A Look at the 2017 Data Breach Litigation Report

Posted by Mark Greisiger

A Q&A with David Zetoony of Bryan Cave LLC

Every year the Data Breach Litigation Report offers a needed view into the reality of the legal risk associated with data security incidents. I spoke with David Zetoony, attorney at Bryan Cave LLC, about this year's edition and its most notable findings.

What laws are most effective in bringing class-action breach litigation?

This is almost a trick question, as there are no really good laws that work well in terms of winning class action litigation. Our 2017 report shows that plaintiffs' attorneys tried 21 different legal theories. From our perspective, the large numbers mean that plaintiffs' attorneys are piling on multiple counts and adding more theories to a complaint to try to avoid motions to dismiss. In terms of what they think is working, you should focus on the "old" theories that appear to be gaining in prominence each year. For example, negligence was 75 percent last year and up to 95 percent this year. Unfair and deceptive acts and practices is still on the list but seems to be dropping in frequency. I'd suggest the reason for that is that because unfair and deceptive acts and practices relates to state statutes, its inclusion can open up a host of class action certification issues as a court tries to determine whether an entire class could be certified under one state's law. On the other hand, negligence and breach of contract are common law claims that are often easier to certify.

If the healthcare sector leads the pack in total breaches — your report estimates 70% — then why do they only make up 34% of lawsuits?

Although healthcare breaches often involve sensitive data that has a high value on the black market, many of the healthcare breaches involve small physician practices or community hospitals where there may be fewer than 10,000 records involved. Generally, that scale is not large enough to bring a class action suit. There may also be cases that are just not making it to federal court. For example, if a local physician's practice is breached, the physician and all of her patients may be in the same state and there may not be sufficient diversity to remove to federal court. However, among the big healthcare breaches, such as those involving insurance companies and hospital networks that have large aggregations of data, we are definitely seeing class action filings.

What is bailment and how is it applied to data security law?

Bailment is a theory most people learn in law school and never use again. To provide context, most of the law school cases that we are taught involve a horse. The theory is that if you give someone something to hold onto and they are supposed to give it back to you they may have a duty to protect it while it is in their possession. It makes sense when you are talking about something like a valet taking your car or a coat check in a restaurant. People are trying to apply it to data security but it is fundamentally a mismatch because most companies would not say that they are taking your data and planning to give it back to you. It’s really a grasping-at-straws theory that we don’t expect to have much success.

Which plaintiff firms are leading the pack in this area?

More than 72 firms filed class action complaints. While a few have better reputations than others, even the biggest plaintiffs' firms are filing six data breach class action complaints a year at most, and many file fewer than that. With so few successes in this field to date, and very few payouts as a result, it's simply not a profitable business model for most plaintiffs' firms.

What are the leading allegations pertaining to poor security? What safeguard controls seem to be most often lacking?

We don't track this statistically in our report. Anecdotally, there are no leading allegations of bad security because most plaintiffs are functionally filing cases that implicitly rely upon a res ipsa loquitur theory. Put differently, they are implicitly stating that the "breach speaks for itself," or that the fact that a company was breached somehow suggests that the company had deficient security. In my opinion, it shows a fundamental deficiency in these complaints and a lack of due diligence by plaintiffs' firms. If every breach speaks for itself, then you're ignoring the law and the fact that companies are not responsible for the actions of criminals. The truth is that a company can do all the right things in terms of security and still have a bad result if a criminal attacks the company.

In summary…

We want to thank Mr. Zetoony for his insights into data breach litigation trends. This is definitely a topic important to the many cyber risk insurance companies that we at NetDiligence support, including the corporate risk managers concerned about class action exposures. Our goal would be to connect with the Bryan Cave law firm on an annual basis to see how these trends might change as new legal precedents are created, as new legislation continues to emerge, and as identity theft victims become more aware of the damages.