If you were waiting for a federal court decision in favor of a consumer class action suit over the loss of personal information to break up the reality distortion field around most corporate overlords, you just got it.
A federal appeals court decision handed down earlier this month highlights the legal recourse available to consumers whose electronic records are hacked and underscores the consequences to corporations for ignoring their responsibilities.
In July of 2014, the health insurer CareFirst was hacked and lost 1 million customer records, but only detected the breach in May of 2015, almost 11 months later. After notifying their customers, they were quickly greeted with a class action suit that ironically attributed the breach to CareFirst’s carelessness and citing the increased risk of identity theft in their cause for damages claim.
That initial round was won by CareFirst as a federal district court judge dismissed the complaint because the plaintiffs failed to provide adequate proof that the breach caused any substantive harm to the plaintiffs.
After breathing a sigh of relief, CareFirst was soon to learn that upon appeal, the U.S. Appellate Court for the District of Columbia reversed the district court’s decision insisting that the plaintiff’s’ allegation of harm was correct, and that the plaintiffs had established that personally identifiable information (PII), protected health information (PHI) and “sensitive information” had in fact been hacked.
The original court’s finding was based on an incorrect reading of the damages, concluding that the cause was speculative because no actual harm had occurred.
The appeals court determined that the type of data involved in the hack and the subsequent potential for identity theft, constituted “plausible” grounds for potential harm as a result of the breach and that even if no actual harm had yet occurred, the loss of PII, sensitive and PHI was sufficient to establish a concrete and particularized injury.
Anyone who thinks that simply providing some free credit monitoring is going to somehow mitigate lost personally identifiable information form this point forward should think again. They’re going to get the “Thanks for playing” buzzer.
In an amicus brief filed by of all people, the U.S. Chamber of Commerce, the brief offered that if plaintiffs are permitted to pursue cases like the one against CareFirst, “the Chamber’s members will be mired in lawsuits over breaches that have not caused any actual or imminent harm to the plaintiffs — and yet those cases threaten to extract massive settlements from businesses that were victimized by hackers or thieves.”
Uh, yeah. And whose freaking side are you on anyway, Mr. Chamber?
The impact on future e-commerce eco-systems will obviously be substantial if customers are allowed to file suit against companies that have experienced breaches without sufficiently establishing actual harm, which should cause everyone involved in those businesses to do what they should have done years ago and implement a comprehensive cybersecurity defense system.
This lawsuit should strike fear in the hearts of e-commerce business operators everywhere because in the past, it was pretty common that establishing an element of evidentiary injury was essential for affected customers to achieve sufficient legal standing to file an action.
In other words, there had to be actual damages, injury and/or harm.
Obviously, courts will still debate whether data breach plaintiffs can survive a motion to dismiss for lack of standing, but this is not a win for the defendants. Even if a company might prevail, the attlasian cost of litigation and the increased liability will break many smaller companies who believed that the ruling against the plaintiff in Whalen v. Michaels Stores had established the standard for legal standing.
In that case, the Second Circuit U.S. Court of Appeals earlier this year concluded that the plaintiff had failed to establish a concrete injury sufficient to bring a suit related to a breach of private data.
These differences among appeals court decisions in data breach cases could ultimately result in the issue appearing on the calendar of the U.S. Supreme Court. If you are waiting for that to happen, I wouldn’t bet against the customer/class action/plaintiff.
If anything, the D.C. Circuit decision and others like it will lead to a substantial increase in the types and numbers of civil cases filed against organizations that suffer data breaches where personal information is compromised and without at least some provable track record of reasonable actions to protect sensitive data from unauthorized access, the corporation will likely be screwed.
As we have seen in New York, our government has concluded that businesses can’t do what is necessary on their own and every state along with the Federal level will soon have similar regulatory legislation in place to assure that companies create and implement sound cybersecurity programs.
Not only must they implement these programs, they actually have to follow them and that includes appropriate administrative, technical and physical controls and documentation along with monitoring and cyber-incident response and internal investigations that actually anticipate litigation. All future litigation will concern itself not only with whether a breach occurred but also with how the organization prepared for and responded to the incident.
If you missed my prior post on Value-at-Risk, you may want to take a read. The failure to understand and manage the legal risk related to a cybersecurity incident during the response and investigation phases is one of the biggest mistakes an organization can make. All too often, incident response activity remains within the information technology purviews of a company, and is managed and conducted by individuals with no expertise or experience in how the developing evidence is likely to be used in litigation that will inevitably follow.
The cost of installing a senior Information Security Officer reporting directly to the CEO pales against the cost of litigation and damages resulting from a poorly orchestrated cybersecurity defense system resulting in a breach and loss of customer data.
My recommendation? Ha!