Wednesday, June 4, 2014

Jason Atchley : Data Security : Stand Up to Sue Companies for Data Breaches

jason atchley

Stand Up to Sue Companies for Data Breaches

Before a data breach class action can make it to class certification named plaintiffs must show that they have standing.
, Law Technology News
    |0 Comments

Deborah Renner
Deborah Renner
Data breach cases are often brought as class actions because large numbers of people can potentially be affected. But the potential for injury is not enough to create constitutional standing. Before a putative data breach class action can make it to the class certification stage, the named plaintiffs in the case must show that they have standing to pursue the case for themselves, which boils down to a showing that they were injured as a result of the breach.
While the question of standing remains hotly debated in the data breach context, the defense bar has been winning many recent cases, most recently in In re: Science Applications International Corp. (SAIC) Backup Tape Data Theft Litigation, slip op., Misc. Action No. 12-347 (JEB) MDL 2360 (U.S. D.C. May 9, 2014), in which the U.S. District Court for the District of Colombia held that the “mere loss of data” in a data breach case does not constitute an injury sufficient to confer standing.
The ruling follows on the heels of two other district court rulings holding that standing was not satisfied in the data breach context, Polanco v. OmnicellInc., 2013 WL 6823265  (D.N.J. 2013); Barnes & Noble Pin Pad Litigation, 2013 WL 4759588, (N.D. Ill. 2013).
SAIC is an information technology company that was handling data for Tricare, a government agency that provides insurance coverage and health care to active-duty service members and their families.
Plaintiffs alleged that tapes containing personal and medical information for 4.7 million members of the U.S. military and their families were stolen from the parked car of an SAIC employee. The breach victims sued Tricare and SAIC, among others, asserting numerous causes of action (some of which were creative), including increased risk of identity theft, costs related to mitigating future harm, the loss of privacy, failure to adequately protect data and a violation of the right to truthful personal information.
The court granted the defendants’ motions to dismiss the claims all of the plaintiffs who lacked an actual injury traceable to the data breach on the ground that they lacked standing. Only two plaintiffs pled sufficient injury to confer standing.
The court held that plaintiffs lacked standing because the “degree by with the risk of harm has increased is irrelevant — instead, the question is whether the harm is certainly impending.” The court also found that costs incurred to prevent future injury did not create standing. The court also rejected the invasion of privacy claim of most plaintiffs because they did not allege that their personal information had been viewed or exposed in a way that would facilitate access to the data.
The plaintiffs’ claims that were based on alleged legal violations were also found to be deficient: “Standing . . . does not merely require a showing that the law has been violated, or that a statute will reward litigants in general upon a showing of a violation," the court ruled. "Rather, standing demands some form of injury — some showing that the legal violation harmed you in particular, and that you are therefore an appropriate advocate in the federal courts.”
The court also dismissed the plaintiffs’ claim based on deprivation of their “right to truthful information about the security of their PII/PHI,” holding that no independent harm has flowed from that alleged deprivation.
Significantly, as the courts did in Omnicell and Barnes & Noble, the SAIC court relied in large part on the U.S. Supreme Court’s decision in Clapper v. Amnesty International, 133 S. Ct. 1138 (2013), a case outside of the data breach context, decided under the Foreign Intelligence Surveillance Act (“FISA”). In Clapper, the court relied on well-settled precedent to hold that “allegations of possible future injury are not sufficient” to confer constitutional standing. 


Read more: http://www.lawtechnologynews.com/id=1202657423964/Stand-Up-to-Sue-Companies-for-Data-Breaches#ixzz33gR5Y0Xr





No comments:

Post a Comment