It was the scandal of the summer: AshleyMadison.com, the dating and social networking service that markets itself to would-be cheaters, was cyberattacked, and the names and contact information of purported members—including celebrities, congressional staffers and evangelists—were revealed online. Soon after, plaintiffs lawyers lodged class action litigation on behalf of website users.
The chain of events—a high-profile data hack, followed by proposed consumer class actions—was a familiar one. Prior data breaches at big-name companies, including 2013’s Target Corp. hack and the hack at Home Depot Inc. in 2014, spurred similar lawsuits.
Lawyers on both sides of the privacy and data security bar expect that large-scale breaches, along with companies’ more granular handling of personal information, will provide fodder for an expanding wave of future litigation. That’s true, they say, even as the heightened publicity of some attacks hasn’t yet translated into a larger number of suits or more successful results for plaintiffs in class actions.
Judging by the submissions for this year’s Litigation Department of the Year competition, the world of Big Law is taking notice. Of the six firms recognized as general category finalists or winners, three—Orrick, Herrington & Sutcliffe, Kirkland & Ellis and Gibson, Dunn & Crutcher—highlighted their defense work on at least one data privacy or cyberbreach case in submissions to The American Lawyer. Another finalist, Quinn Emanuel Urquhart & Sullivan, noted the area as one of its growing practices, touting its January 2015 hire of partner Jenny Durkan, a former U.S. attorney who now heads the firm’s cyberlaw and privacy group.
Eugene Assaf, a litigation partner at Kirkland & Ellis, says his firm is among those that view data privacy and security work as a priority. Kirkland, Assaf says, is among a group of firms that have sought to add expert cybersecurity and data privacy lawyers to teams that guide a company through “enterprise risk” situations—high-profile scandals that often lead to government investigations and private litigation. “Firms are leveraging resources from their investigation and enforcement practices, their board governance practices and their litigation practices,” he says. In the context of data breaches, he adds, firms like his also try to distinguish themselves by offering “important support from lawyers with national security expertise.”
Other firms, such as Orrick and Ropes & Gray, place a larger focus on offering counseling services—including compliance training and audit support—to companies’ information technology and information security departments. But leaders in both of those firms’ data privacy and security practices say they make a point of backing up that counseling work with teams of litigators who specialize in the data privacy and cybersecurity realm. “Part of what we’re trying to do with our clients is to advise them in such a way that, when bad things do happen, they’re better prepared to deal with it,” says Russell Cohen, a partner in Orrick’s cybersecurity and data privacy group. “Our focus has really been on proactive counseling to get our clients positioned better from a security perspective and a privacy perspective.”
Orrick and Ropes & Gray stress, however, that they back up pre-emptive counseling with strong litigation teams that specialize in data privacy and security. “We help companies reduce the risk of an incident and otherwise solve privacy and data security challenges,” says Ropes & Gray partner Heather Sussman, a leader in the firm’s privacy and data security group. “We also are poised to step in and handle incidents and post-incident litigation and government enforcement.”
Yet another model for jumping into the data privacy and cybersecurity realm might involve making inroads with the insurance industry. Insurers often end up covering much of a company’s costs following a data hack, according to David Zetoony, leader of Bryan Cave’s data privacy and security practice. And they have a significant say in the outside law firms that get the call after a breach, Zetoony says.
Big breaches, small payouts
On the basis of the headlines, it’d be easy to assume that large-scale data breaches mark some of the highest litigation risks for companies. But even if the general public and certain judges have a strong appetite for someone to blame, consumer class actions over compromised personal data have largely struggled to gain traction in court. As such, it hasn’t proved to be a hugely lucrative litigation arena for defense or plaintiffs lawyers.
For plaintiffs lawyers, a key obstacle is establishing that consumers have suffered damages that could give the plaintiffs standing to sue. The main reason for that: Following a typical data breach that compromises credit card information, the hacked company almost always offers to cover consumer costs for credit monitoring and identity theft insurance, according to Bryan Cave’s Zetoony. What’s more, any fraudulent charges that crop up on someone’s card as a result of a hack typically prompt a full reimbursement by the cardholder’s bank, says Zetoony.
“By and large, these are not making plaintiffs firms millions of dollars,” he says. “You file these class action lawsuits—the question is, ‘What are you looking for?’ … For the most part, the plaintiffs bar is still experimenting with how to get over those thresholds.”
There have been some recent signs that courts may be more receptive to newer theories for holding companies accountable. If those theories were to take hold, Zetoony and others say, the landscape of private cyberbreach litigation could change dramatically. “If someone can figure out a good theory for data breaches that leads to more compensation and really cracks that open, we’ll see a lot more activity,” he says.
One sign of a shift came amid the proposed class actions that followed a massive November 2013 cyberattack against Target. After the exposure of payment card numbers and contact information for as many as 110 million customers, the retailer was hit with a slew of proposed class actions from consumers and banks affected by the breach.
As the Target data breach litigation moved forward, it passed milestones that many similar lawsuits weren’t able to. Specifically, in December 2014, the plaintiffs managed to defeat motions to dismiss lodged by Target’s defense lawyers at Ropes & Gray, Morrison & Foerster and Faegre Baker Daniels. The judge rejected Target’s arguments that the consumers and financial institutions hadn’t suffered the kinds of harm that amount to a valid claim in court.
Banks that sued Target also later secured class status in the litigation, and with the momentum on the plaintiffs’ side, Target eventually reached a series of settlements. The company agreed to pay $10 million to consumers, more than $39 million to banks and MasterCard Inc. card issuers, and $67 million to Visa Inc. card issuers. Overall, Target has so far spent more than $290 million following the breach, a number that includes its settlements in lawsuits and legal fees related to a pending Federal Trade Commission probe.
