On June 25, 2010, a federal court in New York granted summary judgment dismissing consumer class action claims against Bank of New York arising from the loss of unencrypted computer back-up tapes. Hammond v. The Bank of New York Mellon Corp., Case No. 1:08-CV-06060 (S.D.N.Y. June 25, 2010); 2010 WL 2643307 (BNY Litigation). 

The court held, among other things, that alleged increased risk of identity theft constituted neither sufficient injury to confer Article III standing to sue nor, alternatively, legally compensable injury under any of the causes of action asserted by plaintiffs, which included negligence, breach of implied contract, breach of fiduciary duty, negligence per se, and purported violations of state consumer protection statutes. This decision is consistent with decisions of many other courts that have dismissed data breach claims for lack of standing or compensable injury.

Although the weight of authority currently is against plaintiffs seeking to recover damages in data breach class actions, plaintiffs continue to bring these actions and assert new legal theories and variations of previously rejected theories based upon allegedly different facts. Many defendants have decided to settle these claims to avoid the cost and risk of continued litigation.

We expect plaintiffs will attempt to distinguish the BNY Litigation decision and other adverse precedents on their facts. Plaintiffs have argued, and likely will continue to argue, that increased risk of identity theft should be treated like increased risk of future medical injury, for which recovery is sometimes allowed depending upon the nature of the medical risk. Although courts have rejected this analogy so far, a few courts have left open the possibility that under a different set of facts, the increased risk of identity theft might be sufficient to support recovery. 

Plaintiffs also have argued that they should be entitled to nominal damages for breach of contract, which, in a class action, could result in a significant money judgment. The court in the BNY Litigation did not resolve this issue. Instead, it dismissed the claim because plaintiffs never pled nominal damages. In addition, plaintiffs have sought injunctive relief to compel defendants to improve data security systems or stop representing that their data security systems are adequate. To date, courts have rejected these claims on the same grounds that they have rejected damage claims, i.e., lack of standing or failure to establish an imminent threat of a legally recognized injury. Again, it is likely that plaintiffs will attempt to distinguish these cases.

It also should be noted that federal and state regulators have authority to seek injunctive relief to compel companies to implement reasonable data security safeguards and to seek penalties under various consumer protection statutes. In fact, the Federal Trade Commission (FTC) has filed more than 25 cases challenging allegedly faulty data security practices by companies that handle sensitive consumer information. These cases generally allege either a violation of the FTC’s safeguarding rule promulgated pursuant to Title V of the Gramm-Leach-Bliley Act or Section 5 of the Federal Trade Commission Act, which prohibits unfair acts or practices.

Therefore, although courts so far have refused to open the floodgates to private class action litigation in data breach cases, compelling business and legal reasons remain for companies to comply with state, federal and international data security laws, to take swift and appropriate remedial action if a data breach occurs and to give prompt notice of the breach to affected parties in the manner required by applicable state and federal laws. With 46 states and the District of Columbia having enacted data breach laws, compliance with the varying notice requirements is often challenging and cumbersome. Therefore, companies must have policies and procedures in place to respond quickly to a data breach involving sensitive employee or customer information. Also, the first few days after a company learns of a data breach are a critical time for remedying the breach and, as a result, may become a principal focus of discovery if litigation ensues. Therefore, it is important both to take effective action and to appropriately document the action taken during this important time.

For more information about the topics addressed in this Legal Update, please contact Robert J. Kriss at +1 312 701 7165, Jeffery P. Taft at +1 202 263 3293 or Charles E. Harris, II at +1 312 701 8934.
