposed to "hypothetical" or "conjectural" harm.21 To have standing to pursue any cause of action in federal court, a plaintiff must allege (1) a "concrete and particularized injury" that is (2) "fairly traceable" to the defendant's conduct and which is also (3) likely redressed by the judicial resolution.22 The Supreme Court has referred to these requirements as the "irreducible constitutional minimum" of...