BreachExchange mailing list archives

The ins and outs of data breach class actions


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 17 Jun 2015 23:04:19 -0600

http://www.insidecounsel.com/2015/06/17/the-ins-and-outs-of-data-breach-class-actions

A panel, “No Harm, No Foul? Standing and Damages in Plaintiffs’ Data Breach
Class Actions,” at the Mid-Year Cybersecurity and Data Protection Legal
Summit, featured Michelle Kisloff, partner at Hogan Lovells, and Donald
Aplin, senior legal editor of the Privacy & Security Law Report at Bloomberg BNA
and adjunct professor of law at the Washington College of Law at American
University.

Kisloff spoke about enforcement matters conducted by the Federal Trade
Commission (FTC), which has taken on dozens of cases in recent years,
focusing on the challenge brought by Wyndham Worldwide, which has contested
the FTC’s jurisdiction to bring such actions. At the same time, the
Federal Communications Commission (FCC) is also taking an interest in data
breaches, including a recent settlement with AT&T.

Aside from federal regulators, Kisloff pointed out that state attorneys
general are concerned with data breaches. Most states have data breach
notification laws and data security laws, and Aplin pointed out that these
state AGs often work together on these matters. California, Illinois and
Connecticut are often leaders in these initiatives. Since data security is
a non-partisan issue, it leads to more collaboration among state attorneys
general.

Because there are 47 different state laws, it’s important to know the
commonalities, though many states do have different standards. Aplin notes
that complying with the strictest one is tempting, but it may not give you
the coverage you hope for. Scope, triggers, timing and notification
protocols vary from state to state.

Settlements can range from $100,000, as in the case of Zappos, to upwards
of $10 million, as in the settlement faced by TJX. Kisloff noted that
companies can interface with regulators to let them know what steps are
being taken in response to the questions presented by government officials. She
recommends being as cooperative as possible when dealing with regulators,
providing information on a voluntary basis before you are served with a
subpoena.

In class action litigation, the issue of standing comes up. Plaintiffs are
nervous and stressed out, but are they out of pocket? On the other hand,
regulators don’t need to show injury. A class action litigation will begin
with the public notice of a breach, followed by allegations that you have
violated statutes, been negligent and breached privacy. Where plaintiffs
are able to get past the motion to dismiss phase, there have been large
settlements, says Kisloff.

Standing under Article III of the U.S. Constitution requires a three-part
test: an actual injury, traceable to the challenged action and redressable
by a favorable decision. Most breach cases are dismissed for lack of injury,
but when there is standing, most companies settle. One future case to watch,
the panelists said, is the Target case, but another is the Spokeo case, a
Federal Credit Reporting Act case which the Supreme Court is considering, and
which could have implications for privacy and data security actions.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss