The Shopify Hacker-Powered Security Story » Get the Report from HackerOne!
Welcome Guest | Sign In
TechNewsWorld.com

Data Breach Lawsuits: A Growing Risk for E-Commerce

By John K. Higgins
Oct 6, 2018 5:00 AM PT
e-commerce companies should prepare defenses in advance for data breach litigation

This story was originally published on the E-Commerce Times on June 15, 2018, and is brought to you today as part of our Best of ECT News series.

The expanding world of Internet commerce likely will generate a corresponding expansion of data breaches, with the result that e-commerce businesses increasingly will become the targets of consumer class action lawsuits.

Breach litigation has become more prevalent as a result of a perceptible legal trend favoring consumers. Various federal appeals courts have allowed consumers to launch class action suits even though the alleged injury from a breach was small, or even nonexistent, in terms of a current and tangible financial loss.

Decisions in two back-to-back cases earlier this year appeared to solidify greater legal leverage for consumers. The cases involved online retailer Zappos.com, and bookseller Barnes & Noble.

Generally speaking, consumers need to achieve legal standing, addressed in Article III of the U.S. Constitution, in order to file a class action suit stemming from a data breach. Standing depends upon proving that some type of significant injury has occurred. That's an easy call if the members of a class have had their bank accounts drained by hackers who invaded the data base of a retailer or restaurant chain.

However, in a spate of recent cases, courts have tended to allow lawsuits based on a lower threshold for establishing injury. Minor actual costs, subjective opportunity costs, and the threat of future impacts -- even though no current theft or fraud has occurred -- have become viable reasons for class action suits.

Injury Rulings Favor Consumers

For example, the U.S. Court of Appeals for the Ninth Circuit in March reversed a lower court decision and allowed consumers to participate in a class action suit against Zappos, triggered by a breach reported in 2012. A district court had denied standing, ruling that the alleged harm was not significant enough.

However, the appeals court ruled that although the plaintiffs could not prove they had suffered any actual financial loss, their exposure to undetermined potential danger was enough to meet the legal standard for injury. The court said those consumers had "sufficiently alleged an 'injury in fact' based on a substantial risk that the Zappos' hackers would commit identify fraud or identity theft" in the future.

The Barnes & Noble case followed a similar path. The U.S. Court of Appeals for the Seventh Circuit in April overruled a district court that had rejected a consumer class action suit for lack of sufficient injury. The litigation resulted from a breach of consumer records due to the hacking of some of the company's PIN pad machines.

The district court five years earlier had ruled that the alleged injuries to the value of the consumers' personally identifiable information, time spent with bank and police officials, and emotional distress were not enough to establish injury.

Also, the inability to use bank accounts for several days was "not a monetary injury in itself," the court had said. The court also had ruled that the cost of resuming a credit monitoring service was only partly the result of the breach, and did not qualify as an injury.

In reversing the district court, the Seventh Circuit ruled that the plaintiffs met the legal test for injury "because the data theft may have led them to pay money for credit monitoring services," and "because unauthorized withdrawals from their accounts caused a loss (the time value of money), even when banks later restored the principal."

Additionally, "the value of one's own time needed to set things straight is a loss from an opportunity-cost perspective," the appeals court ruled.

This pattern of decisions in favor of consumers has been evident in an increasing number of courts. The Seventh U.S. appeals court "remains the friendliest circuit for data breach class action plaintiffs -- but its company is quickly growing," noted Edward McAndrew, a partner at Ballard Spahr.

"The D.C. Circuit, plus the third, eighth, and ninth, have all issued decisions that have allowed consumer data breach class actions to progress past initial motions to dismiss asserting pleading deficiencies," he told the E-Commerce Times.

The sixth and eleventh circuits were added to the group of U.S. appellate courts that "have found allegations of data theft with the attendant risk of future harm sufficient to confer Article III standing," according to a commentary by law firm Cleary Gottlieb.

"I think it's fair to say that more of these payment card class action data breach cases appear to be surviving challenges related to the Article III standing of the named plaintiffs," Joshua Jessen, a partner at Gibson Dunn, told the E-Commerce Times.

Effects on Damage Claims

The injury concept affects not only standing, but also another element consumers need to be successful. That is, proving to a court that there is sufficient injury to qualify for making damage claims. While related, the standing and damage arguments usually are treated separately in the pleading stage of litigation, when motions to dismiss are considered.

However, it's noteworthy that the appeals court in the Barnes & Noble case suggested that the injury basis for successful standing could be applied equally to the damage claim burden. That would relieve consumers from having to meet a separate and likely more stringent injury test for damages.

Importantly for defendants, however, the full context of the court's ruling tells a somewhat different story, according to Gibson Dunn's Jessen.

"At first blush, the Seventh Circuit's holding in Barnes & Noble appears to be favorable to consumers in payment card data breach class actions at the pleadings stage, but a closer inspection of the opinion illustrates that the court limited the application of the ruling to situations where plaintiffs are able to allege an actual 'present' loss," he explained.

"At least as to consumer data breach class actions, plaintiffs will continue to have a tough road ahead to meet their burden of proving actual damages caused by one particular data breach," said Ballard Spahr's McAndrew.

"This is due, in part, to the sheer number of breaches of the same individual information, and the fact that most plaintiffs do not appear to have suffered any economic harm traceable to a particular breach for which they haven't already been made whole by banks or other third parties," he pointed out.

That won't stop advocates from using the Seventh Circuit's language as a possible additional legal tool favorable to consumers, and as a result become a troublesome factor for companies targeted in lawsuits.

E-Commerce Defendants Forewarned

"Still, it's likely that the plaintiffs' class action bar will attempt to seize on the Barnes & Noble ruling when their claims are challenged at the pleading stage for failure to allege cognizable damages," Jessen said.

"It will be up to the defense attorneys to explain why the decision does not mean that pleading Article III injury is tantamount to pleading damages or cognizable harm under state law claims," he added.

"I agree that the Seventh Circuit's equating injury for standing and damages at the pleadings stage increases the leverage that plaintiffs will have at the early stages of a class action," said McAndrew.

"In the Seventh Circuit, at least, data breach class action plaintiffs will have a better chance of surviving these motions to dismiss, and the parties will head into discovery and additional motions practice," he observed.

"Data breach defendants therefore will have to value early settlement options differently than in past cases in which courts were more receptive to motions to dismiss based on standing or lack of damages," McAndrew noted.

Not all federal appeals courts have issued such favorable rulings to consumers in breach cases, and the split among jurisdictions may have to be resolved by the U.S. Supreme Court. However, the bottom line is that defending against class action breach suits likely will be much more challenging for e-commerce businesses in the future.


John K. Higgins has been an ECT News Network reporter since 2009. His main areas of focus are U.S. government technology issues such as IT contracting, cybersecurity, privacy, cloud technology, big data and e-commerce regulation. As a freelance journalist and career business writer, he has written for numerous publications, including The Corps Report and Business Week. Email John.


Facebook Twitter LinkedIn Google+ RSS
What best describes your video-calling preferences?
I almost always prefer video calls over voice calls.
I think video calls are very useful for some business purposes.
I enjoy video calls with friends and family, but not with business associates or strangers.
They are nice if planned in advance -- I don't like spontaneous video calls.
I find it difficult to speak naturally on video calls.
I feel video calls are a huge invasion of privacy.
I have never tried video calling, and I probably won't.