CLASS ACTION DATA BREACH LITIGATION: IS THE TIDE TURNING IN PLAINTIFFS' FAVOR?



These days, it is rare to turn on the news and not hear about a new data breach affecting U.S. companies and consumers. In fact, a recent study revealed that data breaches continue to increase, with 888 occurring in the first six months of 2015, which involved a whopping 246 million records worldwide. A flurry of recent decisions, most notably the 7th Circuit's ruling in Remijas v. Neiman Marcus Group LLC, are making it easier for consumers to pursue damages from companies that fall victim to hackers.

The rapid pace of litigation related to the unauthorized collection, use, or disclosure of consumer information has left district and circuit courts grappling with the fundamental question: Do plaintiffs have standing to bring a claim in the event of a data breach? Under Article III of the Constitution, a plaintiff must demonstrate the following to bring an action in federal court: 1) he/she suffered actual or imminent harm; 2) that is traceable to the defendant; and 3) that judicial action will likely redress the harm.

These criteria have created quite the conundrum for appellate courts that must determine whether the release of private information constitutes an injury. While it may seem clear that an injury to a consumer has occurred if a hacker makes unauthorized charges on a consumer's credit card, what about scenarios in which information has been accessed, or potentially accessed, but no fraudulent activity has followed? Let's take a look at how these issues have historically played out in federal court and how recent developments may impact your company's purchase of cyber insurance.

THE EVOLUTION OF ARTICLE III DECISIONS

Pisciotta v. Old Nat'l Bancorp

It all began in 2007 when the 7th Circuit ruled that after Old National Bancorp failed to adequately protect its consumers' personal data, plaintiffs had standing to bring an action because the injury requirement of Article III could be satisfied simply by a threat of future harm or an increased risk of future harm.

Krottner v. Starbucks Corp.

In 2010, the 9th Circuit united with the 7th Circuit when it determined the threat of misuse from the theft of a laptop containing personal, unencrypted data qualified as an injury, and therefore met the requirements of Article III.

Reilly v. Ceridian Corp.

In 2011, the 3rd Circuit criticized the 7th and 9th circuits' skimpy rationale employed in the two cases above, when it reviewed the fact pattern in this case, suggesting that even though a computer firewall was compromised, there was no quantifiable risk of damage in the future, and therefore, no injury or standing.

Clapper v. Amnesty Int'l USA

In 2013, defense attorneys were ecstatic when the Supreme Court ruled on this case, which presented a unique fact pattern, and strengthened the requirements for Article III standing. A group of attorneys, human rights and media organizations argued that Section 702 of the Foreign Intelligence Surveillance Act of 1978 was unconstitutional as it could potentially allow the government to engage in surveillance that may compromise the plaintiffs' capacity to interact confidentially with their clients. Where intelligence actions and foreign affairs policies were concerned, the Supreme Court claimed it had often found standing lacking, further stating that imminence was a somewhat elastic concept, [but] it cannot be stretched beyond its purpose [to ensure] that the injury is certainly impending. Therefore, the Court held the alleged threat to the plaintiffs, which relies on a highly attenuated chain of possibilities, does not satisfy the requirement that threatened injury must be certainly impending.

Remijas v. Neiman Marcus Group, LLC

More recently, as data breach incidents at large retailers and other companies exploded, the plaintiffs' bar saw the potential for huge classes with massive settlements and class action claim activity increased. With the stakes high, appellate litigation continued on this issue and Article III standing defenses began to erode.

While defense attorneys continued for years to successfully cite the Clapper ruling to support plaintiffs' insufficient standing at the district court level, this practice was brought to a halt in July of 2015 when the 7th Circuit once again sided with consumers. 350,000 records of Neiman Marcus customers were involved in a hack, 9,200 of which were later used fraudulently. Concerning the cards that were not subject to fraud, Neiman Marcus argued the potential risk of future identity theft or fraudulent charges was too speculative to constitute an injury.

The 7th Circuit, however, rejected this argument and declared that Clapper does not, as the district court thought, foreclose any use whatsoever of future injuries to support Article III standing. Further, the court refused to require the affected customers wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an objectively reasonable likelihood that such an injury will occur.

Concerned that the court's precedential ruling would have long-term effects on data breach law, Neiman Marcus asked the appellate court in August of 2015 to rehear the matter en banc, claiming the decision all but declares that such breaches automatically confer standing. The 7th Circuit declined, allowing the suit to move forward in Illinois federal court.

Enslin v. The Coca-Cola Co.

In September of 2015, the Eastern District of Pennsylvania denied a motion to dismiss this case for lack of standing in yet another victory for class-action plaintiffs. Following an employee theft of 55 laptops containing the personal information of 74,000 current and former employees, Coke argued that any future harms the plaintiff might suffer were speculative, hypothetical, and not an injury-in-fact. Further, Coke claimed that even if an injury had been suffered, it was not fairly traceable to the conduct of the company.

