This week’s Data Spotlight looks at cyber-related litigation trends. While data breach costs typically include investigation and remediation, notification, and possibly fines or penalties, events also are generating a rapidly growing number of third-party lawsuits. Plaintiffs typically have struck out in these suits, but that seemingly has not deterred lawyers from continuing to step up to the plate, hoping to hit a home run.
Last week in this publication, Rick Bortnick examined trends in cyber class action litigation. As he points out, “Courts may not (yet) be prepared to award common law (i.e., non-statutory) damages to individuals who have a fear of future harm.” In other words, fear of identity theft alone has rarely proved adequate for a court to award damages to plaintiffs.
Bortnick also points out that attaining class certification in cyber cases is no easy task for plaintiffs and their attorneys. He cites the closely followed case, Anderson v. Hannaford Brothers Co, in which “the District Court, on remand, declined to certify the putative class in light of the claimants’ failure to establish that common issues of law and fact ‘predominate’ over individual issues, a predicate to class certification.”
Despite the challenges, cyber-related litigation is on the upswing. The recent data breach at Target alone has produced dozens of suits.
As the Litigation Frequency Index shows, after holding more-or-less steady since 2009, the number of new cases surged in 2013. Thus far, it appears that 2014 could be another banner year for litigation.
Of suits filed in 2013, only about 14 percent are presently settled or dismissed (though the numbers are somewhat skewed by the several Target suits filed in the final week of 2013), while more than three quarters of suits filed in 2008 are settled or dismissed.
A recent Sedona Conference dialogue involving a diverse group of judges, law enforcement officers, prosecutors, regulators, corporate counsel, cybersecurity consultants, and plaintiff and defense lawyers identified various theories of cyber liability:
According to an analysis of the Sedona Conference findings by Adam Cohen of E&Y, common law negligence claims are the most troubling: “The application of common law negligence claims to cyber breaches adds another dimension of complete uncertainty to evaluating whether cybersecurity defenses pass the ‘reasonableness’ test.”
Lawsuits often are filed by individuals, as a class, whose personal information has been compromised. Depending on the nature of the breach, other private parties also may pursue recoveries. When payment card information has been stolen, for example, the banks that issued the cards have sued to recover the costs of reissuing cards and repaying compromised customers.
Target faces at least seven lawsuits brought by financial institutions, alleging the company failed to perform due diligence in protecting its data.
Some legal experts see cybersecurity claims as the next big wave in securities litigation. The SEC issued data security disclosure guidance in 2011.
According to a memo from the King & Spalding law firm, failure to promptly disclose a cyber breach “may put a company at risk of facing formal SEC investigations, shareholder class actions, or derivative lawsuits.” The Target breach has thus far spawned a shareholder derivative lawsuit alleging that board members and directors “participated in the maintenance of inadequate cyber-security controls.”
Advisen data suggests that, on average, it takes 3-4 years to resolve cyber-related litigation.