Rarely does a day go by without news of a data security breach. According to the Identity Theft Resource Center, there have been a total of 447 data breaches to date this year, a 20.5% increase over the same period last year (371 breaches). The majority of courts ruling on individual common law claims arising from data security breaches have dismissed the claims, primarily for lack of standing or for lack of damages where plaintiffs failed to prove actual harm. However, the tide is turning, starting with the U.S. District Court for the Northern District of California denying a motion to dismiss and recognizing an ascertainable value and/or property right inherent in consumers’ personally identifiable information. Claridge v. RockYou, 785 F. Supp. 2d 855 (N.D. Cal. 2011).
After several high-profile data breaches (Target, Neiman Marcus, eBay, Michaels Stores), there has been an increase in class action lawsuits filed. Shareholders are weighing in, too, filing shareholder derivative suits based upon data security breaches. See, e.g., Palkon ex rel. Wyndham Worldwide Corp. v. Holmes, No. 2:14-cv-01234 (D.N.J. filed Feb. 25, 2014).
Now, financial institutions are joining the legal battle over data breaches. In Winsouth Credit Union v. MAPCO Express, Inc., No. 3:14-cv-01573 (M.D. Tenn. filed July 31, 2014), a retail credit union that issued Visa debit cards to its customers filed suit on behalf of all similarly situated financial institutions against a convenience store corporation and its parent company. The claims relate to a data breach of plaintiff’s debit cards used by its customers at the defendant’s retail stores. The alleged damages include (i) cancelling customers’ debit cards; (ii) reissuing debit cards with new account numbers; (iii) reimbursing fraudulent charges or reversing fraudulent charges; (iv) lost interest and transaction fees (including lost interchange fees); (v) administrative expenses associated with monitoring and preventing fraud; (vi) administrative expenses associated with addressing customer confusion and fraud claims; and (vii) “potential damages” to plaintiff’s reputation and lost customers.
The costs of a data breach can be significant. According to the 2014 Cost of Data Breach Study: Global Analysis, the average cost to a company suffering a data breach is US$3.5 million, 15% more than it cost last year.
Given the new threat of financial institutions suing companies for a data breach, preventative planning is critical. In-house counsel should not delay establishing or improving a company’s cyber security program. A risk assessment of a company’s data security system (performed by a third-party vendor, not internal IT employees) should involve outside counsel to preserve the attorney-client privilege applicable to any reports or other communications relating to the assessment. A data breach plan should be instituted before a data breach occurs and shared with key management, not only C-suite executives. A company’s preparation and planning should involve stakeholders, a critical step that is often overlooked.