Today's Trends in Credit Regulation

Litigation in Wake of Security Breach Can Present Challenges on Many Fronts
By Michael Goodman

Media reports of data security breaches among retailers, information brokers, payment card processors, and others have become routine. While these incidents may quickly retreat from the spotlight after an initial flurry of attention, lawsuits related to the breaches linger on much longer and may impose a sting sharper than negative publicity. This article gives an overview of the array of legal attacks that have arisen from data security breaches.

Consumer class action complaints have inevitably followed each announcement of a major retailer security breach in recent memory. Hannaford Brothers Company faced 17 separate class actions before they were consolidated into one proceeding. Allegations against the grocery chain included claims based on negligence, state unfair or deceptive acts and practices (UDAP) laws, and failure to comply with the card issuers’ Payment Card Industry Data Security Standards (PCI DSS).

A similar suit filed against Lending Tree LLC alleged negligence and breach of implied contract. Lending Tree reacted to this complaint by suing those of its clients that allegedly took part in the unauthorized access. Lending Tree asserted that these clients used company insiders to improperly obtain passwords and other customer information for marketing purposes. In other actions arising from data security breaches, consumer suits have also included claims of breach of contract, emotional distress, invasion of privacy, common-law fraudulent inducement, and negligent misrepresentation.

Although a variety of legal challenges are available to consumers in the wake of a security breach, affected consumers have, at times, struggled to establish sufficient harm to allow their cases to proceed. In a consumer class action against shoe retailer DSW, Inc., the court held that consumers lacked standing to sue when their only harm was an increased risk of abuse of credit card information, as opposed to actual economic harm.

However, another court allowed an affected consumer to proceed against Jackson Hewitt Tax Service, Inc. even though the consumer suffered no actual identity theft or economic harm. The court dismissed some claims but retained other claims under a state UDAP law and common-law fraudulent inducement, where statutory damages are available.

In all, courts have adopted varying approaches to injury-in-fact standing in security breach cases. The majority view appears to require more than unauthorized access to personal information in the absence of actual identity theft. These courts look for provable economic injury. There is a minority approach, however, that has accepted claims based on possible economic harm and emotional distress.

Retailers experiencing a security breach must also contend with lawsuits filed by banks and other affected business partners. Several banks and credit unions sued Heartland Payment Systems, Inc., a payment processor, for failure to adequately protect consumer data. Their claims have included violations of state UDAP laws, breach of implied contract, and negligence. These financial institutions are seeking to recover costs associated with notifying affected consumers and reissuing credit and debit cards, among other things. Of course, several consumer class actions have also been filed against Heartland.

Such costs can rise significantly depending on the scope and nature of the breach. Retailers that have settled these business-to-business suits have paid substantial penalties. For example, TJX Companies Inc. paid card issuers $40.9 million in connection with its security breach. TJX’s settlement did not even resolve all claims against the company. Financial institutions that did not take part in this payment are continuing to proceed with their claims.

In addition, business-to-business litigation is beginning to appear outside the typical context of a financial institution suing a breached retailer. At the time that payment card processor CardSystems Solutions Inc. was breached, it was operating under a certification provided by a third-party auditor that CardSystems was in compliance with the self-regulatory predecessor of PCI DSS. A bank that was assigned CardSystems’ rights following its bankruptcy filing sued the auditor for breach of contract, negligence, and negligent misrepresentation. Because no business wants to be left holding the hot potato of paying for the aftermath of a security breach, suits like this one, and others asserting new theories of liability, seem likely.

All of this activity within the context of private litigation supplements the separate realm of administrative enforcement actions in response to retailers’ security breaches. On June 23, 2009, 42 states announced a $9.75 million settlement with TJX arising from allegations of inadequate data security.

Additionally, most states require breach notifications, and several states are beginning to adopt security and confidentiality standards for personal information. Other states, led by Minnesota, have adopted or are considering retailer data breach liability laws to expressly assign responsibility in the event of a security breach.

At the federal level, there is no current notification requirement, but the Gramm-Leach-Bliley Safeguards Rule requires covered financial institutions to implement an information security program. In addition, the Federal Trade Commission has used its general prohibition on unfair or deceptive acts and practices to challenge inadequate data security. The FTC has collected multi-million dollar settlements from retailers, asserting that unreasonable data security can be “unfair” and that acting contrary to promises made in a privacy policy can be “deceptive.”

If the negative public relations attention that accompanies a security breach does not provide sufficient incentive to implement a comprehensive data security program, this overview of the resulting litigation should convince anyone responsible for consumers’ personal information to address privacy and security concerns as soon as possible.

Michael Goodman is a partner in the Washington, D.C., office of Hudson Cook, LLP. Basis Points readers can reach Mike at 202-327-9704 or by email at mgoodman@hudco.com.

Copyright © 2024 CounselorLibrary.com, LLC. All rights reserved.