Data Breach Liability from a Class Action Trial Lawyer’s Standpoint

Posted by Mark Greisiger

A Q&A with Jay Edelson of Edelson LLC
With court attitudes around privacy issues constantly evolving, it can be a challenge to understand what constitutes a significant data breach case and the consequences liable organizations face. I asked counsel Jay Edelson about how he chooses his class action cases and how the current legal climate is treating them.

What are some traits or hallmarks that you look for when determining whether a data breach case might be ripe for a class action proceeding?
The first thing we look for is the degree of sensitivity of the information that was left unguarded. We are more likely to choose something that seems like a serious breach, like those involving health records or private information of children.  For a suit to be successful, it needs to connect with the judge and jury on an emotional level—in short, they must be convinced that the loss of information truly matters to people. The reason that this is such an important hurdle to clear comes from the fact that data breach litigation is an emerging issue of the law. Courts don’t have the extensive precedent to look to, as in other consumer cases. If we can’t sell the case on an emotional level then it will be significantly harder to get them to be receptive to our broader arguments. Next, we will look at why or how the breach occurred. If it was something we think was preventable—for example, misplaced laptops that didn’t have basic encryption, as opposed to, say, a sophisticated hack from Eastern Europe—then we are more likely to take it on. The key that many plaintiffs’ attorneys unfortunately sometimes aren’t attuned to is that simply because a breach occurred does not automatically mean that the company acted negligently. Hackers and thieves are increasingly more sophisticated and there are certain times that it would be unreasonable for a company to have done more to guard their consumer data. Most data breach cases tend to be large so the size of the class doesn’t tend to be a determining factor, though of course the larger number of people involved the easier it is to justify putting more resources to the case.

In the past, it seems many plaintiffs/victims were only offered a year of free credit monitoring, which, arguably, is of little value to them. What are some additional settlement remedies your team (or your peers) are now pursuing to compensate victims?
Prior to a few years ago, the law was fairly settled and the thinking was that the fact that your information was out there in and of itself wasn’t enough to harm you—you’d have to show something more to the court to demonstrate harm. But that’s changed recently with decisions such as Resnick v. Avmed from the United States Court of Appeals, Eleventh Circuit. In Avmed, the court recognized that if people are paying the defendant money and they have a reasonable expectation that part of that money will go towards protecting their information, they have been essentially “overpaid” for their goods or services if the company was not following through on its promises. Due to cases like this, we’re starting to see settlements move away from the “free credit monitoring” deals to monetary compensation.

What regulations do you call on to bring a case, and what is a typical negligence claim you’ve made?
We don’t look to regulations so much as the common law. We’re looking at the types of express or implied promises made to consumers. In terms of negligence, our theories are pretty simple: We’re bringing cases when we believe that the defendant wasn’t following industry security standards.

Which security shortcomings of breached organizations drive you nuts?
I think that corporations are not really asking the right questions internally about where the data is stored and how it’s being protected. Sometimes they’ll hire an outside consultant and they think because they’re paying someone money, they’re being responsible. The problem is that the companies aren’t thinking through these issues in a truly robust way. They’re often not asking the basic questions: Who has access to our data? Where is it being stored? What do we do with the laptops that we take out of circulation?

What steps would you recommend to limit exposure in a class action lawsuit?
Well, as a plaintiff’s attorney, I’m not generally in the business of giving advice to the defendant. But the way to limit exposure is to have really terrific protections so that the data isn’t hacked or stolen or lost. Protect—don’t harm—your client.

Which courts are the most sympathetic to these issues? 
A few years ago I would say there were none. Few if any courts were receptive to privacy cases. But there’s been a huge shift in the landscape, partly due to the increased sensitivity of the public. Issues such as the government spying program have changed the view of the judiciary as well, and we are now seeing great decisions coming from all over the country—in Chicago, where I’m located; in California; in Florida. At this point, I’d say there’s not a location in the United States where I’d be hesitant to bring a case.

In summary…
We invited Mr. Edelson to speak at our Marina del Rey Cyber Liability conference (attended by the majority of P&C insurers in the industry that offer cyber/privacy liability coverage) and he and his colleague were both very forthcoming and effective in educating the audience about the plaintiff’s (victim’s) perspective—something that often gets lost in the quantum of cyber risk. Hopefully, risk managers are paying attention to these emerging theories of liability from the front lines of class action litigation. As a final comment, I’ll add that Jay and his fellow panelist received some of the highest praise from the hundreds of attendees, which is especially remarkable when you consider that some of those same audience members could be his future adversaries.

See this session recording on the eRisk Hub.