Following the latest major security breach, this time aimed at Target Corp. in which data connected to approximately 40 million credit and debit card users was stolen, over a dozen lawsuits have been filed, including 3 class action lawsuits. The claims range from negligence in failing to protect customer data, to invasion of privacy, to failure to notify of the breach. And a number of states have breach notification laws requiring the attorney general be notified. This could also that governmental action will be taken possibly resulting in fines and penalties.
Civil lawsuits are becoming more prevalent to enforce data privacy policies and data protection laws. Thus far, the biggest hurdle to overcome by plaintiffs, is proving damages. Courts have dismissed a number of these suits simply because the plaintiffs could not establish that the data breach caused the plaintiff injury. Plaintiff’s schooled off previous cases are becoming more clever in carefully in establishing damages.
One of the early cases, Burrows v. Purchasing Power, LLC, 12-cv-22800-UU (S.D. Fla. Oct. 18, 2012), filed claims for identify theft, negligence, invasion of privacy, and a violation of Florida’s Deceptive and Unfair Trade Practices Act. The Plaintiffs, employee’s of Winn-Dixie, alleged that Winn-Dixie failed to protect and secure their personal information from theft. An employee of a Winn-Dixie service provider, Purchasing Power, had obtained the Plaintiff’s personal information and misused it. The case was eventually settled, and the defendants were required to maintain rigorous security safeguards going forward. In order to receive settlement proceeds the plaintiffs had to prove they were victims of fraud and the circumstances of any loss.
In another case, there was no data breach, rather the plaintiffs alleged that their personal information was collected and sold to media outlets without their consent. The claims included violations of the Electronic Communications, the Computer Fraud and Abuse Act and the Stored Communications Act. This Seventh Circuit upheld certification of the class action, giving little weight to the defendant’s argument that the plaintiffs would each have to establish damages.
A Massachusetts law, the Song-Beverly Credit Card Act, prohibited retailers from collecting ZIP code information, thus preventing retailers from using ZIP code to find other personal information. The Massachusetts Supreme Judicial Court broadened the term “personal information” to include ZIP codes and allowed the plaintiffs to proceed without having to establish that their data was compromised.
The number of cases involving claims of breach of data privacy or unauthorized use of information will undoubtedly continue to grow. Businesses must keep vigilante to ensure compliance data protection laws wherever customers are located. Take precautions to avoid inadvertent breaches and update data privacy policies at least bi-annually.