Data Breach Litigation – A New Wave of Class Actions by Financial Institutions


Rarely does a day go by without news of a data security breach.  According to the Identify Theft Resource Center, there have been a total of 447 data breaches to date this year, which represents a 20.5% increase over the same time period last year (371 breaches).  The majority of courts ruling on individual common law claims arising from data security breaches has dismissed the claims primarily based on lack of standing or lack of damages for failing to prove actual harm.  However, the tide is turning starting with the U.S. District Court for the Northern District of California denying a motion to dismiss recognizing an ascertainable value and/or property right inherent in consumers’ personally identifiable information.  Claridge v. RockYou, 785 F. Supp. 2d 855 (N.D. Cal. 2011).

After several high-profile data breaches, i.e., Target, Neiman Marcus, eBay, Michaels Stores, there has been an increase in class action lawsuits filed.  Shareholders are weighing in, too, resulting in shareholder derivative suits based upon data security breaches.  See, e.g., Palkon ex rel. Wyndham Worldwide Corp. v. Holmes, No. 2:14-cv-01234 (D.N.J. filed Feb. 25, 2014).

Now, financial institutions are joining the legal battle over data breaches.  In Winsouth Credit Union v. MAPCO Express, Inc., No. 3:14-cv-01573 (M.D. Tenn. filed July 31, 2014), a retail credit union who issued Visa debit cards to its customers filed suit on behalf of all similarly situated financial institutions against a convenience store corporation and its parent company.  The claims relate to a data breach of plaintiff’s debit cards used by its customers at the defendant’s retail stores.  The alleged damages include (i) cancelling customers’ debit cards, (ii) reissuing debit cards with new account numbers, (iii) reimbursing fraudulent charges or reversing fraudulent charges, (iv) lost interest and transaction fees (including lost interchange fees); (v) administrative expenses associated with monitoring and preventing fraud; (vi) administrative expenses associated with addressing customer confusion and fraud claims; and (vii) “potential damages” to plaintiff’s reputation and lost customers.

The costs of a data breach can be significant.  According to the 2014 Cost of Data Breach Study: Global Analysis, the average cost to a company suffering a data breach is $3.5 million in US dollars and 15% more than what it cost last year.

Given the new threat of financial institutions suing companies for a data breach, preventative planning is critical.  In-house counsel should not delay establishing or improving a company’s cyber security program.  A risk assessment of a company’s data security system (performed by a third party vendor – not internal IT employees) should involve outside counsel to preserve the attorney-client privilege applicable to any reports or other communications relating to the assessment.  A data breach plan should be instituted before a data breach occurs and shared with key management, not only C-suite executives.  A company’s preparation and planning should be with stakeholders, a critical step often overlooked.

Written by:

Published In:

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Butler Snow LLP | Attorney Advertising

Don't miss a thing! Build a custom news brief:

Read fresh new writing on compliance, cybersecurity, Dodd-Frank, whistleblowers, social media, hiring & firing, patent reform, the NLRB, Obamacare, the SEC…

…or whatever matters the most to you. Follow authors, firms, and topics on JD Supra.

Create your news brief now - it's free and easy »

All the intelligence you need, in one easy email:

Great! Your first step to building an email digest of JD Supra authors and topics. Log in with LinkedIn so we can start sending your digest...

Sign up for your custom alerts now, using LinkedIn ›

* With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name.