[BreachExchange] Data Breach Litigation Waivers: Be Careful What You Wish For

Destry Winant destry at riskbasedsecurity.com
Thu Jun 4 10:14:10 EDT 2020


In her 1969 book, “On Death and Dying,” Elisabeth Kübler-Ross
described the five stages of grief and loss:

Denial and isolation

They’re not too different from the stages of data breach response.
First, deny that you have had a breach and isolate your network. Then,
find someone else to blame for the breach. Next, bargaining—with
insurance companies, merchant banks, regulators, the FTC, class action
lawyers, shareholders, etc. Then, depression—usually of stock price.
Finally, acceptance: You have a brand-spanking-new data security
policy, pen test, assessment, endpoint management, encryption … cool.
You’re good to go.

One of the (almost) inevitable stages of a data breach has been
litigation via a class action lawsuit. Consumers, vendors,
shareholders or others sue the company for failure to adequately
protect their data and for exposing them to some potential or actual
harm as a result of inadequate security. For large data breaches,
class action lawyers may file multiple lawsuits purporting to
represent various classes of data breach victims—often asking for
millions or tens of millions of dollars in damages. Even when there is
a settlement, the members of the class may get little financial
benefit, while much of the benefit goes to the lawyers representing the
class and/or the named members of the class. That’s neither good nor
bad; it’s just a function of how class action lawsuits work.

In recent years, companies have attempted to avoid class action
liability through mandatory arbitration provisions embedded in website
terms of service, in software end user license agreements, in privacy
policies and in other forms of browsewrap or clickwrap. The U.S.
Supreme Court has held that these arbitration clauses are generally
enforceable, which means consumers and employees can no longer go to
court to get a determination of their rights but must rely on
arbitration. While there are advantages to arbitration generally—it’s
faster, somewhat cheaper and, unlike the courts, it’s open—there are
significant disadvantages to consumers for compelled arbitration as
well. First, the consumer may be required to pay all or a portion of
the costs of arbitration even if they win. The arbitrator, unlike a
judge, is paid by the litigants. When you are arbitrating a claim that
the phone company ripped you off for $35, the prospect of having to
pay a few grand for arbitration is daunting. Second, arbitration is
generally “off the record” and not binding on any other arbitrator.
Thus, if 1,000 other arbitrators have read a clause in a contract one
way, the 1,001st is free to read it any way they like. Third, there is
limited discovery in arbitration; in other words, as a plaintiff, you
may not be able to learn of the internal “screw the consumer” memo
sent by the company VP in charge of, well, screwing the consumer.

Finally, to get paid, arbitrators have to get selected through a
process that involves both plaintiff and defendant. An arbitrator who
consistently rules against company defendants (even if they deserve to
be ruled against) is unlikely to get a lot of work in the future.

One other feature of mandatory arbitration is the class action and
class arbitration waiver. So not only do you give up the right to sue
for your damages, but you also give up the right to file a single
class action representing all of the parties injured—or to file an
arbitration on behalf of all people similarly situated.

Which brings us to the case of the Chegg data breach. Online learning
website Chegg suffered a massive data breach that exposed user IDs,
passwords and other data for users of the site, including those from
George Washington University. (Disclaimer: I teach at the GWU law
school, but was not a user of the website.) The data of about 40
million users was reportedly exposed. For each individual user, the
demonstrable “harm” was likely minimal, making the prospect of
individual lawsuits unlikely. Even if the “damages” were in the area
of thousands of dollars, the cost of litigation for each case
independently outweighed the benefits to any individual victim. As
Judge Richard Posner once noted about such lawsuits, it’s not the
difference between one class action lawsuit and tens of thousands of
individual suits, it’s the difference between one class action lawsuit
and no individual lawsuits. The same basic rule applies to
arbitrations as well.

Without the possibility of litigation through a class action lawsuit
or arbitration, lawyers in Baltimore representing the “class” came up
with a novel but occasionally used strategy: Since the arbitration
provisions in the clickwrap agreement provided that the company would
pay the costs of arbitration for those less than $75,000 (the
jurisdictional limit for federal lawsuits), the lawyers decided to
file thousands of individual demands for arbitration. In fact, the law
firm, Z Law, filed more than 15,107 individual arbitration demands on
behalf of individual data breach victims. If permitted to go forward,
Chegg would have to hire counsel to represent themselves in each
arbitration, engage in hearings in each case, present evidence in each
case and pay the arbitration costs in each case. In fact, just paying
the $300 arbitration filing fee in each of the cases would cost the
company about $4.7 million. These types of “mass arbitration” cases
are, in a sense, made possible by the internet, which would permit
plaintiffs’ firms to gather names of victims and get them to sign up
to arbitrate. Unlike litigation, wherein a lawyer would have to be
admitted to practice law in each jurisdiction in which the lawsuit is
filed (or find local counsel), a single law firm could represent a
diverse set of victims in multiple jurisdictions as long as there is
some connection to the jurisdiction in which they are admitted to
practice law.

As a result, a data breach involving a large number of “victims” each
suffering a small amount of damages—the kind of case that the waiver
of class action and class arbitration was intended to deter—has now
become a huge logistical, practical and financial nightmare for the
company suffering the breach and for the insurance company with a duty
to defend that company in litigation or arbitrations resulting from
the breach. So, be careful what you wish for; you might just get it.
