by Jay Marshall Wolman, CIPP/US
Recently, this blog has published posts on a new Connecticut law and a 7th Circuit ruling on data breach, both of which address the issue of standing in class action data breach suits. Standing, in plain terms, means having a legal right to sue based on an injury to you. The Sierra Club may have standing to sue for environmental damages because its members are specifically harmed; even if many of those members also belonged to Susan Boyle Fans International, Inc., the fan club would not have standing because the organization as a whole is not harmed.
Actual harm is key. In many data breach cases, it is hard to show actual harm; identity theft may very well not occur and free credit monitoring eliminates the direct consumer cost. Thus, a lot of litigation has focused on the right to sue in the event of a data breach.
Now, we have the Ashley Madison hack and data dump. Ashley Madison, as you may know, is a matchmaking service for adultery. Unlike prior breaches, the hackers are not merely keeping the information to themselves, but they are releasing information that identifies people, including public figures and federal employees. Divorces will occur because of the data dump. This is not a case of “maybe someone will open a credit card in my name”; it is a case of “I have to pay alimony and child support for the foreseeable future”. Data breach victims now have tangible harm.
Class action attorneys will still litigate questions of typicality and commonality, for not every victim will suffer the same harm. But class certification is likely, even in such instances. In the Black Farmers Case, the class was certified even where different class members had widely varying economic losses as a result of allegations of discrimination in USDA loan programs. The question in this matter will not be whether to certify, then, but rather how to establish class member damages. Although this is probably the least sympathetic data breach class, it will be one of the best cases.
I should also note that the case for liability seems pretty decent. In the Neiman Marcus case, the plaintiffs alleged:
negligence, breach of implied contract, unjust enrichment, unfair and deceptive business practices, invasion of privacy, and violation of several state data breach acts.
That case lacked something this case has: an express guarantee. Take a look:
We treat data as an asset that must be protected against loss and unauthorized access. To safeguard the confidentiality and security of your PII, we use industry standard practices and technologies including but not limited to “firewalls”, encrypted transmission via SSL (Secure Socket Layer) and strong data encryption of sensitive personal and/or financial information when it is stored to disk.
That just seems to be another broken promise. Section I of their Terms and Conditions states:
Privacy & Use of Information
This is a pretty weak effort at a release and may well not be enforceable. Of course, the Terms and Conditions do have a choice of law provision, New York, which is pretty strong in their favor. They also have a mandatory arbitration clause, along with a class action waiver and a damages cap of $5,000. I expect significant litigation over the enforceability of these terms.