Data breaches are common and expensive. When a breach is discovered, companies can easily spend millions notifying affected customers, covering credit monitoring and identity theft services, and conducting forensic investigations—for a total cost of $225 per record stolen.
But, for a while, data breach victims could take some comfort in knowing that data breach litigation wasn’t going to be easy. Thanks to the Supreme Court’s 2016 Spokeo v. Robins decision, individuals whose information was exposed in a data breach have struggled to establish standing when suing over the breach. A growing series of cases, however, including a recent opinion from the D.C. Circuit, may be blunting Spokeo’s edge, making it easier to sue companies following breaches.
Yes, if you didn’t think the consequences of a data breach were bad enough already, they could be getting worse.
Where’s the Harm in a Data Breach?
While data breach fallout for companies can be serious, the consequences for those whose data is lost—customers, clients, patients, and the like—can also be significant: the threat of identity theft, the risk of further hacking, the possibility that your information is being bought and sold on the more criminal corners of the web. But is that potential damage enough to sustain a lawsuit?
Maybe not. Parties now routinely argue that Spokeo prevents such suits, with a fair amount of success. That landmark decision, however, didn’t involve a data breach lawsuit. Rather, Spokeo arose out of misinformation online. Spokeo, the titular “people search” website, aggregates information about individuals and makes it available online. But, some claim, that information isn’t always accurate.
When Thomas Robins found himself on Spokeo, for example, he noticed that Spokeo had a few details wrong: Robins was wealthy, married, and a father, the site claimed, while in reality he was single, unemployed and desperately looking for work. Spokeo’s rose-colored view of his life could prevent him from landing a job, he worried. Robins eventually filed a putative class action, alleging that Spokeo had violated the Fair Credit Reporting Act.
It was that suit that the Supreme Court addressed in 2016. Robins had failed to demonstrate “injury in fact,” Justice Samuel Alito wrote in a six-to-two decision. A statutory violation alone, without a showing of concrete injury, simply wasn’t enough to meet the requirements of Article III standing.
Though the ruling wasn't as strong as some in the defense bar would have liked, many still thought that Spokeo could be used as a shield against consumer litigation. Last December, the Seventh Circuit found that Spokeo prevented a suit over the disclosure of credit card information on sales receipts. The D.C. Circuit, as well, relied on Spokeo when tossing out a suit over violations of the District’s Use of Consumer Information Act. The plaintiff couldn’t even “get out of the gate,” the three-judge panel ruled. Spokeo, some experts claimed, meant that “data breach defendants don’t need to give in.”
A New Approach to Spokeo?
But the treatment of Spokeo hasn’t been uniform and the case has not always been the shield data breach defendants would have hoped. The Sixth Circuit, for example, in the first major opinion interpreting Spokeo in the data-breach context, found that victims of Nationwide’s 2012 data breach could sue under the FCRA. Though no actual cases of fraud or identity theft had been alleged, the Sixth found in Galaria v. Nationwide that the plaintiff’s injuries were not merely hypothetical:
There is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals. … Where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for the fraudulent purposes alleged in Plaintiffs’ complaints.
In January, the Third Circuit followed suit, allowing customers of Horizon Healthcare to continue pursuing their data breach class action, despite the company’s Spokeo-based arguments on standing. Spokeo, the Third Circuit wrote, “rejected the argument that an injury must be ‘tangible’ in order to be ‘concrete’”.
“In the absence of any indication to the contrary,” the court concluded, “we understand that the Spokeo Court meant to reiterate traditional notions of standing, rather than erect any new barriers”.
Then, on August 1st, the D.C. Circuit issued a similar ruling. After CareFirst, a health insurer, suffered a cyberattack that exposed customers’ personal information, several of those customers sued, saying that the insurer’s carelessness was responsible for the breach. The plaintiffs’ claim that they suffered an increased risk of identity theft was enough to get over “the low bar to establish their standing at the pleading stage.”
And then there is Spokeo itself. On remand from the Supreme Court, the Ninth Circuit applied the High Court's decision to Robins' suit—and found that it survived. On Tuesday, the Ninth ruled once again that Robins' allegation of a statutory injury under the FCRA alone was sufficient.
The softer approach taken by these courts is quickly becoming “a fast-emerging consensus” on Spokeo’s impact, according to Reuters’ Alison Frankel—though a “growing circuit split” might be a more accurate description.
Why It Matters for You
What does all this appellate caselaw have to do with lawyers and eDiscovery professionals? A lot—and not just for those counseling data breach victims. Attorneys hold client information that is much more valuable than a few digits of a credit card or an individual’s login credentials. Attorney files are full of valuable IP, insider information, corporate strategies, settlement thresholds, and the like.
Law firm cyberattacks are already disturbingly common, whether it’s the hacking of two Big Law firms for insider trading, the phishing of firm partners, or the ransomware strike that briefly shuttered DLA Piper this June.
The discovery process is itself particularly vulnerable to data breaches. Data is most at risk when in motion, and archaic eDiscovery processes are full of data in motion: transfers from custodians to clients to attorneys to tech teams to vendors to reviewers to requesting parties, etc.
Discovery data breaches are already taking place. Some are accidental, like the recent Wells Fargo debacle, during which personal and financial information about some of the bank’s richest clients was inadvertently produced to the other side—and then to the New York Times. But other discovery breaches are certainly the result of malicious outsiders, hackers who know that a discovery repository is where the most valuable information is stored.
With data breach litigation becoming more viable, it is likely a matter of time before a law firm finds itself on the receiving end of a data breach lawsuit, claiming not just a violation of privacy, but malpractice. Protecting your clients, and your firm, from a data breach is more important now than ever.