This is the property of the Daily Journal Corporation and fully protected by copyright. It is made available only to Daily Journal subscribers for personal or collaborative purposes and may not be distributed, reproduced, modified, stored or transferred without written permission.

Perspective

Sep. 29, 2016

Data breach burdens are becoming overly harsh

Until recently, data breach cases rarely survived motions to dismiss or demurrers because plaintiffs could not allege a compensable injury. By Andres Hurwitz and Edward Ho

Andres Hurwitz

Partner

Andres is a litigator with a specialty in privacy issues and the leader of the firm's Data Security & Privacy Team. He is a certified information privacy professional.

Yahoo recently confirmed a data breach that could impact some 500 million users. It joins a large group of hacked entities, including Target, LinkedIn, Dropbox, UCLA and Hillary Clinton. Of course, the entities themselves are not the only victims; data breaches affect all individuals with information they assumed was safe with the hacked entities. And with these individual victims come lawsuits - lots and lots of lawsuits.

Until recently, data breach cases rarely survived motions to dismiss or demurrers because plaintiffs could not allege a compensable injury. Purely economic losses are not covered by negligence and other torts. Rather, they are governed by contract law. But consumer contracts rarely impose data-security obligations.

In addition, courts often dismiss data breach complaints for lack of standing. The Supreme Court construed Article III standing narrowly in Clapper v. Amnesty Intern. USA, 133 S. Ct. 1138 (2013), requiring plaintiffs to show actual harm or "certainly impending" injury in order to bring a lawsuit. Although this was not a data breach case, courts have applied it to such cases.

But recent case law and legislation in California have made it easier for plaintiffs to win damages for data breaches. A California district court construed standing somewhat generously in In re Adobe Systems, 2014 WL 4379916 (N.D. Cal. 2014), stating that "a credible threat of real and immediate harm" required in the 9th U.S. Circuit Court of Appeals before Clapper may suffice. California legislators amended the California Customer Records Act (CRA) in 2015 to be more plaintiff-friendly. Previously, only companies that "own or license" customer information were required to take reasonable security measures. The new legislation expanded this requirement to include any company that "maintains" personal information on California residents. Violating this requirement may result in civil damages or injunction.

The CRA is but one source of litigation. Plaintiffs also may assert claims under California's Unfair Competition Law (UCL). See In re LinkedIn User Privacy Litigation, 2014 WL 1323713 (N.D. Cal. 2014) (allowing customers' claim against LinkedIn for misrepresenting its security measures by claiming that users' information "will be protected with industry standard protocols and technology"). And if medical data is breached, plaintiffs may allege violations of the California Confidentiality of Medical Information Act (CMIA). In In re Sony Gaming Networks & Customer Data Security Breach Litigation, 996 F.Supp.2d 942, 1013-14 (S.D. Cal. 2014), the court allowed claims under the UCL, the California Consumer Legal Remedies Act, breach-notification statutes, and for breach of the implied covenant of good faith and fair dealing. In Corona v. Sony Pictures Entertainment, Inc., 2015 WL 3916744 (C.D. Cal. 2015), the court allowed claims of negligence based on breach of duty to maintain adequate security measures, violation of the CMIA, violation of the UCL, and declaratory judgment. In addition, governmental authorities such as consumer protection agencies and state attorneys general may pursue actions against firms that have jeopardized consumers' information.

"[C]yber-attacks can be extraordinarily complicated and, once identified, demand a host of costly responses. These include digital forensic preservation and investigation, notification of a broad range of third parties and other constituencies, fulfillment of a confusing constellation of state and federal compliance obligations, potential litigation, engagement with law enforcement, the provision of credit monitoring, crisis management, a communications plan - and the list goes on." Kevin LaCroix, "Guest Post: Law Firms and Cybersecurity: A Comprehensive Guide for Law Firm Executive Committees" (April 13, 2016). For instance, after Sony Pictures' data was breached, it was the defendant in over 50 class actions.

Insurance protection may be spotty. After Sony Pictures' commercial general liability insurer disputed coverage, the New York trial court sided against Sony. As this example illustrates, companies should not rely on traditional CGL coverage policies to protect them against claims arising from hacking incidents. "Indeed, the case law concerning general property insurance and cybersecurity is all over the map." LaCroix, supra.

Not surprisingly, the largest percentage increase in corporate legal spending in the last decade has been on data security, twice as much as the next highest percentage increase (class actions). Of course, companies should try to protect data. They should encrypt it in transit, restrict vendor access to critical information, limit employees' use of personal devices for work purposes, educate employees on data security, and employ other measures. And companies may protect themselves by purchasing cyber-insurance to cover breaches.

Still, if neither the techies at Yahoo nor former Secretary of State Hillary Clinton can safeguard themselves against cybercrimes, it is unrealistic to blame other entities for being victims of hacking. The trend of courts and legislators toward increasing the burdens of companies suffering data breaches seems overly harsh at best and victim-blaming at worst.
