Originally published July 12, 2010

Keywords: data breach litigation, consumer class action, claims, identity theft

On June 25, 2010, a federal court in New York granted summary judgment dismissing consumer class action claims against Bank of New York arising from the loss of unencrypted computer back-up tapes. Hammond v. The Bank of New York Mellon Corp., Case No. 1:08-CV-06060 (S.D.N.Y. June 25, 2010); 2010 WL 2643307 (BNY Litigation). 

The court held, among other things, that an alleged increased risk of identity theft constituted neither sufficient injury to confer Article III standing to sue nor, alternatively, legally compensable injury under any of the causes of action asserted by plaintiffs, which included negligence, breach of implied contract, breach of fiduciary duty, negligence per se, and purported violations of state consumer protection statutes. This decision is consistent with decisions of many other courts that have dismissed data breach claims for lack of standing or compensable injury. 

Although the weight of authority currently is against plaintiffs seeking to recover damages in data breach class actions, plaintiffs continue to bring these actions and assert new legal theories and variations of previously rejected theories based upon allegedly different facts. Many defendants have decided to settle these claims to avoid the cost and risk of continued litigation.

We expect plaintiffs will attempt to distinguish the BNY Litigation decision and other adverse precedents on their facts. Plaintiffs have argued, and likely will continue to argue, that increased risk of identity theft should be treated like increased risk of future medical injury, for which recovery is sometimes allowed depending upon the nature of the medical risk. Although courts have rejected this analogy so far, a few courts have left open the possibility that under a different set of facts, the increased risk of identity theft might be sufficient to support recovery. 

Plaintiffs also have argued that they should be entitled to nominal damages for breach of contract, which, in a class action, could result in a significant money judgment. The court in the BNY Litigation did not resolve this issue; instead, it dismissed the claim because plaintiffs never pled nominal damages. In addition, plaintiffs have sought injunctive relief to compel defendants to improve their data security systems or to stop representing that those systems are adequate. To date, courts have rejected these claims on the same grounds on which they have rejected damages claims, i.e., lack of standing or failure to establish an imminent threat of a legally recognized injury. Again, it is likely that plaintiffs will attempt to distinguish these cases. 

It also should be noted that federal and state regulators have authority to seek injunctive relief to compel companies to implement reasonable data security safeguards and to seek penalties under various consumer protection statutes. In fact, the Federal Trade Commission (FTC) has filed more than 25 cases challenging allegedly faulty data security practices by companies that handle sensitive consumer information. These cases generally allege either a violation of the FTC's Safeguards Rule promulgated pursuant to Title V of the Gramm-Leach-Bliley Act or a violation of Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive acts or practices.

Therefore, although courts so far have refused to open the floodgates to private class action litigation in data breach cases, compelling business and legal reasons remain for companies to comply with state, federal and international data security laws, to take swift and appropriate remedial action if a data breach occurs, and to give prompt notice of the breach to affected parties in the manner required by applicable state and federal laws. With 46 states and the District of Columbia having enacted data breach laws, compliance with the varying notice requirements is often challenging and cumbersome, so companies must have policies and procedures in place that allow them to respond quickly to a data breach involving sensitive employee or customer information. The first few days after a company learns of a data breach are a critical time for remedying the breach and, as a result, may become a principal focus of discovery if litigation ensues. It is therefore important both to take effective action and to appropriately document the action taken during this period. 


Copyright 2010. Mayer Brown LLP, Mayer Brown International LLP, Mayer Brown JSM and/or Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. All rights reserved.

Mayer Brown is a global legal services organization comprising legal practices that are separate entities (the Mayer Brown Practices). The Mayer Brown Practices are: Mayer Brown LLP, a limited liability partnership established in the United States; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales; Mayer Brown JSM, a Hong Kong partnership, and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.