Plaintiffs are increasingly winning in the earlier stages of data breach litigation and defendants may be helping set unrealistic settlement figures out of a fear of going through discovery, attorneys on both sides of the issue said Thursday.

“Instead of thinking of ways to make [the plaintiffs lawyer's] life more difficult and fight class certification, people are settling,” said Baker & Hostetler data privacy lawyer Theodore J. Kobus III.

Kobus was speaking on a panel to a Philadelphia ballroom full of cybersecurity professionals attending NetDiligence’s annual Cyber Risk and Privacy Liability Forum.

“Are we going to stand up and challenge them on class certification and summary judgment?” asked Ronald I. Raether Jr., a partner at Dayton, Ohio-based Faruki Ireland & Cox.

Chandler Givens of Edelson P.C. was the lone plaintiffs lawyer on the panel—and the subject of a lot of lighthearted ridicule from the other panelists. But he may be getting the last laugh as courts across the country, regardless of state politics or which administration appointed the judge, are increasingly demonstrating what Raether described as a lack of patience with companies’ handling of data. Raether said judges are willing to make “legally obtuse” arguments to “fit a square peg into a round hole.”

From Givens’ perspective, courts are beginning to realize the impact that data breaches have on those affected. So when a proposed class of plaintiffs say their data was breached, but they have yet to suffer harm, judges are increasingly finding that those plaintiffs still have standing to sue.

“Now the standing issue is becoming a hurdle that we’re able to surmount,” Givens said.

And while most defendants look to settle before discovery, Givens said some are pressing forward. And the judges who are hearing arguments over class certification are starting to approve the class, he said.

But for plaintiffs lawyers, it’s all about adapting.

Givens likened plaintiffs data-breach litigation to Pac-Man—when the ghost comes, you run the other way.

“There is always going to be a way to plead your case based on what is happening in other circuits and we’re going to find those and latch onto them,” Givens said.

Kobus said these cases don’t have to be about fear. He said plaintiffs are “preying on” defendants’ fear by using “outdated” statutory damages claims.

The damages and settlement processes for data-breach class actions are just starting to evolve, Givens said. He noted one case he settled involved a $1.2 million settlement for a class of 750,000 people while another case involving 20,000 potential class members settled for $3.3 million. Pricing is difficult, particularly when actual harm hasn’t occurred yet, Givens said. But courts have shown skepticism toward settlements that consist only of credit monitoring, he said.

“You are essentially filing a lawsuit knowing you have a class that doesn’t have damages,” said Robert Parisi, managing director and national cyber-risk practice leader for insurance and risk management company Marsh.

Parisi said data privacy laws in the United States focus more on who to blame for spilling the milk, whereas laws elsewhere in the world focus on stopping the milk from spilling.

Kobus said the price points for a data breach will be what the various settlements bear out until defendants start pushing these cases and doing discovery to uncover the true damages.

“We have to litigate and force them to prove damages,” Raether said.

Potential targets

Givens said any business that stores consumer or business data is a potential target for a breach and a lawsuit. He said he included business data because he could see a class of merchants suing over their data being breached.

Finding clients is “trivial these days,” Givens said.

When a breach occurs, a state attorney general will typically put a notice on the office’s website or the breach will be mentioned publicly in some fashion. Plaintiffs lawyers then buy Google AdWords so that an ad with an intake form to become part of the class is posted near search results about a certain company’s breach.

Givens said it is important for a company to have a consistent message across what it says in its breach notification letter, what it tells the general public and what its lawyers are saying. If one message says there were 50,000 people affected by the breach and another says there were 20,000, Givens said he could paint the picture for the court that the company doesn’t have a handle on its data.

The first thing plaintiffs lawyers ask for is the company’s written security policy and vendor management contracts.

“If you live by your policy, it’s difficult for us to make a case,” Givens said.

Raether noted plaintiffs are arguing in some cases that it is the company’s own privacy policy that should be the standard to which it is held, but there are other standards too. What the judge will use becomes the question.

Robin Campbell, an attorney with Crowell & Moring and founder of Click 4 Compliance, said the biggest trend since the highly publicized Target data breach has been cleaning up vendor contracts and ensuring vendors are going to pay if they are the cause of a company’s breach. It’s an area regulators are highly tuned into as well, Campbell said.

Kobus noted there is a lot more pushback from vendors now, however, in an attempt to limit their liability. Cyberinsurance policies are also attempting to ensure vendors have the financial wherewithal to assume that liability, he said.

Parisi said more people have data breaches than have cyberinsurance. He said companies are trying to fit the damages of a data breach into the coverage of a commercial general liability policy and insurers are fighting that hard.

Staying off the Radar

Campbell said it is important not to mess up the breach notice. Companies don’t want to look weak or like they are admitting liability. Kobus said words should be chosen carefully. Parisi and Campbell noted it’s most important to have strong standards in place before a breach and follow those standards. If companies do the right compliance upfront, Campbell said, they can be more confident in negotiations.

Raether had a simple approach to managing data breaches: “Don’t piss people off.”

While Givens may have made it seem easy to find clients, cases that go the furthest have strong lead plaintiffs with actual damages to show, Raether said. A company may want to isolate those who were most deeply affected by the data breach and give them a remedy that makes them not want to pursue litigation, Raether said.

Coming hot topics

While companies are currently battling large-scale class actions, the trend may be moving toward smaller, state court cases or individual cases, the attorneys said.

Raether said plaintiffs want to take on manageable cases and the smaller, state cases are a good target.

Givens said he expects to see more cases based on the representations made by defendants about their data security policies and their failure to adhere to them. Kobus said he thinks single-plaintiff Health Insurance Portability and Accountability Act cases will increase.

Parisi said he would play the devil’s advocate and suggest there may be less data breach litigation. He said millennials have a different take on privacy and what information is available. He said they may not want to sue over a data loss.

But Parisi noted litigation is only the tip of the iceberg for companies that experienced a data breach. There are business interruption and reputational issues, to name a few.

Gina Passarella can be contacted at 215-557-2494 or at gpassarella@alm.com. Follow her on Twitter @GPassarellaTLI.