Tuesday, November 1, 2011

Landmark Data-Breach Class-Action Suit Ruled Actionable in Federal Court

In a decision likely to affect ongoing and potential data-breach litigation involving firms like Sony, Epsilon, and RSA, the Federal bench has allowed a potentially landmark suit to proceed, permitting negligence and contract claims in a putative class action.

Following the breach of 4.2 million credit card numbers by the Hannaford grocery store chain in 2008, 26 separate lawsuits were filed with claims of 1800 instances of unauthorized uses of the lost card numbers. The cases have since been consolidated into a single class action suit, John Anderson et al. vs. Hannaford Bros. Co. et al, now given the green light by the 1st U.S. Circuit Court of Appeals in Boston.

As reported by Judy Greenwald in Business Insurance News, the ruling is thought to be the first of its kind, marking a shift in judicial thinking on litigation resulting from the ever-growing spate of data breaches:

“Discussing the decision, Scott L. Vernick, a partner with law firm Fox Rothschild L.L.P. in Philadelphia, said until the ruling, potential class actions relating to data breaches generally have been dismissed early on, either because the plaintiffs did not have standing to sue or there was no threat of actual injury.”

According to the ruling, “Plaintiffs' claims for identity theft insurance and replacement card fees involve actual financial losses from credit and debit card misuse,” the court panel wrote in its Oct. 20 ruling. “Under Maine contract law, these financial losses are recoverable as mitigation damages as long as they are reasonable,” the court ruled in a reversal of a lower court ruling.

In a similar Federal appeals case (not a class action) involving the data breach of 32 million usernames and passwords by the online gaming site RockYou, a Federal Judge for the Northern District of California ruled unfavorably against the defendant in Alan Claridge v. RockYou, Inc.

As reported in InfoSecurity News in April:

RockYou filed a motion to have the lawsuit dismissed because the Plaintiff, Alan Claridge, had not demonstrated that he suffered actual harm from the breach. But Judge Phyllis Hamilton of the US District Court in the Northern District of California allowed the lawsuit to proceed.

"The court concludes that at the present pleading stage, plaintiff has sufficiently alleged a general basis for harm by alleging that the breach of his PII [personally identifiable information] has caused him to lose some ascertainable but unidentified 'value' and/or property right inherent in the PII. As such, the court declines to dismiss plaintiff's breach claims on grounds that plaintiff has failed to allege damages harm as a matter of law", Hamilton wrote.

Commenting on the ruling, InfoLawGroup noted that the ruling seems to be a shift in judicial thinking on data breach lawsuits.