Strategic considerations include whether suing puts you at risk if you are later breached and sued.
As data breaches increase in frequency, the much-publicized warning from data-privacy experts worldwide is becoming more true every day: It’s not a matter of if your data will be breached but when. Any entity that has experienced a data breach can tell you that dealing with the fallout can be incredibly costly. Indeed, a data breach can be costly even when it’s someone else’s data that has been breached.
When a large merchant, restaurant operator, or processor sustains a data breach and customers’ card data is stolen, it’s not just the compromised entity that can suffer financially. The financial institutions that issued the cards face economic losses too. Card issuers often incur costs for reimbursement to customers, remediation and associated expenses. These costs can be significant.
In the last few years, a number of credit unions and community banks have found themselves on the plaintiffs’ side of class-action data-breach litigation over the costs resulting from other parties’ data breaches. Several of these cases have resulted in large settlements. In 2015, Target Corp. agreed to pay almost $40 million to a class of banks and credit unions that sued over a 2013 data breach that affected at least 70 million consumers. In 2017, Home Depot agreed to pay $25 million to financial institutions that incurred costs as a result of a 2014 data breach that affected 56 million credit and debit card numbers. And, in February of this year, Wendy’s announced a $50 million settlement with financial institutions over a 2015-2016 data breach that affected 18 million cards.
So why aren’t all financial institutions that have been affected by a data breach lining up to act as plaintiffs in lawsuits seeking compensation from entities that allowed a breach?
As an initial matter, not all of these lawsuits have been successful. In 2017, a federal court in Colorado dismissed a lawsuit brought by credit unions affected by a 2016 cyberattack on hundreds of Noodles & Company restaurants. The court held the credit unions’ remedies were limited by the network of interrelated contracts that govern card processing, and that a specific legal doctrine—the economic loss rule—disallowed the credit unions’ negligence claims because Noodles’ duties were defined by these contracts.
Similarly, in 2017, a federal court in Illinois dismissed a complaint brought by banks and credit unions against Schnuck Markets over a hack that affected 2.4 million cards. The court found (among other things) there was no legal duty to support the plaintiffs’ negligence claims. That ruling was later affirmed on appeal. In short, a large settlement is not guaranteed.
Moreover, financial institutions may be looking ahead and deciding that acting as plaintiffs could have repercussions if they find themselves as data-breach defendants down the road. Among other things, a credit union acting as a plaintiff may have to take legal positions that it would not want to take if it were being sued. For example, a plaintiff in a data-breach suit is likely to advocate that the defendant (the breached entity) should have acted with the highest degree of care. But if the credit union is itself facing a lawsuit from one of its customers or business partners, it will want to advocate for a more limited standard of care. Ultimately, the credit union will therefore have to weigh the risk of advancing a higher standard of care as a plaintiff against the understanding that its own arguments could be used against it if it sustains a data breach.
Another such legal issue is standing. In simplified terms, Article III of the U.S. Constitution requires plaintiffs who want to bring a case in federal court to have suffered a “concrete, particularized, and actual or imminent” injury. Allegations of a possible or speculative injury do not suffice. In data breach litigation, defendants have had some success arguing that plaintiffs whose data had been stolen, but who had not incurred fraudulent charges or other costs as a result, lacked standing to sue, and that the cost of mitigating possible future harm was not enough to confer standing. As a data breach plaintiff, a credit union would want to advance the most expansive view of its own standing, one that takes into account the potential costs of mitigating future harm. As a data breach defendant, however, that same credit union may want to advocate the exact opposite position.
Another commonly litigated legal issue in credit union data breach suits is the economic loss rule. The economic loss rule generally prohibits a plaintiff from recovering for an economic loss under a tort theory (i.e. negligence), where: 1) there is no injury to a person or property; 2) damages can be recovered under a breach of contract theory; and 3) there is no tort duty separate from the claimed contractual breach.
As noted above, several defendants in credit union data breach suits have been able to defeat the claims by arguing that: 1) credit unions are parties to a contract (i.e. the network of contracts that connect the credit unions with payment processors that in turn are connected with merchants and the end consumer) and therefore cannot recover in tort; and 2) the data breach did not cause actual property damage because there was no physical destruction in the commonly understood sense of the word.
In some jurisdictions, based on the limitations imposed by the rule, credit unions may be able to successfully argue that the rule bars negligence claims for data breach by business partners or consumers with whom the credit unions have contractual relationships. Such an argument, however, may be more difficult to make for a credit union that has argued the opposite in prior public filings.
Whether or not it makes sense for a financial institution to undertake a lawsuit as a plaintiff is certainly beyond the scope of this article, given all of the unique circumstances and facts. What is clear is that there are issues to consider beyond just recouping losses caused by the breach.
Luke Sosnicki and Ashley Fickel are members of the Dykema law firm’s Los Angeles office. Scott Pressman, an associate in Dykema’s business litigation group, contributed to this article by providing critical research support.