How to Demonstrate Causation and Harm In Data Breach Litigation
Demonstrating that a data breach has resulted in an injury-in-fact can be difficult, because it is not always clear what has happened or will happen with the stolen data.
February 08, 2019 at 07:00 AM
6 minute read
This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.
Data breaches can have substantial adverse impacts on firms, not only in the form of negative publicity or harm to a company's brand and revenues, but through litigation that may result. A key point of contention in data breach litigation has been whether plaintiffs have met the injury-in-fact standing requirement of Article III of the Constitution. Demonstrating that a data breach has resulted in an injury-in-fact can be difficult, because it is not always clear what has happened or will happen with the stolen data.
For example, suppose hackers gained access to consumers' personal information but the information has not yet been misused. In that case, the breach will not have resulted in actual economic harm to the consumers even though risk for future harm from the breach may remain. As a result of this dynamic, plaintiffs in data breach litigation typically allege harm in terms of something that could happen (i.e., an increased risk of future injury) rather than something that did happen.
The determination of standing under Article III also hinges on whether the present or future alleged harm was caused by the data breach in question, as opposed to another independent event or factor. Because of the conjectural nature of harm in many data breach litigations, the inference of causation can be complex. For litigators on both sides of data breach cases, the framework for assessing causal relationships in product liability litigation for pharmaceuticals and medical devices may provide helpful guidance. In this framework, assessment of a causal relationship occurs through two levels of inquiry:
1. General Causation: Whether exposure to a product is plausibly related to the adverse outcome being alleged; and
2. Specific Causation: Whether a specific plaintiff's exposure can be shown to have been the cause of a particular adverse outcome as opposed to any other risk factor.
For a causal relationship to be established, the answer to both of these inquiries must be “yes.” For example, in the multidistrict litigation involving the cholesterol drug Lipitor, plaintiffs alleged that Pfizer had failed to adequately warn users that exposure to certain doses of the drug was causally associated with a previously undisclosed increased risk of type 2 diabetes. In one ruling, a district court found that plaintiffs did not establish a general causal link between exposure to the drug at one of the specified dosages and the onset of diabetes. Additionally, the court found that plaintiffs failed to establish that the onset of diabetes was specifically caused by Lipitor exposure (at any dosage) as opposed to some other risk factor.
How can one apply a similar framework to data breach cases? Consider a breach in which hackers obtained contact information (e.g., email addresses) of a number of website users. Suppose these website users then bring a suit alleging that they now face an increased risk of financial identity theft. Could the plaintiffs demonstrate a causal connection between the at-issue breach and alleged harm?
|General Causation
The general causation inquiry might initially focus on the existence of a plausible and proximate causal link between the information obtained from the breach and the alleged injury. Despite the breach, an e-mail address, in itself, may not be sufficient to cause the harm alleged by plaintiffs—substantially more information is likely needed to open fraudulent accounts based on fake identities. In other words, because the particular data that were stolen in this hypothetical breach would not be plausibly and proximately related to financial identify theft, there would be no evidence of general causation. This would be similar to the finding in the Lipitor MDL that a specified dosage was below the level needed to establish a causal link to the onset of type 2 diabetes.
Suppose instead that a data breach resulted in the theft of a more comprehensive set of consumers' personally identifiable information (PII) (e.g., contact information, social security numbers, banking information, passwords, and security questions and answers). In this case, plaintiffs may be able to establish that such a breach could plausibly lead to financial identity theft, thereby satisfying the general causation requirement.
|Specific Causation
The inquiry would then move to the specific causation stage, which would focus on the question of the likelihood that this particular breach could be shown to be responsible for the alleged harm, independent of other causes. For example, if the stolen information were already accessible to potential misusers due to another data breach of many of the same people, the connection between the particular data breach at issue and the injury would be confounded. In such a situation, plaintiffs would likely be required to establish a more precise link between the at-issue breach and the alleged harm to survive the specific causation inquiry.
A recent case, Hutton v. National Board of Examiners in Optometry (NBEO), (Fourth Cir. June 12, 2018), provides an example of a case in which plaintiffs were able to establish both general and specific causation. In Hutton, a group of optometrists noticed that credit card accounts had been fraudulently opened in their names. They determined that the only common entity to which all of them had provided the necessary personal information to open credit card accounts was the NBEO, an organization to which every optometry graduate had to submit personal information such as social security numbers as part of board certification exams. The optometrists sued NBEO, claiming, inter alia, negligence and breach of contract. A district court dismissed the suit for lack of Article III standing, but the Fourth Circuit Court of Appeals reinstated it. The appeals court held that plaintiffs had established, first, that the theft of information from the breach could cause the alleged injuries (general causation); and, second, that those injuries could plausibly be traced to the specific breach in question (specific causation).
|Analysis
Clearing the threshold of establishing general and specific causation in a typical data breach litigation will often be difficult. Litigators applying the framework to data breach litigation would do well to familiarize themselves with the particular type and amount of data that were allegedly part of the breach. What information were available elsewhere? How plausible is the connection between those data and the claimed injury? Consideration of these and other elements will help litigators formulate approaches that can maximize their clients' chances of prevailing in the litigation.
Brian Ellman and Jee-Yeon Lehmann are vice presidents in the Washington, DC and Boston offices of Analysis Group, Inc., respectively.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Call for Nominations: Elite Trial Lawyers 2025
- 2Senate Judiciary Dems Release Report on Supreme Court Ethics
- 3Senate Confirms Last 2 of Biden's California Judicial Nominees
- 4Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
- 5Tom Girardi to Surrender to Federal Authorities on Jan. 7
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250