- After Zappos.com experienced a data breach incident, consumer plaintiffs relied on a statement the company allegedly communicated to shoppers on its e-commerce site that "shopping on Zappos.com is safe and secure—guaranteed" to assert that the company negligently misrepresented the safety of plaintiffs’ financial information and violated California’s unfair competition statute. In re Zappos.com, Inc., No. 12-325, 2013 BL 239619 (D. Nev. Sept. 9, 2013). The court found the statement sufficient to form the basis for both counts at the motion to dismiss stage. Id.
- Plaintiffs have also relied on statements in privacy policies to assert deception-based claims. In Grigsby v. Valve Corp., for example, a consumer plaintiff relied on statements allegedly made in the company’s privacy policy to support a claim of unfair or deceptive practices. Grigsby v. Valve Corp., No. 12-553, 2013 BL 96372 (W.D. Wash. Mar. 18, 2013) (12 PVLR 649, 4/15/13). Prior to the breach, the privacy policy purportedly indicated that "Valve has taken reasonable steps to protect the information users share with us, including, but not limited to, setup of processes, equipment and software to avoid unauthorized access or disclosure of this information. . . ." Plaintiff, characterizing this statement as a representation that users’ information "would be protected," alleged that he relied on this representation in choosing to purchase goods from the company. This assertion was sufficient, at the motion to dismiss stage, to allege that Valve acted unfairly or deceptively (finding plaintiffs stated a claim by relying on a statement in the privacy policy that the company used "reasonable administrative, technical, and physical security controls," despite separate language in the policy stating that no security measure is 100 percent effective) (13 PVLR 1604, 9/15/14).
2. Press Release. Consider carefully what information to disclose after a breach and make sure such disclosures are accurate because such disclosures may be relied on by courts to determine whether the plaintiffs were sufficiently injured or face an imminent risk of injury to have standing to sue either in a federal court under Article III of the U.S. Constitution or a state court. Actual damage is generally an element of the causes of action plaintiffs bring over data security breaches. At the motion to dismiss stage, one source of information courts may use to determine whether a sufficient injury exists is the company’s own statements, if any, about the extent and effect of the breach.
- See, e.g., Reilly v. Ceridian Corp., 664 F.3d 38, 41 (3d Cir. 2011) (concluding that "Appellants’ allegations of hypothetical, future injury do not establish standing under Article III") (10 PVLR 1859, 12/19/11); Maglio v. Advocate Health & Hosps. Corp., 40 N.E.3d 746, 753 (Ill. App. Ct. 2015) (finding "plaintiffs’ allegations of injury are clearly speculative, and therefore plaintiffs lack standing to bring suit") (14 PVLR 1091, 6/15/15).
- In Remijas v. Neiman Marcus, Neiman Marcus posted public statements on its website to keep customers abreast of the data security breach it had suffered, including acknowledging that 350,000 cards were potentially exposed, and 9,200 of those cards had experienced fraud. Remijas v. Neiman Marcus Grp. LLC, 794 F.3d 688, 690 (7th Cir. 2015) (14 PVLR 1807, 10/5/15). Neiman argued in its motion to dismiss that the consumer plaintiffs did not face an actual or imminent risk of harm sufficient for Article III standing. The Seventh Circuit focused on Neiman Marcus’s own public statements, particularly the statement that 9,200 of the potentially exposed payment cards had already suffered fraudulent charges, to conclude that future harm was sufficiently imminent to confer standing to the company’s customers.
- Cf. SuperValu, Inc., Customer Data Sec. Breach Litig., No. 14-4660, 2016 BL 3925 (D. Minn. January 7, 2016) (finding consumer plaintiffs lacked standing, rejecting plaintiffs’ reliance on the company’s press releases because those press releases in fact stated that there had been no determination that customer data had been stolen and no evidence that it had been misused).
3. Offering Credit Monitoring Services for Free in the Wake of a Breach. Offering credit monitoring to consumers whose information may have been compromised may be treated as an admission that those consumers face an imminent risk of injury. Many companies that suffer a data security breach offer free credit monitoring to consumers whose personal information may have been compromised in order to reduce the possibility that consumers could argue in litigation that they are "injured" from having to purchase such monitoring themselves. Consider including a statement clarifying the reason for the offer.
- In Neiman Marcus, the U.S. Court of Appeals for the Seventh Circuit treated Neiman Marcus’ offer of credit monitoring to its customers as an effective admission that the customers faced a sufficiently imminent risk of fraud to give them Article III standing. Neiman Marcus, 794 F.3d at 694. The court found the offer "telling," reasoning that "it is unlikely that" Neiman Marcus made the offer "because the risk [to plaintiffs’] is so ephemeral that it can safely be disregarded. These credit-monitoring services come at a price that is more than de minimis." Id.
4. Consider Ways to Protect Communications and Documents under the Attorney-Client Privilege or Work Product Doctrine.
- In the wake of the cyber-attack, Target set up a two-track response program. The first track involved a team of forensic experts who were engaged on behalf of several credit card brands (the PCI Investigator). The purpose of the second track was to assist counsel in conducting an investigation of the data breach to enable counsel to provide legal advice to Target. This track involved two key groups: (i) the Data Breach Task Force, which was made up of, among other persons, internal counsel and information technology specialists, and (ii) forensic experts engaged by Target’s outside counsel. During discovery, Target produced all communications with the PCI Investigator, but withheld communications with, and the work product of, the Data Breach Task Force and the experts engaged by counsel. Financial institutions pressing class actions against Target filed a motion to compel Target to produce, among other things, documents generated by the Data Breach Task Force and the forensic experts engaged to support counsel. The U.S. District Court for the District of Minnesota denied the motion as to documents generated by the Data Breach Task Force and the forensic experts engaged by counsel. In re Target Corp. Customer Data Sec. Breach Litig., No. 14-2522 (D. Minn. Oct. 23, 2015). "The work of the [second track] was focused not on remediation of the breach, as plaintiffs contend, but on informing Target’s in-house and outside counsel about the breach so that Target’s attorneys could provide the company with legal advice and prepare to defend the company in litigation." Id. Target also "produced documents and other tangible things, including forensic images, from which Plaintiffs can learn how the data breach occurred and about Target’s response to the breach." Id.