For over a decade, companies that have suffered data-security breaches have faced claims asserted by a dizzying array of adversaries, from the Federal Trade Commission and other federal agencies to state attorneys general to private plaintiffs such as consumers, employees, shareholders, and financial institutions. As if that were not enough, in late 2017 a new type of claimant came to the fore: municipalities. Who are these new city plaintiffs, how do they fit into the existing landscape of data-breach litigation, and what can companies do to protect against the claims they bring? This article will demystify the new wave of city suits over data breaches and highlight some ways that organizations may be able to reduce their exposure to such suits.

Pre-Existing Litigation and Enforcement Activity

While the underlying statutes and common-law bases may vary, claims by government actors and private plaintiffs following a data breach are, for the most part, based on the same core set of factual allegations—the breached entity had inadequate security, deceived consumers about the quality of its security, and/or failed to respond appropriately or quickly enough upon discovering the breach. Pursuant to §5 of the Federal Trade Commission Act, for example, the Federal Trade Commission has convinced numerous companies to enter consent decrees and has brought enforcement actions based on allegations that the company’s data security was inadequate and/or that its statements to the public about security were deceptive. Depending on the kind of entity and the type of data involved, other federal government agency investigations and actions may also ensue. On a parallel track, state attorneys general—acting individually or in a coordinated multistate effort—often investigate breaches and the responses to them and may ultimately exact settlements or initiate litigation under data-security, breach-notification, or unfair and deceptive trade practices laws. For instance, in May 2017, Target reached a settlement with a group of 48 state attorneys general in connection with a 2013 data breach without resort to litigation.