Litigation: Minimizing the risk of data breach class actions from Target's example
Every company that maintains, houses, or moves personal information is at risk of a data breach, but the legal consequences of a breach can be minimized by taking at least three steps.
February 20, 2014 at 03:00 AM
The original version of this story was published on Law.com
In mid-December, Target announced that it had suffered a wide-reaching security breach that potentially affected the accounts of millions of credit and debit card holders. Later reports indicated that the data breach affected even more people than the retailer had originally announced, perhaps as many as 110 million consumers, and that the stolen information included customer names, credit and debit card numbers, card expiration dates, and encrypted personal identification numbers (PINs).
The Target data breach made headlines across the country and did not escape the attention of the plaintiffs' bar. Two days after Target disclosed the security breach, three separate purported class actions were filed in Minnesota, New York, and California, and many more were filed later in December and in January with most claiming that Target was negligent in its handling of credit and debit card data by failing to protect consumers' private information. As of mid-January, over fifty purported class action suits against the retailer were pending across the nation.
Plaintiffs traditionally have a difficult time sustaining privacy class action cases because they often cannot plead, let alone show, actual injury flowing from a data breach — a necessary component of Article III standing and jurisdiction. Some of the newly filed cases against Target and other companies have tried to establish standing by alleging injuries from fraudulent charges, including the cost of monitoring credit and, for financial institution plaintiffs, the costs of notifying customers about compromised debit cards, closing customer accounts, and reissuing cards. However, the U.S. Supreme Court decision last February in Clapper v. Amnesty International USA, a government surveillance case, raises the possibility that at least one of these alleged injuries — the cost of credit monitoring — may be too speculative to satisfy Article III standing requirements. As Justice Alito opined in that case, allowing plaintiffs to bring an “action based on costs they incurred in response to a speculative threat” would “improperly water[ ] down the fundamental requirements of Article III.” The other purported injuries alleged in the Target cases may likewise prove speculative, and the future of negligence-based data breach class actions is therefore uncertain.
Companies should not get too comfortable, however. Privacy class actions in which plaintiffs seek statutory damages are on the rise, and some courts are ruling that this type of claim can satisfy Article III standing requirements. For example, in Harris v. comScore, one of the largest privacy class action suits ever filed, the lead plaintiffs were found to have standing, and the purported class was accordingly certified, based on statutory damages under the Electronic Communications Privacy Act, also known as the Wiretap Act, and the Stored Communications Act. Since the decision in comScore, there has been a rise in privacy class action litigation alleging statutory claims such as the ones asserted in comScore (the Wiretap Act, and the Stored Communications Act), the Telephone Consumer Protection Act, the Video Privacy Protection Act, and the Computer Fraud and Abuse Act.
Every company that maintains, houses, or moves personal information is at risk of a data breach, but the legal consequences of a breach can be minimized by taking at least the following three steps:
- Free credit monitoring. Both to alleviate reputational injury and minimize alleged damages, follow Target's approach and offer free credit-monitoring services to at-risk customers. While it is still too early to tell whether the Clapper decision will effectively foreclose the availability of this remedy in litigation, paying for such services will go a long way towards restoring good will with potentially impacted customers, and will eliminate, at the pleading stage, an allegation of harm arising from such costs.
- Engage security breach counsel. Have a security breach response team in place before a breach occurs, including counsel who can provide critical legal guidance with respect to your company's breach notification obligations. When a data breach occurs, there is very little time to select new counsel, so having your attorneys lined up in advance will prove invaluable.
- Formulate an incident response plan. Since a major data security breach puts any size entity at substantial risk, prevention is the best defense. Formulate a data breach plan. Consider working with privacy counsel. And while it may not be possible to prevent every data breach, being able to demonstrate that reasonable care was taken to avoid the risk will help reduce company liability.