Connecting The Dots - Data Breach and Plaintiff Injuries
It seems that hardly a day goes by without a data breach making headlines. And while attacks on the largest companies receive the most attention, businesses of all sizes are vulnerable.
Data breach litigation can be extremely complex, and the law in this area is continuing to evolve. But one thing is certain: Forensic experts, including accountants and IT specialists, are an invaluable part of the litigation team. Although forensic analysis is often associated with damages calculations, forensic experts also can help establish injury and causation.
By sifting through enormous amounts of data, these experts can identify trends and patterns, helping connect the dots between data breaches and plaintiff injuries (or helping prove that there is no connection).
One of the biggest hurdles for plaintiffs in data breach cases, especially class actions, is establishing that they were injured by the breach. And the U.S. Supreme Court raised this hurdle even higher in a 2013 decision. In Clapper v. Amnesty International, the Court discussed the requirements for proving an “injury in fact” that was sufficient to establish standing. The case didn’t involve a data breach — it was a human rights case involving the National Security Agency’s wiretapping program. But federal courts have since applied Clapper’s principles in dismissing several data breach class actions.
The Court held, among other things, that:
- Mere threatened injury isn’t enough — rather, for plaintiffs to have standing, injury must be “certainly impending,”
- Allegations of possible future injury are insufficient, and
- Plaintiffs cannot “manufacture” an injury by incurring costs based on their fears of hypothetical future harm.
Following Clapper, several federal courts have dismissed data breach cases, reasoning that the risk that identity theft or other fraud will be committed using information obtained via data breach is insufficient to establish that injury is “certainly impending.” Some courts have even dismissed cases in which plaintiffs had actual fraudulent charges on their credit cards. These courts make a distinction between fraudulent charges, which are readily reversed, and “actual identity theft,” which involves use of personal information to open new accounts and can be far more harmful to victims.
An obstacle to recovery in these cases is establishing a connection between the theft of data that includes plaintiffs’ information and the actual or imminent use of that information to commit fraud. The mere fact that hackers have possession of certain data doesn’t necessarily mean they have the ability or desire to extract personal information from that data. But in some cases, experts are able to trace breached data to information published, or otherwise stored or transmitted, on the Internet, demonstrating that hackers have indeed extracted plaintiffs’ personal information. Even if no fraud has yet been committed, some courts have found that the existence of plaintiffs’ names, login credentials, credit card numbers, expiration dates and other information on the Internet is enough to establish that injury is “certainly impending.”
Supporting insurance claims
Another area that benefits from forensic expertise is cyber-risk insurance claims. Forensic accountants can sift through large volumes of data to help a company victimized by a data breach identify losses and determine whether they occurred during the relevant coverage periods.
They can also analyze sales data to help ensure that claimed losses are reasonable and accurate. For example, a company that suffers a data breach might lose a significant amount of online sales because customers are hesitant to provide their credit card information. But considering those lost sales alone may overstate the company’s losses if some of those customers buy the same products in the company’s bricks-and-mortar stores — or simply postpone their online purchases.
Forensic accountants are invaluable in reviewing a company’s claimed costs to help determine whether they meet a cyber-risk policy’s coverage criteria. For example, it may be necessary to distinguish between costs incurred to investigate and mitigate a data breach and those incurred to improve the company’s cyber-security program to prevent future breaches.
Involve experts early
Data breach litigation typically involves enormous quantities of data. Getting experts involved early can help you make sense of the data and establish connections (or the lack thereof) between the breach and claimed injuries.
Data breaches affect millions
Ponemon Institute is a research center dedicated to privacy, data protection and information security policy. Its recent report, “2014: A Year of Mega Breaches,” lists the following major breaches from 2014, with the number of people or businesses affected shown in parentheses.
- eBay (145 million people),
- JPMorgan Chase (76 million households and 7 million small businesses),
- Home Depot (56 million payment cards),
- CHS Community Health Systems (4.5 million people),
- Michaels Stores (2.6 million people),
- Neiman Marcus (1.1 million people), and
- Staples (point-of-sale systems at 115 retail stores).
This list doesn’t include the massive data breach at Target in late 2013, which resulted in approximately 40 million lost credit card numbers.