Lawrence Technology Services (LTS) recently published a post I authored on the subject of a company’s legal liability for a data security breach. I actually drafted the post a couple months ago, and since that time there has been some new case law addressing this issue. Below is a brief summary of these decisions and how they fit into the larger points raised by the LTS post.
Community Bank of Trenton v. Schunck Markets
The U.S. Court of Appeals for the Seventh Circuit, which issued one of the key decisions discussed in the LTS post, issued another decision involving data breach liability in April 2018. Unlike the prior case, which involved a class of consumers seeking damages due to the theft of their personal data, the plaintiffs in this most recent lawsuit are actually financial institutions that issue credit cards. The defendant, a chain of grocery stores, suffered a data breach in December 2012. Attackers acquired access to the defendant’s computer network and installed malware designed to harvest “track data,” i.e., information collected and transmitted to the customer’s bank or credit card issuer whenever a purchase is made.
Because of the malware’s presence, the attackers were able to access the track data from more than three-quarters of the defendant’s stores, including locations in Illinois and Missouri. The attackers subsequently sold the data, which was used by other parties to commit identity theft. The defendant itself failed to learn of the breach until March 14, 2013, and did not make a public announcement until March 30.
According to their lawsuit, the plaintiff financial institutions said as many as 2.4 million customer credit cards were compromised by the attack. Of particular note, an estimated 300,000 cards may have been affected during the last two weeks of March 2013–that is, during the time when the defendant knew of the data breach but failed to make a public announcement. Consequently, the plaintiffs sought compensation for their losses beyond what they already received under their respective credit card network contracts.
A federal judge in Illinois dismissed the plaintiffs’ lawsuit in a May 2017 order. A three-judge panel of the Seventh Circuit affirmed the district court. As the appeals court explained, the plaintiffs chose to participate in a credit card network that included the defendant as a merchant. This means that the defendant was subject to “assessments and fines from the card networks in the event that it was responsible for data breaches and unauthorized card activity.” But beyond that, neither Missouri nor Illinois state law recognizes a claim for additional “economic losses” suffered by a third party as the result of a data breach.
Ree v. Zappos.com, Inc.
Around the same time as the Seventh Circuit’s Schunck decision, the Ninth Circuit Court of Appeals in San Francisco issued a decision in a class action arising from a 2012 data breach involving a well-known online retailer. In this breach, attackers acquired the records of approximately 24 million customers.
The class action plaintiffs were all customers of the defendant. But only some of them had already suffered identity theft as a result of the data breach. Other plaintiffs alleged they were still at “imminent” risk of identity theft. Essentially, these plaintiffs were in the same position as the ones in the Seventh Circuit’s Neiman Marcus decision, which is discussed in the LTS post.
In the present case, the trial court held the “imminent risk” plaintiff lacked constitutional standing to sue the defendant. The Ninth Circuit disagreed. Indeed, the Ninth Circuit previously addressed this issue in a 2010 decision, when the court held that an “increased risk of future identity theft” was sufficient to establish standing. But there was some question as to whether the 2010 precedent remained good law in light of the U.S. Supreme Court’s 2015 decision in Clapper v. Amnesty International USA, which again is discussed in the LTS post.
Basically, the Supreme Court said a person could not sue based solely on a “speculative” injury arising from an unauthorized disclosure of personal data. But in this case, the Ninth Circuit said the purported injury was far from speculative. The plaintiffs alleged their credit card information was acquired by the attackers, and given that some plaintiffs have already been victims of identity theft, it was reasonable to assume that all of the plaintiffs were still at imminent risk.
Will Credit Card Companies Demand New Laws?
The Seventh and Ninth Circuits are both part of a growing judicial consensus that holds customers have the right to seek damages arising from a corporate data breach without having to wait for attackers to actually use their personal data. But the Seventh Circuit’s decision in Schunck also suggests that courts are reluctant to create new legal claims for third parties in data breach situations who seek damages outside of their existing contractual arrangements. Obviously, this will not be the last word on the subject, especially if financial institutions opt to lobby state legislatures for new statutory protections in this area.