Recent Data Breach Cases
In Joan Longenecker-Wells v. Benecard Services, Inc., plaintiffs were employees who learned that their personal information, including dates of birth, social security numbers, addresses, etc., had been used to file fraudulent tax returns. The Third Circuit dismissed the plaintiffs’ claims, stating that their negligence claims were barred by the economic loss doctrine. The Third Circuit explains:
The District Court held that because Plaintiffs’ negligence claim sounds only in economic loss resulting from the fraudulent tax returns filed with their information, the economic loss doctrine bars their claim. We agree.
Food for thought. Can we say that a plaintiff who experiences the grave injustice of losing the benefit of a five-figure tax return is sustaining only economic loss? The real harm and the risk of ongoing identity fraud are more than economically and emotionally harmful. We must focus on the deeper-rooted issue that lies at the heart of data intrusion cases. The fundamental right to privacy that has deep roots in our history now extends to our digital privacy.
In contrast, we have Taylor v. Spherion Staffing LLC, et al., No. 3:15-cv-2299 (N.D. Ohio 2015); Ernst v. Dish Network, LLC, et al., No. 1:12-cv-8794 (S.D.N.Y. May 27, 2016); and Hillson et al. v. Kelly Services, No. 2:15-cv-10803 (E.D. Mich. June 8, 2016). These cases settled and involved allegations of statutory violations. Keep in mind that Spokeo left open the possibility that a statutory violation may involve a real risk of harm to satisfy the concreteness requirement. Thus, settlement may have presented a more attractive alternative than extended litigation about the sufficiency of alleged harms.
Consumer class action lawsuits are not a company’s worst nightmare when it experiences a massive data breach. Nope. It’s the lawsuits that Walmart, Home Depot and Wendy’s are filing for data breaches that can result in more massive losses for the breached company.
Headlines about the latest data breach continue to surface on the news about as frequently as we hear about Trump’s campaign travails. Interestingly, when Walmart, Home Depot or Wendy’s sues Visa and MasterCard for their data breach issues, those lawsuits don’t make the front pages. Did you know that banks got together and filed a class action lawsuit against Target for the much-publicized data breach? The consumer class action lawsuits against health insurance behemoths like Anthem and Premera have garnered a lot of attention. In the meantime, some of the Goliaths are suing the other Goliaths; their class action was certified late last year.
A takeaway from all of these class actions is that the victims and plaintiffs in data breach lawsuits are not only everyday consumers; they are also retail giants, banks, employees, etc. When an organization fails to exercise due care in safeguarding personal information, it had better get ready to face the wrath of someone…
An increasingly common and relatively easy way for hackers to access sensitive data is through “phishing,” where unwitting recipients of email or texts (SMS phishing or “smishing”) trust the sender with the sought-after information. According to Verizon’s new 2016 Data Breach Investigations Report, about 90% of security incidents stem from some form of phishing. Verizon reports that phishing continues to trend upward and is found in the most opportunistic attacks as well as “sophisticated nation-state tomfoolery.” But the president of the Olympia School District chuckles (yes, that’s right, chuckles) at its recent breach resulting from phishing because, according to what he told MyNorthwest reporter Sara Lerner:
“It happens…it’s an opportunity to have that conversation and move forward with it. You could call it a teachable moment if you want to,” he said, with a chuckle.
That kind of cavalier attitude is exactly the problem that we have with so many school districts and government agencies. One cannot be careless when it comes to sensitive data, whether it is at a school district or at the Health Care Authority/Apple Health Data Breach, where an employee’s mishandling and HCA’s insufficient privacy protocols allowed the medical records of 91,000 individuals to get sent to an unauthorized recipient.
As we continue our class action litigation regarding the Anthem data breach as well as the Amerigroup Washington data breach, I learn more about how stolen protected health information (PHI) is marketed on the dark net. To those who want to toss caution to the wind, feel free to do so with your own data. Just not everyone else’s.
BTW: If you were one of those who received a data breach notification from HCA or the Olympia School District, please contact me at Catherine@Stritmatter.com or 206.448.1777. I would like to learn your perspective and story, as well as share the details of how we’re trying to hold these organizations accountable to prevent future data breaches.
I wanted to share the above infographic from The Economist, which illustrates the spike in data breaches since 2005. Most notable: medical records data breaches rose over 40% last year. Subcontractor and employee negligence are also on the rise. A couple of positive takeaways are that there is apparently less insider theft and a decreasing percentage of breaches that include social security numbers.
I read an interesting post earlier today on one of WSJ’s blogs. It admitted that the pendulum has swung in favor of consumers in data breach cases. While defendant companies continue to get cases bounced on the flawed premise that data breach victims have not suffered any “actual harm,” more courts are sympathetic to the consumers.
Two big cases come to mind. One is the Wyndham data breach case (FTC brought the action). This past August, the Third U.S. Federal Circuit Court ruled against Wyndham, finding that the FTC can take action against organizations that adhered to poor IT security practices.
Several weeks before Wyndham was decided, the U.S. Court of Appeals for the Seventh Circuit reinstated a data breach case against Neiman Marcus. Why? It found that the risk of harm was enough to establish standing. The 350,000 affected customers “should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing,” the court ruled.
The Seventh Circuit, however, reinstated both types of claims – those who had incurred expenses tied to the Neiman Marcus hack, and those who feared identity theft in the future. Chief Judge Diane Wood pointed out that a breach victim’s fear of hackers in the future is not too “speculative” for a day in court.
Wood asks: “Why else [other than to cause harm] would hackers break into a store’s database and steal consumers’ private information?”