Class Action Suits in the Data Breach Context

The number of reported data security breaches has significantly increased of late, as has the number of lawsuits that focus on the alleged access to or misuse of personal information resulting from such breaches. These lawsuits are often brought as class actions in order to capitalize on the high number of individuals about whom misappropriated data pertain and the increasing public sensitivity to privacy and security issues in general. Historically, establishing standing and damages in such suits has proved difficult. Indeed, the vast majority of suits, class action or otherwise, premised on common-law theories (1) fail to survive the pleadings stage because courts generally deem proof of an increased risk of future identity theft insufficient to confer standing, and (2) are difficult to prove in the absence of clear standards of conduct against which companies can be judged.

Enter privacy laws—particularly those directed to payment card and health care information breaches—that provide for statutory damages, minimum security standards, and other things that merit increased attention and purport to allow privacy and security plaintiffs to avoid historical pitfalls in bringing suit.