BreachExchange mailing list archives
The ins and outs of data breach class actions
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 17 Jun 2015 23:04:19 -0600
http://www.insidecounsel.com/2015/06/17/the-ins-and-outs-of-data-breach-class-actions

A panel, “No Harm, No Foul? Standing and Damages in Plaintiffs’ Data Breach Class Actions,” at the Mid-Year Cybersecurity and Data Protection Legal Summit, featured Michelle Kisloff, partner at Hogan Lovells, and Donald Aplin, senior legal editor, Privacy & Security Law Report, Bloomberg BNA, and adjunct professor of law at Washington College of Law at American University.

Kisloff spoke about enforcement matters conducted by the Federal Trade Commission (FTC), which has taken on dozens of cases in recent years, focusing on the challenges put forth by Wyndham World Wide. Wyndham has put forth a jurisdictional challenge to FTC’s actions. At the same time, the Federal Communications Commission (FCC) is also taking an interest in data breaches, including a recent settlement with AT&T.

Aside from federal regulators, Kisloff pointed out that state attorneys general are concerned with data breaches. Most states have data breach notification laws and data security laws, and Aplin pointed out that these state AGs often work together on these matters. California, Illinois and Connecticut are often leaders in these initiatives. Since data security is a non-partisan issue, it leads to more collaboration among state attorneys general.

Because there are 47 different state laws, it’s important to know the commonalities, though many states do have different standards. Aplin notes that complying with the strictest one is tempting, but it may not give you the coverage you hope for. Scope, triggers, timing and notification protocols vary from state to state. Settlements can range from $100,000, like in the case of Zappos, to upwards of $10 million, like the settlement faced by TJX. Kisloff noted that companies can interface with regulators, to let them know what steps are being taken in response to questions presented by government officials.
She recommends being as cooperative as possible when dealing with regulators, providing information on a voluntary basis before you are served with a subpoena.

In class action litigation, the issue of standing comes up. Plaintiffs are nervous and stressed out, but are they out of pocket? On the other hand, regulators don’t need to show injury. A class action litigation will begin with the public notice of a breach, followed by allegations that you have violated statutes, been negligent and breached privacy. Where plaintiffs are able to get past the motion to dismiss phase, there have been large settlements, says Kisloff.

The issue of standing, under Article III of the U.S. Constitution, requires a three-part test: an actual injury, traceable to the challenged action, and redressable by a favorable decision. Most breach cases are dismissed for lack of injury, but when there is standing, most companies settle.

One future case to watch, the panelists said, is the Target case, but another is the Spokeo case, a Federal Credit Reporting Act case which the Supreme Court is considering, and which could have implications for privacy and data security actions.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com

Supporters: Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients contact us!