Member Article

The Firestorm: Civil Litigation and Class Actions Following a Cyber Incident

As soon as your company has tangible evidence of a data breach, you must start thinking about what a lawsuit would entail, especially in light of the complexity of electronic evidence. In this installment of our special series, A Desk Guide to Data Protection and Breach Response, we discuss the firestorm of litigation that can arise following a breach and provide practical guidance for preparing for the worst.

In general, your company should anticipate two types of lawsuits following a breach or cyber incident. First, you might want, or might have no choice but, to sue the perpetrator. This situation typically arises when a rogue or disgruntled employee leaves with confidential information, deletes information on company computers, or - worse - plants a time bomb that will do damage long after the employee is gone. But offensive litigation may also arise in the context of an outside hacker if the company has enough evidence to identify the perpetrator. In all of these cases, your company would be the plaintiff and could decide whether or not to sue.

Second, companies that are victims of data breaches can be - and often are - sued by third parties. This situation most commonly arises when a hacker seizes consumer private information held by the company, and the suit typically takes the form of a class action against the company. In this fact pattern, the company is the defendant and has no option but to defend itself. Planning for this litigation early is critical.

Offensive Litigation

Before filing a lawsuit based on a cyber incident, it is important to think through your litigation objectives. An offensive lawsuit might seem like the right thing to do, but further publicizing the data breach could rattle your clients’ confidence in your company. Consider also the difficulty of presenting abstract computer forensic evidence to a jury and the difficulty of recovering any judgment you might obtain. In addition, always consider whether the facts of the case merit referral to law enforcement for possible criminal investigation, which might put the bad actor out of business at no cost, and perhaps with less publicity, to your company than offensive litigation (for more on referring matters to law enforcement, click here).

The next step, if you decide to sue, is to identify your causes of action. Victims of data breaches almost always pursue common law causes of action, such as breach of fiduciary duty, trade secret theft, and trespass to chattel. If the defendant is a former employee, causes of action may lie in the terms of employment. Consider also whether claims exist under the Stored Communications Act (18 U.S.C. § 2701 et seq., the “SCA”) or the Computer Fraud and Abuse Act (18 U.S.C. § 1030, the “CFAA”). Both of these federal statutes create private rights of action for criminal conduct. The CFAA, for example, criminalizes unauthorized access (or exceeding authorized access) to computers involved in interstate commerce, which today effectively means any computer connected to the Internet.

There is a split among the federal circuit courts regarding key issues related to both the SCA and the CFAA (see here and here) so it is important to first analyze how federal courts in your circuit have construed these statutes. Consider also whether to sue under your state’s computer trespass law. These laws often prohibit conduct more broadly than either the SCA or the CFAA.

Defensive Litigation

The more likely result following a data breach is that the breached company will be sued by those allegedly impacted by the breach. Following a breach involving payment card data, for example, consumers whose data was stolen may sue your company under negligence theories or state consumer protection laws. These claims are typically filed as class actions but (could also be filed on an individual basis). To date, these actions have been largely unsuccessful because consumers typically are not responsible for fraudulent charges on their accounts, and breached companies typically offer credit monitoring or other fraud resolution services to affected consumers. Thus, courts have routinely held - with some exceptions, primarily in the context of statutory damages claims - that consumers impacted by a payment card breach have not suffered any damages and have no standing to sue the breached company.

In putative class actions where plaintiffs survive a motion to dismiss, they face the additional hurdle of class certification. Issues of standing and damages suffered in a breach will likely be individualized, making it difficult to argue that common questions “predominate” over individual questions - a mandatory showing under Federal Rule of Civil Procedure 23(b)(3), the provision upon which most classes seeking monetary relief rely. There may also be individual issues regarding liability (such as issues of reliance or consent) or ascertainability problems with the proposed class definition.

In the wake of the Target breach, it is clear that defensive litigation following a data breach may not be limited to consumer lawsuits. For instance, banks that issued payment cards impacted by the breach have sued Target directly to recover their costs of replacing stolen payment cards and reimbursing consumers for fraudulent charges on their accounts. It is too early to know whether these claims will be successful, but the Fifth Circuit recently allowed negligence claims brought by issuing banks to proceed against a payment card processor that suffered a breach allegedly due to its lax security (see our coverage of that case here). Target’s directors and officers have been sued derivatively as well. Target investors have brought claims for breach of fiduciary duty, gross mismanagement, waste of corporate assets, and abuse of control.

Practical Guidance

In case of a breach or cyber incident, think data preservation immediately. Electronic data preservation is essential to reconstruct what happened in a breach, foreclose any accusation of spoliation, potentially assist law enforcement in identifying the perpetrators, and provide the grounds to prosecute or defend future litigation. Skilled counsel, typically with the assistance of forensic experts, can help you decide what to preserve and how to preserve it.

In earlier installments of our special series, A Desk Guide to Data Protection and Breach Response, we discussed

• data protection and compliance issues,
• developing a data security plan,
• obtaining cyber risk insurance,
• investigating and responding to a breach,
• public disclosure and regulatory issues following a breach, and
• referring cyber incidents to law enforcement for possible investigation and prosecution.

In our final installment, we will discuss recovering losses through insurance claims. For additional information on any of these subjects, please contact a member of the Haynes and Boone, LLP Privacy and Data Breach group.