To Sue or be Sued?
Unless paying close attention to characters' small talk in Erin Brockovich, many do not understand the mechanics of large-scale, class-action litigation from the business perspective. Attorneys that initiate class-action lawsuits must evaluate cases from a risk/reward scenario. Although often claiming 30-40% of the final verdict or settlement award, the attorney risks all the costs in working the case. If the case is lost or a decent settlement is not reached, the attorney forfeits all funds spent on court costs, filing fees, expert witnesses, and his/her fees.
In the last year, the United States Supreme Court and several federal district courts tackled questions about whether data breach victims could sue for damages. Any attorney that represents class-actions is watching these same cases closely to answer this business question – is it worth the financial risk to represent a group of people in a data breach case?
A year or two ago, the answer (from a reasonably conservative mindset) was a resounding “No.” Now, tables are turning, and state attorney generals’ offices are encouraging a future influx of litigation.
Here is how:
1. The Right to Sue is Now Defined: Injury Beyond the Breach (Examples: Defamation, identity theft, Reputational Harm).
Between the United States Supreme Court’s opinions in Spokeo Inc. v. Robins (2016) and TransUnion v. Ramirez (2021), victims of data breaches can sue the data holders when the plaintiff’s alleged injury has a “close relationship” to a harm claimed – regardless of whether that harm is monetary, physical, reputational, or mental as intangible harms are evidence of a concrete injury.
A mere statutory breach by a defendant cannot suffice as the Supreme Court in TransUnion stated that “Only those plaintiffs who have been concretely harmed by a defendant's statutory violation may sue that private defendant over that violation in federal court."
TransUnion was a class-action suit for violations of the Fair Credit Reporting Act ("FCRA"). The first claim was that the defendant's failure to use reasonable procedures led to class members being inaccurately listed as "potential match[es]" to the Treasury Department's list of national security threats. The second claim involved the failure to adhere to FCRA formatting requirements in the mailing used to inform class members of the potential match.
The Supreme Court divided the class members two categories: 1) those whose credit reports were disseminated to a third-party; and 2) those whose reports were not disseminated. The first group, whose credit reports were sent to third parties demonstrated that they "suffered a harm with a 'close relationship'" to the harm associated with the tort of defamation, falsely labeled as potential terrorists, drug traffickers, or serious criminals. The second group had suffered no concrete harm for defamation or other type of injury. The risk of future harm was insufficient to assert a lawsuit.
Both the Eastern District of New York and Middle District of North Carolina recently followed this analysis.
2. State Laws and Enforcement Actions Support Claims in Civil Court:
On January 28, 2022, the California Attorney General’s Office announced that it was sending businesses that operate Customer Loyalty Programs official notices of failure to comply with the California Consumer Privacy Act. As stated in the press release, the CA Attorney General’s Office found that businesses offering financial incentives, such as discounts and coupon codes in exchange for personal information must provide consumers with a notice that clearly describes “the material terms of the financial incentive program to the consumer before they opt into the program” and gave the offending businesses 30 days to comply.
On January 24, 2022, the Attorney General for the District of Columbia announced a coalition with the attorney generals from Indiana, Texas, and Washington to pursue Google for unlawfully tracking consumer location data. These attorney generals claimed that “Google’s business model relies on constant surveillance of its users.”
While data breaches and accusations of improper data collection are separate events, these efforts signify a movement to recognize previously ignored elements of data injuries.