By Bob Johnson, NAID CEO
Within weeks of the massive Target data breach last December, privacy and legal pundits began speculating about class action lawsuits that would result. So far, most of those predictions have come to pass.
- Lawmakers made a lot of noise but nothing meaningful developed – at least so far.
- Hundreds of class action suits were filed across the country.
- As predicted, these separate lawsuits were combined into one case.
The only prediction left to be resolved is that the case will be summarily dismissed before it gets to court. Some experts believe the case will likely be dismissed for the same reason that similar cases have been dismissed in the past: the plaintiffs have no standing with the court because they cannot demonstrate actual damages as a direct result of the event. The actual damages precedent stems from Clapper vs. Amnesty International, a U.S. Supreme Court case in 2012 wherein plaintiffs argued that the Foreign Intelligence Surveillance Act (FISA) should be struck down on the basis that it posed a future harm. The Supreme Court overturned an earlier ruling by the FISA, stating the following:
- Plaintiffs failed to demonstrate the future injury they purportedly feared was certainly impending.
- Plaintiffs failed to establish the future injury they purportedly feared was fairly traceable to the FISA provision at issue.
- Costs plaintiffs incurred to avoid surveillance were not fairly traceable to the FISA provision at issue.
As I said earlier, and as the experts point out, with Clapper as their guide, courts across the country have been summarily dismissing data breach class action suits before they get to court. This precedent is the reason that experts predicted a similar fate for the Target lawsuit.
Then, things changed.
In March, a federal district appeals court in Florida overturned two previous dismissals of a data breach class action suit against health care insurer AvMed. AvMed allowed unauthorized access to 1.2 million personal records. In overturning the prior court rulings, both based upon the Clapper precedent, the appeals court determined that insurance premiums to AvMed were paid with an expectation that the firm was taking sufficient measures to protect their data. The court said AvMed had “unfairly enriched” itself at the expense of the plaintiffs when it did not take the precautions necessary to protect the data, thus giving the plaintiffs the necessary standing. Upon learning the case would proceed to court, AvMed sought a settlement, which was approved at $3 million on March 18.
This ruling seriously challenged the get-out-of-jail-free card that Clapper had been providing data breach lawsuits up to this time. After all, when is personal information ever exchanged with an institution wherein the individual is not, in part, paying for the expectation that the recipient organization is adequately protecting their personal information? If I’m a class action lawyer going after Target, I am suddenly feeling a little more confident about my clients’ case.
The day after the AvMed announcement, a Los Angeles County Superior Court judge approved a $4.1 million settlement by Stanford Hospital and Clinics to approximately 20,000 plaintiffs. This settlement stemmed from the improper posting of emergency room visit details to the organization’s website. Other than the loss of the expectation of privacy, no actual damages were proven.
Despite the predictions that the Target class action data breach suits will suffer a quick death, I am not convinced. Obviously, the public feels the violation of privacy and increasing risk of identity theft is worthy of compensation. Why else would firms settle so quickly once their cases are allowed to proceed? They realize the jury would be much harder on them.
The AvMed ruling changed the conversation. If part of what I am buying when I do business with someone is the expectation they will protect the data I share with them, they “unfairly enrich” themselves when they avoid the expense of meeting that obligation. The “actual damages” are that I have been defrauded.
So, while the fate of the Target class action data breach case is unknown, there are some things we can predict:
The plaintiffs will put up a strong and persistent battle. The AvMed case was overturned after two lower courts tossed it out. With the AvMed and Stanford cases now in hand, and with so much more at stake, the Target case will go as high as it is allowed to go – all the way to the Supreme Court, if necessary.
We also know that Target is fighting for its life. Its future is already in jeopardy, and if the suit turns against it, that future is that much bleaker.
The conversation has changed, or at least it is changing. It is no longer about demonstrating damages; it is about whether companies are defrauding customers by not providing the security they paid for and expect in the business transaction.
Frankly, I would like to see the Supreme Court hear this case. Legislators and regulators have not effectively confronted the problem. A strong new precedent that recognizes the obligation to protect personal information may raise the stakes high enough that meaningful data protection will result. The consequences of data breaches are nearing the point where they can no longer be tolerated. Data breaches can still be largely attributed to lax or inept data protection practices. Obviously, the pain has not been high enough to force those practices to change.