Proving Cyber Breach Damages Can Be Challenging
Home Depot, Target, TJX and Anthem all made headlines when their networks were hacked and thieves made off with the personal data of millions of consumers. Not surprisingly, high-profile cyber breaches like these are usually followed by lawsuits. Much of the litigation so far has turned on damages, particularly whether the plaintiffs suffered an actual loss and whether the breach caused it. Here is an overview of how plaintiffs in cyber breach actions have claimed damages and how courts have ruled.
Did The Plaintiff Suffer?
The most significant problem for many plaintiffs in cyber breach cases is that they haven't yet suffered any loss. Thieves may not have had a chance to use the plaintiff's personally identifiable information (PII) to open fraudulent accounts, withdraw funds or make fraudulent charges, and courts have generally held that PII itself has no inherent monetary value for which a consumer can be compensated.
To get around this, plaintiffs may seek reimbursement for credit monitoring services or identity theft insurance purchased to guard against future misuse of their PII. Numerous courts, however, have denied claims based solely on an increased risk of future harm, that is, the notion that the breach left consumers more exposed to identity theft, fraud or phishing. Courts have likewise rejected claims for the time and money spent to mitigate that increased risk.
Was The Defendant Unjustly Enriched?
In March 2014, a federal district court approved a $3 million settlement in a data breach case that included plaintiffs who had suffered no financial loss from identity theft. The district court and the Eleventh Circuit Court of Appeals found that these plaintiffs had sufficiently pled injury by claiming that the defendant, AvMed, had been unjustly enriched: the plaintiffs had paid the company higher insurance premiums in part so that it would take adequate measures to protect their data, and it had not done so.
Similarly, a "benefit of the bargain" approach seems most likely to survive when the defendant has given assurances that the plaintiff's information would be protected. For example, in 2013 a federal district court allowed a claim to proceed against a computer game developer that had assured customers it would protect the personal and financial information they were required to provide.
Even where plaintiffs can prove misuse of their PII, they can't necessarily recover damages, because damages aren't available for monetary losses that have already been reimbursed. If breached credit card information was used to make fraudulent charges, for example, the consumer can't recover damages for those charges if the credit card company has already reimbursed them.
Did The Breach Cause The Loss?
Of course, proving sufficient injury isn't enough: a claimant also must establish that the injury resulted from the breach. Because breaches are common and consumers share their information online constantly, making that connection can be difficult.
A Delaware state court, for example, dismissed negligence claims in a breach case because the plaintiffs had failed to show that the breach, and not something else, had caused the alleged instances of identity theft. The Ninth Circuit, by contrast, allowed a claim in which the plaintiff made a detailed factual showing of both the timing and the logical relationship between the breach and the incidents of identity fraud the plaintiff subsequently suffered.
Experts Can Help
Both plaintiffs and defendants in cyber breach cases should turn to qualified financial experts for help with damages claims. Damages experts can conduct statistical analyses of the fraudulent activity allegedly caused by a breach and scrutinize the damages estimates proposed by the opposing party. They can also assess whether opposing experts measured damages over an appropriate time frame and whether they distinguished between the types of fraud that can reasonably be linked to the breach and those that can't.
Is Insurance The Solution?
Data breach insurance, also known as cyber liability or cyber risk insurance, has been available for more than a decade, but interest in these policies has surged in the last couple of years. Companies are worried about rising cyber attack risk, and many insurers are also starting to exclude electronic data losses from traditional corporate policies.
Data breach insurance generally provides three main types of coverage: 1) regulatory fines and penalties, 2) lawsuits and 3) response costs (such as forensic analysis, notification and public relations expenses). While the general coverage areas are similar across policies, the devil is in the details.
For example, policies differ in how they handle the vendors used to respond to a breach. Will the insurer provide the necessary services itself, require the insured to use particular vendors, or allow the insured to use its own vendors or internal resources? Since forensic investigation and notification are usually the first costs a breached company incurs, it matters whether the insured's existing incident response providers qualify.
Premiums and sublimits also warrant close attention. Companies should negotiate a sublimit for each coverage area rather than accepting only an overall limit, since a single sublimit that is too low can leave one category of cost, such as response costs, uncovered even when the policy's total limit is far from exhausted. Premium rates also depend on the insured's existing security and privacy controls and on its revenues.