
ARTICLE

Data Breach Lawsuits on the Rise: Five Tips to Help Minimize Liability

Nelida Lara

Summary

  • For litigators, it is essential to understand the potential theories of liability involved in data breach lawsuits and to advise clients on how to protect themselves from such lawsuits.
  • It is important to understand the legal issues involved in these cases and to advise clients on how to protect themselves from these types of lawsuits.
  • By taking precautions, organizations can reduce their risk of facing a data breach lawsuit and minimize the impact if one does occur.

As the frequency of data breaches increases, plaintiffs are turning to new legal theories to bring claims against defendants. Organizations of all types and sizes are at risk of data breaches, which can result in severe financial losses and reputational damage. One recent case highlighting the issue is Trevor Miller v. Syracuse University, 5:21-CV-1073-LEK/TWD, 2023 WL 2572937 (N.D.N.Y. Mar. 20, 2023), in which the plaintiff alleged that the university's deficient cybersecurity measures caused a data breach compromising the sensitive information of almost 10,000 individuals. The plaintiff survived a motion to dismiss by alleging claims of negligence, breach of express and implied contracts, and deceptive practices under New York statutory law.

For litigators, it is essential to understand the potential theories of liability involved in data breach lawsuits and to advise clients on how to protect themselves from such lawsuits. Here are some practice points to keep in mind:

  1. Exposure to risk of identity theft may be sufficient to show standing. Many data breach cases in jurisdictions without statutes that grant private rights of action have struggled to survive motions to dismiss based on standing. To have standing to bring a lawsuit, the plaintiff must establish an injury-in-fact, which means a concrete and particularized harm that is actual or imminent, not conjectural or hypothetical. The mere risk of future harm generally does not qualify as a concrete harm. However, in Miller, the exposure of sensitive information to cybercriminals was deemed “plausibly offensive to a reasonable person,” similar to the harm in the common-law tort of public disclosure of private information. An injury-in-fact, thus, may include monetary loss, time and money spent responding to the breach, exposure to the risk of identity theft, and expenses reasonably incurred to mitigate the risk of future identity theft.
  2. A single allegation of potential data misuse might be enough to obtain injunctive relief. In data breach cases, plaintiffs must show that, without the requested injunctive relief, there is a sufficiently imminent and substantial risk of future harm. TransUnion LLC v. Ramirez, 141 S. Ct. 2190, 2197 (2021). In Miller, the plaintiff reported one instance of discovering an attempted unauthorized charge on his bank account. Importantly, the only discernible connection between the data breach and the attempted unauthorized charge was that the attempt occurred after the breach. Nevertheless, the court determined that this lone allegation of attempted bank fraud adequately demonstrated a sufficiently imminent and substantial risk of future harm, allowing the injunctive relief claim to proceed.
  3. Negligence claims may be viable in data breach cases. The plaintiff in Miller alleged that the university was negligent in its data security practices, leading to the data breach. New York law generally does not allow negligence actions seeking recovery for economic loss. Although the New York Court of Appeals hasn't directly addressed the economic loss doctrine’s applicability in data breach cases, several courts in the Second Circuit have found it does not apply. Thus, the court denied the defendant’s motion to dismiss the negligence claim based on the economic loss doctrine, which some courts have applied to data breach cases.
  4. Breach of contract claims can be based on express or implied promises. In Miller, the plaintiff alleged breaches of both express and implied contracts. The court denied the defendant’s motion to dismiss the breach of express contract claim, finding that the defendant’s privacy policy contained language definite enough to constitute a cognizable contract. Although the defendant argued that its policy did not contain a specific promise to provide a certain level of data security, the court found that language, such as stating that the university “put in place suitable physical, electronic, and managerial procedures to safeguard and secure” the information, was sufficient to survive a motion to dismiss. The court also determined that the plaintiff had adequately alleged a claim for breach of an implied contract based on the defendant’s conduct and the existence of the privacy policy.
  5. State laws regulating deceptive practices can also be alleged in data breach cases. In Miller, the plaintiff alleged a violation of New York General Business Law section 349, which prohibits deceptive acts or practices in the conduct of any business. The court denied the defendant’s motion to dismiss this claim, finding that the plaintiff had adequately pleaded several misrepresentations in the defendant’s privacy policy. Although the court dismissed a claim for violation of New York’s Shield Act because it does not provide a private right of action, statutes relating to deceptive practices still offer a means to bring claims for data breaches.

The takeaway from this recent case is that data breaches can be costly and damaging for organizations, and data breach lawsuits are becoming more common. As a litigator, it is important to understand the legal issues involved in these cases and to advise clients on how to protect themselves from these types of lawsuits. This includes implementing effective data security measures, drafting meticulous data security and privacy policies, and promptly addressing any data breaches that occur. By taking these steps, organizations can reduce their risk of facing a data breach lawsuit and minimize the impact if one does occur.