The court rejected Coke's first argument, claiming that unlike the plaintiffs in Clapper and Reilly, the plaintiff had already suffered palpable harm, including the alleged theft of funds from his bank accounts on two occasions, unauthorized use of four credit cards, and the unauthorized issuance of new credit cards. Nor did the court buy Coke's second argument that any injury suffered could not be traceable to Coke, citing that chain linking the loss of Plaintiff's SSN, credit cards, and banking information, and the subsequent identity attacks Plaintiff suffered, is plausible. The connection between the loss of sensitive PII like SSN and banking information and subsequent identity attacks is apparent from Plaintiff's complaint. A pre-trial conference in this case is set for November 12, 2015, and JLT will continue to monitor further developments.

Spokeo, Inc. v. Robins

During its fall 2015 term, the Supreme Court will determine whether Congress can confer Article III standing upon a plaintiff who has suffered no concrete harm by authorizing a private right of action based on a violation of a federal statute. Spokeo, Inc. operates a people search engine that compiles publicly-available information about individuals' contact information, marital status, age, occupation, economic health, and wealth. The plaintiff in this case claims that Spokeo created and made available for sale a report containing inaccurate information about him, specifically his education, employment, wealth, relationship status, and children.

The district court initially dismissed the plaintiff's suit for lack of standing, but the 9th Circuit reversed, concluding the plaintiff had standing under Article III because he alleged violations of statutory rights created by the Fair Credit Reporting Act ("FCRA"), which were concrete, de facto injuries. Because the plaintiff alleged Spokeo violated his own rights versus the rights of others, the 9th Circuit concluded he had sufficiently satisfied the legal requirements for standing.

Spokeo appealed to the Supreme Court, claiming the 9th Circuit erred in allowing the plaintiff to maintain a lawsuit in federal court based solely on an injury in law untethered to any concrete harm (in other words, without any real-world injury), which will in turn allow any future plaintiff to satisfy standing by asserting a violation of a technical FCRA or other statutory requirement. The parties' briefings have been filed and, interestingly, both highlight the conceivable impact of this decision not only for the future of data-breach litigation, but also for the general scope of Article III jurisdiction. Oral argument is currently scheduled for November 2, 2015, and JLT will continue to monitor further developments.

THE FUTURE OF DATA BREACH LITIGATION

Many companies, especially those with consumers, have understandably expressed concern about a flood of no-injury class actions under various statutes providing for statutory damages, such as FCRA, the Telephone Consumer Protection Act, and the Video Privacy Protection Act, among others.

HOW WILL THESE CASES AFFECT CYBER INSURANCE AND PREMIUMS?

Cyber insurance coverage in certain industries, most notably, retail and healthcare, is already facing pricing pressures due to the substantial claim activity over the past 36 months. Losses in those industries have been attributable to the size of the breaches, the data lost (credit card numbers and personal health care information), and the regulatory environment.

If the erosion of the standing defense to these claims (where consumers really have not suffered much of a loss) continues, we can expect to see even more litigation, leading to increased defense costs and larger and more frequent settlements. All add to the challenges facing insurance carriers as they underwrite this risk and are likely to lead to higher premiums and more restrictive terms (certainly higher retention requirements). Large companies in any industry who maintain large amounts of personally identifiable information of their customers will continue to be targeted by the plaintiffs' bar and may face new challenges on cyber insurance terms.

Is the tide turning in favor of consumers?

Only time will tell if these recent decisions are indicative of a more consumer-sympathetic legal system in an environment where the number of data breaches seems to be growing by the day.

ABOUT JLT

Jardine Lloyd Thompson (JLT) is the world's leading specialty focused provider of insurance, reinsurance, and employee benefits related advice, brokerage and associated services. We provide our clients with deep specialist knowledge, advocacy, tailored advice, and service excellence. Our 10,600 experts worldwide are focused on our client industries and are supported by the second largest international placement network with unparalleled capabilities and resources in 135 countries.

JLT Specialty USA is the U.S. platform of the leading specialty business advisory firm, Jardine Lloyd Thompson Group. Our experts have deep industry and product experience serving leading US and global firms. Our key to client success is our freedom to be creative, collaborative, and analytical while challenging conventions, redefining problems, creating new analytical insights, and exploring new boundaries to deliver solutions for each client's unique business and risks.

Contacts

Ryan Griffin, Vice President, Cyber and E&O Practice, 312.351.5637, ryan.griffin@jltus.com

Lindsey Roser, Senior Vice President, Legal & Claims Practice, 720.501.2829, lindsey.roser@jltus.com

www.jlt.com 2015 JLT Group

JLT Specialty USA, 1520 Market Street, Suite 300, Denver, CO 80202, 720.501.2800, www.jltus.com 2015 JLT Specialty USA