[BreachExchange] The realities of data breach litigation today

Thu Apr 20 19:09:38 EDT 2017

https://iapp.org/news/a/the-realities-of-data-breach-litigation-today/

If you ask Jay Edelson, he'll tell you things are about to get
significantly better for class-action litigants on the plaintiffs side. He
sees a shift in the way courts are willing or not willing to handle
settlements. He's feeling good enough about the future of such cases, in
fact, that he announced yesterday three new filings on behalf of Edelson
PC, his Chicago-based law firm, recently put forth or with plans to
officially file, including one against Bose, for sharing its consumers
listening preferences with data miners, and one against Confident, the
messaging app Trump campaigners reportedly used to leak news to
journalists. The third is against MDLive, which Edelson is suing over
alleged patient privacy concerns.

Aside from the new suits, the news that class-actions are on the up and up
was part of his message in a session at the IAPP's Global Privacy Summit on
Wednesday on "The State of Data Breach Litigation Today," in which Edelson,
who runs Edelson PC, and Doug Meal of Ropes and Gray discussed the lay of
the land. And no one worth their beans puts on a data breach session
without talking Spokeo, in which the Supreme Court held that in order to
clear the threshold for Article Three standing to sue, a plaintiff must
prove "concrete" injury, though that injury can be intangible. Edelson
argued the case for the plaintiff. (For a thorough analysis of the Spokeo
case, click here.)

While many people made a big to-do of the Spokeo ruling and what it might
mean for the future of privacy litigation  — particularly data breach
attorneys who saw opportunity in the court's ruling that harms can be
intangible — Edelson said it's a mistake to think that just because there's
a claim, there's a case.

"The court said the risk of future harm can be enough to have standing, and
a lot of data breach lawyers said, 'That's terrific,'" he said. "And I
think that's wrong."

That's because you still have to show damages in a breach case. So even if
a plaintiff can get past a "motion to dismiss" in court, it's very possible
that case then goes nowhere.

"You have to show damages," Edelson said. "In a data breach case, if you
have a bad theory, a theory that 'Maybe in 10 years, Doug might get
injured,' how are you going to quantify that?"

Edelson said, maybe lamented, there's an entire section of plaintiffs
attorneys who have one goal in data breach cases, which is to avoid a
motion to dismiss.

"The idea is if you can get by a motion to dismiss, even with a really bad
claim, the defense isn't going to want to engage in discovery, and they're
going to want some kind of settlement."

That's not something that sits well with Edelson.

"Firms that are doing that are doing such a disservice to data breach law
in general and I think to their claims."

Meal and Edelson agreed there are essentially two ways defense attorneys
can try cases these days. They can be predicated on actual harm, that is,
there was a data breach and data was stolen. Or they can be based on
"overpayment theory" if there's a concern actual harm can't be proved. For
example, a customer has paid money for a service, and the corporation they
paid made promises about the level of data security they could provide, and
then failed to uphold those promises.

While Edelson was more upbeat on the "overpayment theory" type of cases,
Meal said, in reality, courts aren't really changing their tune on
requiring proof that there's been an actual harm.

"There's never been a data breach of any kind involving any situation, no
matter how extensive the breach was, where anybody could say they were
certainly going to incur an actual, out-pocket, tangible loss," Meal said.
"No data breach is ever going to hit the certainly impending loss
standard."

But for the plaintiff's side, Edelson said he sees good things happening
for plaintiffs in settlements.

"The wind is at our backs, if our backs means people who want better deals
for the class," he said. "I think the idea that we're going to have data
breach causes that survive motions to dismiss, I'm hoping those days are
gone."

Edelson said courts are now interested in seeing data breach cases in which
the class itself wins, and not just the plaintiffs' attorneys. And in the
case where the damages award will simply pay off the plaintiffs' attorneys
and the class itself sees nothing in the end, "courts will find a way to
throw away those cases," he said.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170420/aae50d21/attachment.html>