TAG Cyber Law Journal

May 2019
Once these cases were routinely flattened with a motion to dismiss, but not anymore.
By Matt Fleischer-Black
CYBERSECURITY PRESENTS A HOST OF HEADACHES for general counsel and risk managers. They face an ever-growing list of regulatory requirements, especially as data privacy laws expand nationally and globally. Companies need to be particularly careful about the way they communicate about breaches with regulators, employees and consumers.
     Now there’s another big worry: data breach lawsuits. These have evolved from a relatively mild potential risk into an increasingly active, costly and multipronged threat. Not only do companies have to worry about class actions brought by consumers whose data was stolen; shareholders also regularly file suit after stock prices plummet following a breach.
     Data breach suits used to be based almost entirely on the lone fact that data had been exposed. Plaintiffs lawyers hyped the volume of data that had been stolen as evidence of the damage. But those cases didn’t get very far. Courts were not impressed that data exposure, by itself, constituted enough harm to survive a motion to dismiss. So lawyers adjusted their strategy. They looked for different ways to characterize the harm that plaintiffs experienced. They started defeating or sidestepping those initial motions on the way to discovery.
     Exhibit A: In April, Yahoo agreed to a $117.5 million settlement to end a class action lawsuit over three large breaches. If approved, this will be the largest class action payout for data exposure. Nor do Yahoo’s potential litigation costs end there. Yahoo also agreed to an $80 million settlement with shareholders for stock-drop claims, plus a $29 million settlement for shareholder derivative claims against company leaders.
     The Yahoo case exemplifies the inroads that plaintiffs lawyers, and judges, have made in ratcheting up the pressure throughout the stages of data breach litigation—at the beginning, middle and end.
     Starting out, the Yahoo plaintiffs lawyers reaped the fruit of a years-long effort to refine arguments over harm from breaches. U.S. District Judge Lucy Koh in San Francisco allowed the case to go forward, ruling that data exposure counts as a current injury.
     The Yahoo case quickly intensified, even though the exposed data at issue was less sensitive than the types of data exposed in previous major breach settlements. The Yahoo hackers took users’ names, phone numbers, dates of birth, account passwords and security questions. A majority of the cases that judges OK’d in the time before Yahoo involved the mass theft of customers’ payment card information (PCI). Previous landmark settlements that followed from theft of customers’ PCI include the Sony Gaming, Target and Home Depot settlements in 2015 and 2016.
     Unlike those lawsuits, the Yahoo case proceeded to an extended discovery face-off, leading to the exchange of 9 million documents. Settling the suit has taken extra effort, too. The U.S. Court of Appeals for the Ninth Circuit last November instituted new review policies for class action settlements. Adhering to those standards, Judge Koh rejected the Yahoo lawyers’ first attempt at settlement, requiring both sides to spend more time and money to craft the April proposed settlement.

In the Beginning, Long Odds
     Up until a couple of years ago, general counsel didn’t need to closely watch breach class actions. Few cases lasted long—if they were even filed. Customers weren’t always aware that they were victims, or why they should worry, or how to fight back. “The odds that you know you’re in a breach, and then you find a lawyer who knows what to do with you—there was a small chance,” recalled James Barry, an associate with the data breach practice at the Locks Law Firm, in Cherry Hill, New Jersey. Those who did hear about the breach, “maybe they called their local lawyer, and that local lawyer had no idea of what to do, or told them that they didn’t have a claim—because it’s such a specialized niche for plaintiffs work,” Barry added.
     Defense lawyers were able to persuade judges to throw out case after case. They repeated a mantra: Absent evidence of financial loss, the plaintiffs had no claim. If that didn’t knock out a claim, often the hurdle of class certification did. Some judges concluded that customers had to bring cases individually or in small groups, because injuries differed (“typicality”), or because consumer fraud protections differed across states (“commonality”). 
     Plaintiffs lawyers sometimes made fatal mistakes. David Navetta, vice chair of the cybersecurity and data privacy practice group at Cooley LLP, said: “They go out and find representatives of the class, yet the harm is not quite on point. Someone steals a credit card, and there’s an allegation that someone’s bank account is having a problem—those two things don’t compute.”

