
Today's Trends in Credit Regulation

Information Security Negligence Claims Paving Way to Common Law Standards
By Alicia H. Tortarolo

No matter where you spend your working hours (at a bank, a car dealership, or a retail store), there is a good chance that you are witnessing an evolution of information security governance within your organization. This progression stems from a myriad of legal, business, and societal sources dictating various information security obligations. A true patchwork of state and federal laws and regulations, coupled with industry standards and consumer expectations, tends to be at the forefront of everyone's compliance strategy.

Many of these sources, however, do not provide consumers with a private right of action through which to pursue grievances arising from a security breach. As a result, common law claims continue to produce an additional body of law that builds on the existing statutory and regulatory framework and increasingly substantiates a legal duty to provide information security within corporate America. A breach of that duty may constitute negligence. To prevail on such a claim, a claimant generally must demonstrate each of the following:

1) The defendant has a duty to the claimant to keep the data secure;

2) The defendant breached this data security duty;

3) This breach was the cause of the claimant’s injury; and

4) The claimant suffered damages because of the defendant’s breach of its data security duty.

The developing case law, however, reveals that this common law claim of information security negligence is not easily won. The last element, actual damages, continues to emerge as an impediment to a claimant's ability to successfully argue the claim. Potential harm is not enough.

In the recent case of In re Hannaford Bros. Co. Customer Data Security Breach Litigation, 2010 Me. LEXIS 97 (Me. September 21, 2010), a number of consumers affected by a grocery store chain's security breach sued the chain for negligence, seeking damages to compensate them for the time and effort spent remedying the disruption of their financial affairs and for various fees, charges, and lost reward points. After the plaintiffs were compensated for their economic losses resulting from the security breach, the trial court certified to the Maine Supreme Judicial Court the question of whether time and effort alone, spent in a reasonable effort to avoid a reasonably foreseeable harm and in the absence of physical harm, economic loss, or identity theft, could constitute a cognizable injury under a theory of negligence or breach of implied contract. The Maine high court answered the question in the negative, explaining that an individual's time and effort, alone, is not legally protected from the negligence of others.

One of Hannaford's predecessors, Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018 (D. Minn. 2006), also illustrates a general reluctance to award damages for expended time, effort, and money without proof of actual or certain future harm. In Forbes, consumers affected by a computer theft incident sued their bank for negligence, seeking damages to compensate them for the undisputed time and money spent monitoring their credit for any fraudulent use of their personal information, even though there was no indication that the information on the stolen computers had been accessed or misused. The district court explained that plaintiffs may only recover for loss of time in terms of earning capacity. Further, the court observed that the plaintiffs overlooked the fact that their expenditure of time and money was not the result of any present injury, but rather the anticipation of a future injury that had not materialized. In other words, the plaintiffs' alleged injuries were solely the result of a perceived risk of future harm. The court ultimately dismissed the information security negligence claim because the plaintiffs failed to show a present injury or a certain future injury that would support damages for the alleged increased risk of harm. In a similar case, the Seventh Circuit declined to require a company to pay for credit monitoring services that plaintiffs sought only to reduce the risk of potential identity theft, holding that an increased risk of future harm, without more, is not an injury the law compensates. See Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. 2007).

Interestingly enough, many companies routinely offer free credit monitoring services to individuals who are potentially affected by a security breach. While the case law suggests there is no legal obligation to do so, I would not recommend removing this practice from your information security program. It may deter an actual identity theft incident, and it provides considerable value from both consumer confidence and public relations perspectives, which, in some instances, may actually thwart potential litigation.

Even though recovery under the tort theory of information security negligence is difficult to obtain without a direct financial loss or a stolen identity, we are also witnessing the first stages of litigation arising out of the perceived negligent handling of consumer data. For those not fortunate enough to steer clear of these lawsuits, courts will continue to develop further measures and standards of information security obligations, whether under tort or some other prevailing legal theory. Stay tuned.

Alicia H. Tortarolo is a partner in the California office of Hudson Cook, LLP. Alicia can be reached at 714-263-0425 or by email at atortarolo@hudco.com.

Copyright © 2024 CounselorLibrary.com, LLC. All rights reserved.