Lawyers: Defendants concede too fast in data breach suits

Plaintiffs are increasingly winning in the earlier stages of data breach litigation and defendants may be helping set unrealistic settlement figures out of a fear of going through discovery, attorneys on both sides of the issue agree.

“Instead of thinking of ways to make [the plaintiffs lawyer’s] life more difficult and fight class certification, people are settling,” said Baker & Hostetler data privacy lawyer Theodore J. Kobus III. He was speaking on a panel to a Philadelphia ballroom full of cybersecurity professionals attending NetDiligence’s annual Cyber Risk and Privacy Liability Forum.

“Are we going to stand up and challenge them on class certification and summary judgment?” asked Ronald I. Raether Jr., a partner at Dayton, Ohio-based Faruki Ireland & Cox.

Chandler Givens of Edelson PC was the lone plaintiffs lawyer on the panel — and the subject of a lot of lighthearted ridicule from the other panelists. But he may be getting the last laugh as courts across the country, regardless of state politics or which administration appointed the judge, are increasingly demonstrating what Mr. Raether described as a lack of patience with companies’ handling of data.

From Mr. Givens’ perspective, courts are beginning to realize the impact that data breaches have on those affected. So when a proposed class of plaintiffs say their data were breached, but they have yet to suffer harm, judges are increasingly finding that those plaintiffs still have standing to sue.

Mr. Givens likened plaintiffs data-breach litigation to Pac-Man — when the ghost comes, you run the other way.

“There is always going to be a way to plead your case based on what is happening in other circuits, and we’re going to find those and latch onto them,” he said.

Mr. Kobus said these cases don’t have to be about fear. He said plaintiffs are “preying on” defendants’ fear by using “outdated” statutory damages claims.

He noted one case he settled involved a $1.2 million settlement for a class of 750,000 people while another case involving 20,000 potential class members settled for $3.3 million. Pricing is difficult, particularly when actual harm hasn’t occurred yet, Mr. Givens said. But courts have shown skepticism toward settlements that consist only of credit monitoring, he said.

“You are essentially filing a lawsuit knowing you have a class that doesn’t have damages,” said Robert Parisi, managing director and national cyberrisk practice leader for insurance and risk management company Marsh.

Robin Campbell, an attorney with Crowell & Moring and founder of Click 4 Compliance, said the biggest trend since the highly publicized Target data breach has been cleaning up vendor contracts and ensuring vendors are going to pay if they are the cause of a company’s breach. Mr. Kobus noted there is a lot more pushback from vendors now, however, in an attempt to limit their liability.

Mr. Givens said it is important for a company to keep a consistent message across what it says in its breach notification letter, what it tells the general public and what its lawyers are saying. If one message says there were 50,000 people affected by the breach and another says there were 20,000, Mr. Givens said he could paint the picture for the court that the company doesn’t have a handle on its data.

The first thing plaintiffs lawyers ask for is the company’s written security policy and vendor management contracts.

“If you live by your policy, it’s difficult for us to make a case,” Mr. Givens said.

Gina Passarella: gpassarella@alm.com or 1-215-557-2494. Follow her on Twitter @GPassarellaTLI. To read more articles like this, visit www.thelegalintelligencer.com.