Data privacy litigation has been a better bet
The frequency and number of cyberbreach cases pale when compared with their counterparts brought under data privacy laws. Data privacy cases focus primarily on how companies collect personal information from customers and what they do with it, often behind the scenes.
A May 2015 report, completed by Zetoony and colleagues at Bryan Cave, found that roughly 672 data privacy cases were filed over the 15-month period from July 2013 to the end of September 2014. That’s more than six times the number of data breach cases filed over the same period. The study also found that more than 240 plaintiffs firms lodged data privacy complaints during that time, compared with more than 70 firms that filed new breach cases.
Driving the volume of filings are the financial incentives and potential rewards associated with privacy cases, according to Andrew Serwin, who co-leads Morrison & Foerster’s privacy and data security group. In consumer cases that follow a hacking incident or data security breach, he says, “99 times out of 100, the plaintiffs can’t prove damages.” But that’s not the case in the privacy realm, in which private class actions often allege violations of federal laws that carry specified statutory damages amounts.
An especially active area of data privacy litigation flows from alleged violations of the Telephone Consumer Protection Act, which restricts the use of automated phone calls and text messages for solicitation purposes. Under the TCPA, consumers are entitled to a $500 damages award for any violation, and $1,500 for a violation found to be willful. But because plaintiffs lawyers can aggregate those claims into a class action that might cover millions of people who received an unwanted text message, a TCPA suit spells potentially massive financial exposure for a company hit with one. Those economic dynamics, unsurprisingly, often lead to settlements. “You really have to look at financial harm as the touchstone of privacy litigation in the U.S.,” says Serwin. “They can blackboard a large number. … In theory, statutory penalties can be really high.”
In recent TCPA litigation against Capital One Financial Corp. and three collection agencies, plaintiffs lawyers led by Lieff Cabraser Heimann & Bernstein accused the company in 2012 of violating the TCPA. At issue were automated phone calls to customers’ cellular phones regarding credit card debt. They allegedly violated the TCPA’s requirement that prerecorded or auto-dialed calls can only be made to a cellphone with express, prior permission. The proposed class had as many as 16 million members. At $500 a head, that means, in theory, Capital One and its co-defendants could have faced damages claims worth billions of dollars. Ultimately, the companies reached a settlement worth $75.5 million—the largest TCPA settlement on record at the time. The deal received final court approval in February 2015, with a judge also signing off on $15.7 million in legal fees for the plaintiffs lawyers.
Telemarketing cases have been popular over the past few years, with the Bryan Cave report saying that TCPA cases made up 65 percent of data privacy complaints filed in the firm’s study period. A February 2015 report from Gibson Dunn on cybersecurity and data privacy adds that TCPA litigation “exploded” over the prior two years. But suits brought under the telemarketing law are just one of several types of data privacy litigation that have become increasingly active, according to the Bryan Cave and Gibson Dunn reports. Like the TCPA, cases in those other areas tend to draw attention from plaintiffs lawyers in part because of financial incentives that stem from statute-set damages awards.
Jay Edelson, managing partner of Edelson, a Chicago-based privacy litigation boutique, is among the plaintiffs lawyers to have capitalized on an uptick in data privacy litigation, even as he and his colleagues largely avoid bringing suits that follow large cybersecurity breaches. “We tend not to love cases where we’re chasing the news,” he says. His firm started in 2007 as KamberEdelson—the name changed after Edelson and his former partner, Scott Kamber of KamberLaw, parted ways—and claims to have collected more than $1 billion in settlements since. Now with 25 lawyers, Edelson says about 80 percent of the firm’s work falls in the realm of privacy class actions.
Edelson and his firm recently spearheaded what some observers considered one of the largest cases ever certified as a class action under Internet privacy laws. The suit, filed in 2011, alleged that Internet technology company ComScore Inc. installed software for tracking Web usage data on consumers’ computers without permission. Specifically, plaintiffs lawyers maintained that ComScore bundled the tracking software with what seemed like benign applications, such as screen savers or games, offered by the company’s business partners.
Among other legal claims, the suit alleged violations of the Electronic Communications Privacy Act and the Stored Communications Act, which, similar to the TCPA, provide for statutory damages. Some estimates put the potential damages for ComScore, defended in the case by Quinn Emanuel, at up to $1 billion. After the case was certified in 2013 as a class action composed of thousands of consumers, the two sides ultimately settled in May 2014, with ComScore agreeing to pay $14 million. Edelson and other plaintiffs lawyers took home more than $4.6 million in fees as part of the settlement.
Although Edelson’s firm has focused on data privacy litigation, he also acknowledges some of the recent shifts on the cybersecurity front, noting that they could set the stage for more success on the plaintiffs side. In addition to the obstacles overcome by plaintiffs in the Target data breach case, Edelson pointed to a recent ruling by the U.S. Court of Appeals for the Seventh Circuit in a class action that followed a 2013 data breach at Neiman Marcus. In that case, a district court judge had thrown out the lawsuit on the grounds that the plaintiffs—Neiman Marcus customers who claimed their credit or debit cards were compromised when the retailer was hacked—lacked standing to sue because they suffered no real harm. But in July, the Seventh Circuit reversed, issuing a ruling that many observers say makes it easier for plaintiffs to keep their data breach claims alive in court.
“The courts have realized that they have to figure out a way to deal with data breach cases,” says Edelson.
Other defense lawyers express similar thoughts. As long as cyberattacks keep happening, they say, there will be a strong appetite for lawsuits. And that appetite is only likely to grow if plaintiffs lawyers can crack the code to making out a successful, post-breach complaint.
“If the plaintiffs bar were making more money,” says Bryan Cave’s Zetoony, “there would be more lawsuits.”