The Tide Turns
A few years ago, plaintiffs lawyers had a breakthrough. They began to persuade judges that companies are obliged to protect customer data and can be deemed negligent when they fail to do so. Judges have let data breach class actions proceed under this theory against Sony, Arby’s, Home Depot and Target. Home Depot settled consumer and business class actions for $45 million total in 2016, while Target that year reached a consumer settlement valued at $10 million.
     After years of losing first-round arguments over lack of injury, the lawyers have wised up, said Amy Keller, a partner at DiCello Levitt Gutzler, who represents plaintiffs. “Attorneys are now putting in more detail regarding the kind of losses that the representative plaintiffs have experienced in dealing with the breach,” she said. The complaint will detail the time that each of the class representatives spent calling banks, the company and identity theft services. “There’s more meat on the bones,” Keller said. Judge Koh and other judges have cited such details when granting plaintiffs standing to sue.
     Now the challenge for the defense is to fully engage. “It previously was easier to get a case tossed out at the motion to dismiss,” said Navetta. “The cases have more legs now.”
     The plaintiffs’ main goal is to get to discovery, he explained. “Then you discover the warts, what happened behind the scene, what mistakes were made, the servers or things that were not secured. Or firewalls, basic controls that should have been implemented.” The cyber-hygiene lapse often is modest, and understandable—but looks bad. 
     Few companies even ponder taking data breach cases to trial, said defense lawyers. Given fast-changing cybersecurity standards, no general counsel wants an outsider judging the quality of the corporate security effort, noted Michael Yaeger, a shareholder at Carlton Fields. “You need to show what was reasonable for someone to understand and know at the time of the incident—which is different than what looks reasonable six months later,” he said.
     After a succession of recent breaches made headlines, the tide has turned, according to Lisa Sotto, cyber practice chair at Hunton Andrews Kurth. “Given the stunning series of security events we have experienced over the last five years, the public is increasingly impatient with perceived security lapses,” said Sotto. “The threat of litigation following a data breach has never been greater, and is to some extent inevitable in today’s environment.”   
     Few breaches invited litigation more than the hacking of Anthem Health in 2014 and 2015. The health insurer’s 79 million policyholders saw their Social Security numbers, employment data, income information, health account numbers, names, dates of birth, and home and mail addresses exposed. The ensuing class action lawsuit ultimately led to a $115 million settlement in 2017. It holds the record for settlement value until Judge Koh approves the Yahoo agreement. (Reported values for breach settlements often include a cash fund for victims, budgets for administering claims and security improvements, as well as lawyers’ fees and costs.)
     Judge Koh also presided over that case. Her ruling on the motion to dismiss alarmed general counsel. She accepted a pair of arguments that plaintiffs lawyers had been making for years with limited success. Granting one argument, the overpayment theory, she permitted plaintiffs to argue that paying a premium for health insurance entitled them to protection of their data. If the provider had failed to protect the data, then they could seek damages. Granting the second argument, Judge Koh permitted plaintiffs to argue that they lost the value of their personally identifiable information (PII), a more novel ruling.

The Power of Discovery
In the Yahoo case, Judge Koh again accepted the loss-of-value-of-PII argument. Plaintiffs lawyers have been encouraged by these decisions and now are arguing these points in other cases, said James Pizzirusso, a class action partner at Hausfeld LLP who represents plaintiffs but is not involved in the Yahoo matter. “What we’re trying to move the needle with is to get judges and courts to recognize that there is an inherent value of privacy, and that it can be measured in lots of ways,” he said. “One of the ways to measure is to look at what my data sells for on the dark web.” In Judge Koh’s Yahoo standing decision, she points to the sale of Yahoo users’ data on the web as one indication of injury.
     Cooley’s David Navetta is concerned about the inroads that plaintiffs lawyers have made. Yet federal circuit courts remain split on standing and other early-motion questions. “The plaintiffs are getting more traction, but it is still hard to bring these cases. And there are still some good defenses,” Navetta said.
     As the Yahoo case shows, lawyers on both sides now must prepare to actively litigate their breach cases. Judges are firmly pushing cases forward. Judge Koh, in rejecting the first Yahoo settlement, wrote that “the court had to encourage class counsel to actively litigate the case and take discovery.” John Yanchunis, lead plaintiffs class counsel in the Yahoo case and head of class actions at Tampa’s Morgan & Morgan, declined to comment about the settlement.
     Nonetheless, he confirmed that discovery was high on the agenda in another San Francisco federal courtroom, where he represents Kimpton Hotels’ customers. In that breach case, “Judge Vince Chhabria wanted us to engage in discovery to try the liability phase before looking at whether the court would certify the class,” recalled Yanchunis, adding, “I took 17 depositions in that case!”

Matt Fleischer-Black is a freelance journalist and a former senior reporter at The American Lawyer. He has worked for ProPublica, The National Law Journal, The New York Observer and The Village Voice. He lives in New York.