Data Breach Litigation – A New Wave of Class Actions by Financial Institutions


Rarely does a day go by without news of a data security breach. According to the Identity Theft Resource Center, there have been a total of 447 data breaches to date this year, a 20.5% increase over the same period last year (371 breaches). The majority of courts ruling on individual common law claims arising from data security breaches have dismissed them, primarily for lack of standing or for lack of damages where the plaintiff failed to prove actual harm. However, the tide is turning, starting with the U.S. District Court for the Northern District of California, which denied a motion to dismiss and recognized an ascertainable value and/or property right inherent in consumers’ personally identifiable information. Claridge v. RockYou, 785 F. Supp. 2d 855 (N.D. Cal. 2011).

After several high-profile data breaches (e.g., Target, Neiman Marcus, eBay, Michaels Stores), the number of class action lawsuits filed has increased. Shareholders are weighing in, too, bringing shareholder derivative suits based upon data security breaches. See, e.g., Palkon ex rel. Wyndham Worldwide Corp. v. Holmes, No. 2:14-cv-01234 (D.N.J. filed Feb. 25, 2014).

Now, financial institutions are joining the legal battle over data breaches. In Winsouth Credit Union v. MAPCO Express, Inc., No. 3:14-cv-01573 (M.D. Tenn. filed July 31, 2014), a retail credit union that issued Visa debit cards to its customers filed suit on behalf of all similarly situated financial institutions against a convenience store corporation and its parent company. The claims relate to a data breach affecting plaintiff’s debit cards that its customers used at the defendant’s retail stores. The alleged damages include (i) cancelling customers’ debit cards; (ii) reissuing debit cards with new account numbers; (iii) reimbursing or reversing fraudulent charges; (iv) lost interest and transaction fees (including lost interchange fees); (v) administrative expenses associated with monitoring and preventing fraud; (vi) administrative expenses associated with addressing customer confusion and fraud claims; and (vii) “potential damages” to plaintiff’s reputation and lost customers.

The costs of a data breach can be significant. According to the 2014 Cost of Data Breach Study: Global Analysis, the average cost to a company suffering a data breach is $3.5 million (US dollars), 15% more than last year.

Given the new threat of financial institutions suing companies for a data breach, preventative planning is critical. In-house counsel should not delay establishing or improving a company’s cyber security program. A risk assessment of a company’s data security system (performed by a third-party vendor, not internal IT employees) should involve outside counsel to preserve the attorney-client privilege applicable to any reports or other communications relating to the assessment. A data breach plan should be instituted before a data breach occurs and shared with key management, not only C-suite executives. A company’s preparation and planning should be carried out together with stakeholders, a critical step that is often overlooked.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Butler Snow LLP | Attorney Advertising

Written by: Butler Snow LLP
