Blowing the Cyberalarm

A ruling by the 9th Circuit Court of Appeals in December may have significant implications for businesses, potentially increasing the litigation risk involved with breaches of privacy and data security.

By Patricia Vowinkel

Until now, the courts had placed a heavy burden of proof on plaintiffs to show not just that an event occurred but that damages had been suffered.

This may begin to change with the opinion handed down in Krottner v. Starbucks. In this case, the court ruled that plaintiffs whose personal information had been stolen had suffered an injury sufficient for them to have standing before the court even though the information had not yet been misused.

Welcome to the 'Big Data' Era (09/15/11)
The Hack Attack Worsens (08/01/11)
Beating Back the Breach (06/01/11)
Finally Going Mobile (09/01/11)
Business as Usual Off the Table (10/01/11)

The background to the case: A laptop was stolen from Starbucks that contained unencrypted names, addresses and Social Security numbers of about 97,000 Starbucks employees. After receiving notification from Starbucks, the plaintiffs filed two separate lawsuits for negligence and breach of implied contract.

The court ruled that the plaintiffs faced a credible threat of harm even though the stolen information had not been misused. Although the court ruled that the plaintiffs had standing to bring their lawsuit, it also said the plaintiffs failed to adequately state a claim under Washington state law and both cases were dismissed.

Bob Parisi, the cyberliability expert at Marsh, calls this opinion a game changer, noting that up until now the costs associated with data breaches had to do with regulatory compliance ? the cost of notifying people affected by the breach, setting up a call center and offering a remedy such as credit monitoring.

However this opinion may be used to defeat a defendant's challenges to plaintiff's standing, according to a report Marsh sent out to clients in January. Once the injury-in-fact requirement has been met, a plaintiff need only find a state law allowing it to proceed on some type of legal theory based on the fear of harm due to lost private personal information, according to Marsh.

Jim Whetstone, U.S. Technology and Privacy Manager at Hiscox, on the other hand, did not see this ruling as very significant and notes that precedent continues to be set in other courts that the threat of future harm does not meet the necessary harm threshold to establish damages when alleging negligence.

But, he notes, regardless of whether or not a claim for negligence can proceed and in fact be proven, these court cases can be very costly to defend as novel questions are posed, answered and appealed. He also believes plaintiffs' attorneys are not going to stop looking for ways to recover alleged damages for their clients.

Another expert, Dave Navetta, an attorney with the Information Law Group who specializes in privacy and information security law, said that while more cases may gain standing in federal court, he believes it will remain difficult for plaintiffs to win their cases or even a settlement.

But he and Parisi both see data security litigation evolving in the same way as employment practices litigation did years ago and that means that risk is on the rise.

Parisi said he believes the issue now requires board attention and is now an operational risk.

This ruling is a wake-up call for companies. They need to be sure they have good data security policies and procedures. The case also highlights the importance of a well-rounded insurance policy that covers notification, defense and potential liability costs.

PATRICIA VOWINKEL has worked for national media outlets for more than 20 years.

April 1, 2011

Newsletter Sign-up