John Mulligan, chief financial officer of Target, left, and Michael Kingston, chief information officer of Neiman Marcus, at a Senate Judiciary Committee hearing in Washington DC in February 2014
Lawyers have still found ways to bring suits against companies whose data have been breached © Bloomberg

In February, a Los Angeles hospital paid a bitcoin ransom equivalent to about $17,000 to retrieve its medical records after hackers attacked its network.

While the records were soon restored, the attack raises the spectre of cyber criminals causing harm to consumers if a healthcare provider is, for example, unable to find out about a patient’s drug allergies in an emergency.

If these and other types of attacks increase, so could the risks of companies facing individual consumer litigation and class-action lawsuits.

Until recently organisations could take comfort from the difficulties plaintiffs in the US faced in demonstrating they had suffered material injury caused by lost data.

In the 2013 case of Clapper v Amnesty International USA, Supreme Court justices ruled that legal action could not be brought against a government surveillance programme as the plaintiffs could not prove they were at immediate risk of injury. This ruling was applied to cases involving attacks on retailers, hotels and others.

“It’s difficult to show damage, particularly right away after a security breach,” says Matt Karlyn, co-chair of the technology industry team at New York-based law firm Foley & Lardner. “And sometimes the damage might not impact a consumer base or shareholders until much later.”

The Clapper decision has been used by “defendants on the receiving ends of these suits . . . to ask the court to dismiss the case, and many have been successful”, says Michael Whitener, a Washington-based partner at VLP Law Group.

But lawyers have still found ways to bring suits against companies whose data have been breached. They might claim, for example, that consumers have been forced to spend money on credit monitoring services.

“Because of the prevalence of data breaches and the desire of courts not to leave individuals without remedy when their data have been compromised, we’ll be seeing courts getting more creative about how they define what an actual injury or a pending injury might be,” says Mr Whitener.

In some cases, courts may not dismiss a case immediately but allow the plaintiffs to attempt to prove they have suffered. However, these cases tend not to lead to court decisions.

“You get into discovery [the pre-trial process during which the parties obtain evidence such as sworn statements and other documents] and lots of costs for both parties,” says Mr Whitener. “That’s where defendants are ready to settle rather than proceed.”

However, decisions from a number of high-profile cases are likely to make it easier for consumers to bring suits against companies in the event of a data breach or cyber intrusion.

For example, in July 2015, the Seventh US Circuit Court of Appeals, overturning a previous judgment, ruled that customers of Neiman Marcus could potentially sue the retailer because they were at substantial risk of identity theft or becoming victims of fraud as a result of a data breach two years previously.

Another case that increases the chances of consumers suing companies after cyber attacks is Vidal-Hall v Google. While the case concerns misuse of private information, not a security breach, it is significant because in March 2015 the English Court of Appeal found the plaintiffs could use EU data protection legislation to claim damages for distress from Google in the US without having to prove monetary loss.

“Until this case came along, you had to show financial loss,” says Marc Dautlich, partner at London law firm Pinsent Masons. “Now all you have to show is distress. That’s a game changer.”

Vidal-Hall v Google also illustrates the global nature of litigation over security breaches. The claimants, who are based in the UK, argued they should be granted permission to serve a claim brought in the English High Court against a defendant in the US, a procedure that is called “service out of the jurisdiction”.

Mr Karlyn says the uncertainty for companies about the possible outcome of legal action is likely to continue: “We’ve yet to get results that can give us an indication of where this is all going.”

He adds that this lack of legal precedents means that companies may not invest heavily in cyber security because the hazards and financial implications of class actions are unclear. “Companies are saying: ‘Is there really a risk I’m going to be subject to a class-action lawsuit?’ ”

And it is not always easy for companies to know how to best prepare for cyber incursions as the threat is evolving all the time, adds Mr Whitener.

“It’s an arms race with the hackers to stay one step ahead of them,” he says. “That’s a moving target.”

Copyright The Financial Times Limited 2022. All rights reserved.