
CLASS ACTION DATA BREACH LITIGATION · files.ctctcdn.com/910c501c401/78cb1221-7517-4e0a-a3ef... · 2015-10-28 · CLASS ACTION DATA BREACH LITIGATION: IS THE TIDE TURNING IN PLAINTIFFS’


CLASS ACTION DATA BREACH LITIGATION: IS THE TIDE TURNING IN PLAINTIFFS’ FAVOR?

These days, it is rare to turn on the news and not hear about a new data breach affecting U.S. companies and consumers. In fact, a recent study revealed that data breaches continue to increase, with 888 occurring in the first six months of 2015, which involved a whopping 246 million records worldwide. A flurry of recent decisions, most notably the 7th Circuit’s ruling in Remijas v. Neiman Marcus Group LLC, are making it easier for consumers to pursue damages from companies that fall victim to hackers.

The rapid pace of litigation related to the unauthorized collection, use, or disclosure of consumer information has left district and circuit courts grappling with the fundamental question: Do plaintiffs have standing to bring a claim in the event of a data breach?

Under Article III of the Constitution, a plaintiff must demonstrate the following to bring an action in federal court: 1) he/she suffered actual or imminent harm; 2) that is traceable to the defendant; and 3) that judicial action will likely redress the harm. These criteria have created quite the conundrum for appellate courts that must determine whether the release of private information constitutes an “injury.” While it may seem clear that an “injury” to a consumer has occurred if a hacker makes unauthorized charges on a consumer’s credit card, what about scenarios in which information has been accessed, or potentially accessed, but no fraudulent activity has followed? Let’s take a look at how these issues have historically played out in federal court and how recent developments may impact your company’s purchase of cyber insurance.


CLASS ACTION DATA BREACH LITIGATION | OCTOBER 2015

THE EVOLUTION OF ARTICLE III DECISIONS

Pisciotta v. Old Nat’l Bancorp

It all began in 2007 when the 7th Circuit ruled that after Old National Bancorp failed to adequately protect its consumers’ personal data, plaintiffs had standing to bring an action because the injury requirement of Article III could be satisfied simply by a threat of future harm or an increased risk of future harm.

Krottner v. Starbucks Corp.

In 2010, the 9th Circuit united with the 7th Circuit when it determined the threat of misuse from the theft of a laptop containing personal, unencrypted data qualified as an “injury,” and therefore met the requirements of Article III.

Reilly v. Ceridian Corp.

In 2011, the 3rd Circuit criticized the 7th and 9th circuits’ “skimpy rationale” employed in the two cases above, when it reviewed the fact pattern in this case, suggesting that even though a computer firewall was compromised, there was “no quantifiable risk of damage in the future,” and therefore, no injury or standing.

Clapper v. Amnesty Int’l USA

In 2013, defense attorneys were ecstatic when the Supreme Court ruled on this case, which presented a unique fact pattern, and strengthened the requirements for Article III standing. A group of attorneys, human rights and media organizations argued that Section 702 of the Foreign Intelligence Surveillance Act of 1978 was unconstitutional as it could potentially allow the government to engage in surveillance that may compromise the plaintiffs’ capacity to interact confidentially with their clients.

Where intelligence actions and foreign affairs policies were concerned, the Supreme Court claimed it had often found standing lacking, further stating that imminence was a “somewhat elastic concept, [but] it cannot be stretched beyond its purpose [to ensure] that the injury is certainly impending.” Therefore, the Court held the alleged threat to the plaintiffs, “which relies on a highly attenuated chain of possibilities, does not satisfy the requirement that threatened injury must be certainly impending.”

Remijas v. Neiman Marcus Group, LLC

More recently, as data breach incidents at large retailers and other companies exploded, the plaintiffs’ bar saw the potential for huge classes with massive settlements and class action claim activity increased. With the stakes high, appellate litigation continued on this issue and Article III standing defenses began to erode.

While defense attorneys continued for years to successfully cite the Clapper ruling to support plaintiffs’ insufficient standing at the district court level, this practice was brought to a halt in July of 2015 when the 7th Circuit once again sided with consumers. 350,000 records of Neiman Marcus customers were involved in a hack, 9,200 of which were later used fraudulently. Concerning the cards that were not subject to fraud, Neiman Marcus argued the potential risk of future identity theft or fraudulent charges was too speculative to constitute an “injury.”


The 7th Circuit, however, rejected this argument and declared that “Clapper does not, as the district court thought, foreclose any use whatsoever of future injuries to support Article III standing.” Further, the court refused to require that the affected customers “wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.”

Concerned that the court’s precedential ruling would have long-term effects on data breach law, Neiman Marcus asked the appellate court in August of 2015 to rehear the matter en banc, claiming the decision “all but declares that such breaches automatically confer standing.” The 7th Circuit declined, allowing the suit to move forward in Illinois federal court.

Enslin v. The Coca-Cola Co.

