Advising clients is sometimes like the old joke about how to outrun a bear – make sure you are faster than the other guy. Cybersecurity and the law is just as cutthroat and a new trend in litigation makes it more important than ever for companies to employ the gold standard in cybersecurity, leaving the weak to be eaten by class action plaintiffs.
Few lawsuits seeking damages against industry for loss of Personally Identifiable Information (“PII”) because of identity theft have made the news lately. You would think the multiple and serious breaches that occurred over the last few years would generate a blizzard of litigation. Cyber Security breaches occur almost daily, so often that we only hear about the major ones – the Target breach, the Sony hack, the OPM debacle, Anthem and Ashley Madison and Home Depot (to name a few).
During my keynotes I have taken to asking my audiences (sometimes in the thousands) to raise their hands if they have received a dreaded “identity monitoring letter.” Though not tested by any true empirical rigor, the older and more professional the crowd, the more likely a forest of hands will reach upward. Each year the question receives more hands, and if we don’t stop this trend of massive-scale identity breaches, the majority of adults in the US may find themselves subscribing to identity monitoring companies that benefit from the carrion left in the wake of a cyberattack.
In light of the number of people who have lost their PII to these breaches, one would think that an enterprising lawyer would gobble them all up after a breach and lock them into a massive class action lawsuit against the corporation that failed them. Why don’t we hear about these billion dollar lawsuits? And while we are at it, what, exactly, is an identity worth these days?
According to a December 2014 report by Dell SecureWorks, counterfeit identities have trended favorably for thieves who need to support their fraud business – passports, fake identity kits, utility bills, driver’s licenses and Social Security numbers. $250 buys you a new identity, including a SSN, name and address. For just $100 more, they will throw in a utility bill for ID verification purposes.
Around $250 to $350. That’s what your identity sells for on the black market. But a savvy lawyer can sue for more. Let’s look at the issue from another direction. What is the potential harm (on average) for someone who has lost their identity?
According to a September 2015 US Department of Justice, Bureau of Justice Statistics Bulletin (NCJ 248991), an estimate of 17.6 million persons (or 7% of all US residents over 16 years old) were victims of identity theft in 2014. According to the report, the mean direct (monetary amount the offender obtained from using the victim’s PII) and indirect (other costs caused by the identity theft, such as legal fees, bounced checks, and other miscellaneous expenses) loss from victims reporting identity theft was $1,343.
If we assume that the DOJ’s statistics are sound, and we look at just one cyber security breach – say the Anthem hack – it boggles the mind that some enterprising lawyer didn’t gather all (approximately) 80 million people informed that their identities may have been lost because of the breach, multiply by $1,343, and sue Anthem for over $107 billion. To return to my earlier question: why don’t we hear about these billion dollar lawsuits?
Until very recently, courts have consistently dismissed class action lawsuits making claims about cybersecurity breaches for lack of “standing.” The courts ruled that plaintiffs bringing these suits couldn’t show any future injury based on the potential unauthorized use of their private information. Indeed, most plaintiffs in these cases could only claim that a future threat existed that their identity could be sold and used illegally sometime down the road.
However, In July 2015, in what may become a landmark case, the Seventh Circuit in Remijas v. Neiman Marcus Group, 794 F. 3d 688 (7th Cir. 2015) allowed a case to proceed under a “substantial risk of future harm” standard because the harm was found to be “certainly impending.”
In mid-December 2013, Neiman Marcus learned that fraudulent charges had shown up on the credit cards of some of its customers and discovered potential malware in its computer systems. Nine days later, Neiman Marcus publicly disclosed the data breach and sent individual notifications to the customers who had incurred fraudulent charges. The company confirmed that 350,000 cards were potentially exposed and 9,200 of those 350,000 cards were known to have been used fraudulently.
Various groups of plaintiffs filed class action lawsuits. All of the plaintiffs claimed that they had used a credit or debit card at a Neiman Marcus. However, the majority of the plaintiffs alleged “only that their data may have been stolen.” Neiman Marcus moved to dismiss the complaint for lack of standing and for failure to state a claim. On September 16, 2014, the district judge granted the motion exclusively on standing grounds, and the plaintiffs appealed to the Seventh Circuit.
The Seventh Circuit (which covers federal courts in Illinois, Indiana, and Wisconsin) reversed the district court decision and found standing despite a lack of significant proven harm. To find standing, the Seventh Circuit stated that plaintiff’s must allege that “the data breach inflicted concrete, particularized injury on them; that Neiman Marcus caused that injury; and that a judicial decision can provide redress for them.” Citing a 2013 Supreme Court Case, the Seventh Circuit opinion stated that allegations of future harm can establish standing if harm is “certainly impending.” Clapper v. Amnesty Int’l, 133 U.S. 1138 (2013). The court reasoned that the purpose of a data breach is to steal private information in order to use it. Therefore, the plaintiffs should not have to wait until hackers commit identity theft in order to have standing to bring the lawsuit, because there is an “objectively reasonable likelihood” that an injury will occur. In other words, for hacking cases, a substantial risk of future harm was enough to meet the Supreme Court standard set in Clapper, because the risk of future harm is less speculative and more real.
The Seventh Circuit’s decision bears watching. If other Circuits and jurisdictions follow suit and allow class action plaintiffs to sue organizations that suffer cybersecurity breaches, the landscape of cybersecurity litigation will change. Billion dollar cases will no longer rest on a company’s ability to dismiss a claim for lack of standing, but on a reasonableness standard where companies will be held against a harsh light of whether they took reasonable and proactive steps to protect the information of their customers.
Cybersecurity is currently an unregulated industry with a few sets of best standards to loosely guide organizations. Companies that fail to employ the best and complete methods to protect themselves – to achieve a gold standard – will be eaten by the bear and become buried in the avalanche of litigation hanging right over the horizon.