Privacy Predicament
As security breaches mushroom, courts remain skeptical of consumer and business claims.
August 31, 2007 at 08:00 PM
After TJX Companies announced early this year that hackers had stolen 45.7 million credit and debit card numbers–the largest data security breach in U.S. history–consumers, banking associations and a pension fund quickly took the retail giant to court.
Several consumer class actions accuse TJX, which operates 2,500 T.J. Maxx, Marshalls and HomeGoods stores, of negligence for failing to maintain adequate security and for failing to disclose the breach for a month. Three state banking associations seek recovery of “dramatic costs” they say their 300 member banks incurred in replacing credit cards and covering the costs of fraudulent purchases. The Arkansas Carpenters Pension Fund–which owns 4,500 shares of TJX stock–sued for access to records to see whether TJX's board was properly overseeing customer data protection. TJX's card processor, Fifth Third Bank, is a co-defendant in some of the suits.
Privacy law experts are closely watching the cases. According to the non-profit Privacy Rights Clearinghouse, these types of breaches have exposed more than 158 million records of U.S. residents since January 2005. But the courts consistently have shot down efforts by consumers, banks and other parties to recover damages. Companies faced with a breach can't afford to be complacent, though. Plaintiffs are testing new arguments in the TJX case and others, and rapidly evolving state privacy laws are opening new avenues for them to pursue.
“We're continuing to see a perfect storm with a large number of new laws with potentially conflicting requirements and ongoing security breaches that should point us to more litigation,” Kirk Nahra, partner in Wiley Rein, told a Practising Law Institute privacy forum in July. “If someone breaks the bank with a class action, a lot of plaintiffs' attorneys are on the sidelines waiting.”
Fear Factor
The plaintiffs' attorneys are still on the sidelines in part because the major federal privacy laws, including Gramm-Leach-Bliley and HIPAA, preclude private rights of action. Many state laws also give attorneys general enforcement power and preclude consumer suits.
“The states feel that a lot of laws are overenforced by private litigants and drive up costs on business,” says Andrew Serwin, partner in Foley & Lardner. “Before you see class actions take off, we will have to see more statutes that include statutory damages.”
Judges dismissed most of the consumer cases that have come to court because the plaintiffs couldn't show damages. That's because banks typically reimburse cardholders for all but $50 of illegitimate charges on their accounts. While identity theft can result in real damage, security breaches rarely lead to identity theft. In a report released in July, the General Accounting Office studied 24 major security breaches and found that only three resulted in identity theft.
Consumer suits often cite the distress of potential identity theft, but the courts consistently have held that fear of identity theft alone does not trigger damages. In a series of 2006 cases, federal courts in the Southern District of Ohio, the Eastern District of Arkansas, the Central District of Illinois, the District of Minnesota and the District of Arizona rejected consumer actions asserting that increased risk of identity theft justifies damages. The courts said that potential future injury from loss of personal data did not satisfy the requirement of “injury in fact.”
“Plaintiffs are still struggling with the square-peg-in-a-round-hole problem,” Nahra said. “They think a wrong occurred but they don't know what to call it.”
Mitigation Litigation
Consumers aren't alone in their struggle to recover damages after security breaches. The first major cost-mitigation suits, filed against BJ's Wholesale Club Inc., failed to recover anything.
After hackers accessed bank and debit card data of the customers of a BJ's Wholesale Club in Miami in 2005, the FTC issued a complaint against BJ's for failing to provide “reasonable security” for its computer network. Two banks and a credit union then sued BJ's in Pennsylvania federal court, seeking recoveries of the costs they incurred as a result of the breach. BJ's joined IBM, from which it had purchased software used for electronic transactions, claiming it had specifically requested that the software delete identifying information once the system validated a transaction.
The plaintiff financial institutions alleged they were third-party beneficiaries of a contract between BJ's and its card processor, Fifth Third Bank, which obligated BJ's to follow certain security practices. The court rejected this claim because the contract specified that there were to be no third-party beneficiaries. It also rejected negligence claims under the “economic loss doctrine”–the rule barring negligence claims for economic damages unless there has been physical injury to either a person or property.
Banknorth also asserted an “equitable subrogation” claim on behalf of cardholders. But the court said the cardholders had not lost anything because the bank covered unauthorized card use, so there was no claim for the bank to pursue on its customers' behalf. The judge threw out most of BJ's claims against IBM early in the case, and once he had dismissed all claims against BJ's, the rest of its claims became moot.
What's Ahead
Despite the fate of the BJ's litigation, the banking associations that filed suit against TJX claim their case will succeed because Massachusetts, where they filed suit, allows a statutory unfair trade practices claim. They also will claim negligent misrepresentation because TJX represented that it was safeguarding cardholder data.
Whether TJX will be the breakthrough case remains to be seen. In the meantime, point-the-finger suits are emerging as an important factor for all parties that handle consumer data to consider.
“That wave of litigation over who carries the responsibility is just cranking up,” says Scott O'Connell, partner in Nixon Peabody. “We'll see it for some period of time until the lawyers on the transactions side more carefully assess those risks and contract for it.”
Meanwhile, states are starting to pass data security laws that create causes of action for injured parties. If passed by Congress, comprehensive federal privacy legislation may also assign liability and provide statutory damages for consumers.
“You're going to see either the federal or state governments move to say, 'This is how we're going to deal with these issues, here's who's going to bear the risks, here are the requirements–violate them at your risk,'” Serwin says.
© 2024 ALM Global, LLC, All Rights Reserved.