June 27, 2022 - A decade ago, FBI Director Robert Mueller warned: "[H]ackers for profit do not seek information for political power — they seek information for sale to the highest bidder. These once-isolated hackers have joined forces to create criminal syndicates. Organized crime in cyber space offers a higher profit with a lower probability of being identified and prosecuted."
Former Director Mueller's warning, delivered on March 1, 2012, in a speech at the RSA Cyber Security Conference in San Francisco, has proved prescient and applies now more than ever, as the costs of data breaches escalate. Along with the high costs of responding to breaches have come the high costs of settling massive class actions in breaches affecting consumers. For example, on Jan. 13, 2020, the Chief Judge of the United States District Court for the Northern District of Georgia granted final approval of a class action settlement regarding the infamously massive Equifax data breach — a breach in which 147 million Americans saw their personal and financial information accessed.
The settlement includes over $380 million in an initial settlement fund, plus an additional $125 million if needed to pay for out-of-pocket losses. The court-approved class settlement in In re: Equifax Inc. Customer Security Data Breach Litigation also requires Equifax to pay "potentially $2 billion more if all 147 million class members sign up for credit monitoring."
Equifax is hardly alone. In the last decade, numerous well-known businesses have faced consumer class action lawsuits for violations of data privacy laws, including the Fair Credit Reporting Act (FCRA). The settlements in data breach class actions have reached well into the millions: Home Depot ($200 Million); Capital One ($190 Million); Uber ($148 Million); Morgan Stanley ($120 Million); and Yahoo! ($85 Million).
The number and size of settlements like these are playing a role as political leaders consider new legislation regarding data privacy protection, especially when considering whether to create private rights of action. At the same time, as a result of the proliferation of data breach litigation, the judiciary has confronted procedural requirements for litigants.
Supreme Court weighs in on standing in data breach class actions
In 2021, the Supreme Court raised the bar for putative class members to establish standing under the FCRA. In TransUnion LLC v. Ramirez, over 8,000 TransUnion customers brought a class action for violations of the FCRA. These customers suffered alerts being added to their credit files indicating that their names were potential matches on the Treasury Office of Foreign Assets Control's list of terrorists, drug traffickers, and other criminals.
Of those over 8,000 customers, 1,853 had their credit reports distributed to third parties. The Supreme Court concluded that only those 1,853 had standing to bring suit. The Court reasoned that only those customers who had their accounts disseminated to third parties could establish a "close relationship" with the harm articulated — being identified as potential terrorists, drug traffickers, or other criminals.
In the wake of TransUnion, plaintiffs will face tougher requirements to identify concrete injuries to establish standing to sue under the FCRA. In the context of such federal data breach class actions, allegations of future harm are likely to be inadequate. That raises the bar for federal class action plaintiffs who file suit immediately following a data breach, before any harm is pinpointed. Indeed, the Supreme Court in TransUnion recognized that an "asserted informational injury that causes no adverse effects cannot satisfy Article III [of the U.S. Constitution]."
The future of data privacy litigation
So where does that leave class plaintiffs? Instead of bringing suit in federal court on claims under FCRA, plaintiffs can turn to state courts — where standing requirements are typically lower — to advance various common law and state statutory claims. To date, however, California is the only state with a private cause of action for breach of its data privacy statute.
The California Consumer Privacy Act (CCPA) offers statutory damages between $100 and $750 per consumer per incident or actual damages, whichever is greater. (Cal. Civ. Code § 1798.150(a)(1)(A)). In determining statutory damages, courts are instructed to consider the following: "the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant's misconduct, and the defendant's assets, liabilities, and net worth." (Id. § 1798.150(a)(2)).
To date, other states have been reluctant to follow California's lead in enacting data privacy statutes with private causes of action, even while looking to the CCPA (and the newer California Privacy Rights Act) as a model when adopting new data privacy laws, as Virginia, Colorado, Utah, and Connecticut have recently done.
For example, a 2021 Florida bill, HB 969, included a private cause of action, which would allow customers to sue businesses that violated any provision of the law. After business interests resoundingly came out against the bill, it died. Similarly, the state of Washington recently failed to pass a data privacy bill primarily as a result of controversy over the bill's private cause of action.
Congress is currently considering a federal bill, the American Data Privacy and Protection Act, introduced in June 2022. The bill includes language to preempt many state data privacy laws, with exemptions for certain state laws including those in California and Illinois. The bill also includes language to provide for a limited private right of action. However, Congress has tried several times over many years to pass a comprehensive federal data privacy bill, without success.
How and whether Congress succeeds in its current effort remains to be seen. In any event, with the pending federal bill and numerous states considering their own new laws, this space remains one for businesses and their lawyers to keep watching carefully in 2022.
Fredric D. Bellamy is a regular contributing columnist on data privacy for Reuters Legal News and Westlaw Today.
Fredric D. Bellamy is a partner with Dickinson Wright PLLC, where he practices business litigation. His cases frequently involve scientific, technological, or other complex issues, including those relating to cybersecurity and data privacy issues, insurance coverage, environmental and toxic tort, and intellectual property claims. In 2018, he received a certification from Harvard's Office of the Vice Provost for Advances in Learning following completion of the course, "Cybersecurity: Managing Risk in the Information Age." He is based in Phoenix and can be reached at email@example.com.