In September of 2015, the Eastern District of Pennsylvania denied a motion to dismiss this case for lack of standing in yet another victory for class-action plaintiffs. Following an employee theft of 55 laptops containing the personal information of 74,000 current and former employees, Coke argued that any future harms the plaintiff might suffer were “speculative, hypothetical, and not an injury-in-fact.” Further, Coke claimed that even if an injury had been suffered, it was “not fairly traceable to the conduct” of the company.

The court rejected Coke’s first argument, claiming that unlike the plaintiffs in Clapper and Reilly, the plaintiff had “already suffered palpable harm, including the alleged theft of funds from his bank accounts on two occasions, unauthorized use of four credit cards, and the unauthorized issuance of new credit cards.”

Nor did the court buy Coke’s second argument that any injury suffered could not be traceable to Coke, stating that the “chain linking the loss of Plaintiff’s SSN, credit cards, and banking information, and the subsequent identity attacks Plaintiff suffered, is plausible. The connection between the loss of sensitive PII like SSN and banking information and subsequent identity attacks is apparent from Plaintiff’s complaint.”

A pre-trial conference in this case is set for November 12, 2015, and JLT will continue to monitor further developments.

Spokeo, Inc. v. Robins

During its fall 2015 term, the Supreme Court will determine whether Congress can confer Article III standing upon a plaintiff who has suffered no concrete harm by authorizing a private right of action based on a violation of a federal statute.

Spokeo, Inc. operates a “people search engine” that compiles publicly-available information about individuals’ contact information, marital status, age, occupation, economic health, and wealth. The plaintiff in this case claims that Spokeo created and made available for sale a report containing inaccurate information about him, specifically his education, employment, wealth, relationship status, and children.

The district court initially dismissed the plaintiff’s suit for lack of standing, but the 9th Circuit reversed, concluding the plaintiff had standing under Article III because he alleged violations of statutory rights created by the Fair Credit Reporting Act (“FCRA”), which were “concrete, de facto injuries.” Because the plaintiff alleged Spokeo violated his own rights versus the rights of others, the 9th Circuit concluded he had sufficiently satisfied the legal requirements for standing.

Spokeo appealed to the Supreme Court, claiming the 9th Circuit erred in allowing the plaintiff “to maintain a lawsuit in federal court based solely on an injury in law untethered to any concrete harm—in other words, without any real-world injury,” which will in turn allow any future plaintiff to satisfy standing by asserting a violation of a technical FCRA or other statutory requirement.

The parties’ briefings have been filed and, interestingly, both highlight the conceivable impact of this decision not only for the future of data-breach litigation, but also for the general scope of Article III jurisdiction. Oral argument is currently scheduled for November 2, 2015, and JLT will continue to monitor further developments.

THE FUTURE OF DATA BREACH LITIGATION

Is the tide turning in favor of consumers? Only time will tell if these recent decisions are indicative of a more consumer-sympathetic legal system in an environment where the number of data breaches seems to be growing by the day. Many companies, especially those with consumers, have understandably expressed concern about a flood of “no-injury” class actions under various statutes providing for statutory damages, such as FCRA, the Telephone Consumer Protection Act, and the Video Privacy Protection Act, among others.

HOW WILL THESE CASES AFFECT CYBER INSURANCE AND PREMIUMS?

Cyber insurance coverage in certain industries, most notably, retail and healthcare, is already facing pricing pressures due to the substantial claim activity over the past 36 months. Losses in those industries have been attributable to the size of the breaches, the data lost (credit card numbers and personal health care information), and the regulatory environment.

If the erosion of the standing defense to these claims (where consumers really have not suffered much of a loss) continues, we can expect to see even more litigation, leading to increased defense costs and larger and more frequent settlements. All add to the challenges facing insurance carriers as they underwrite this risk and are likely to lead to higher premiums and more restrictive terms (certainly higher retention requirements). Large companies in any industry who maintain large amounts of personally identifiable information of their customers will continue to be targeted by the plaintiffs’ bar and may face new challenges on cyber insurance terms.


ABOUT JLT

Jardine Lloyd Thompson (JLT) is the world’s leading specialty focused provider of insurance, reinsurance, and employee benefits related advice, brokerage and associated services. We provide our clients with deep specialist knowledge, advocacy, tailored advice, and service excellence. Our 10,600 experts worldwide are focused on our client industries and are supported by the second largest international placement network with unparalleled capabilities and resources in 135 countries.

JLT Specialty USA is the U.S. platform of the leading specialty business advisory firm, Jardine Lloyd Thompson Group. Our experts have deep industry and product experience serving leading US and global firms. Our key to client success is our freedom to be creative, collaborative, and analytical while challenging conventions, redefining problems, creating new analytical insights, and exploring new boundaries to deliver solutions for each client’s unique business and risks.

www.jlt.com © 2015 JLT Group

JLT Specialty USA
1520 Market Street, Suite 300
Denver, CO 80202
720.501.2800 | www.jltus.com

© 2015 JLT Specialty USA

Contacts

Ryan Griffin, Vice President, Cyber and E&O, [email protected]

Lindsey Roser, Senior Vice President, Legal & Claims, [email protected]