Matthew D. Berkowitz is Member at Carr Maloney, P.C. in Washington, D.C. with significant class action experience...
Brian O’Shea is a litigation attorney who focuses his practice on employment and labor law, professional malpractice,...
John Czuba has 28 years’ experience in the publishing industry. Since 1994 he has worked for the...
Published: April 25, 2019
Podcast: Best’s Insurance Law Podcast
Category: Data & Information Security
Attorneys Matt Berkowitz and Brian O’Shea from the law firm Carr Maloney P.C. in Washington, DC discuss data breach class actions and what companies can do to protect their businesses from significant exposure.
Special thanks to our sponsor, AM Best Company, Best’s Recommended Insurance Attorneys & Adjusters, including Expert Service Providers.
The Insurance Law Podcast
The Growth of Class Action Lawsuits Involving Data Breaches
04/25/2019
[Music]
Intro: This is the Insurance Law Podcast, brought to you by Best’s Recommended Insurance Attorneys.
John Czuba: Welcome to the Insurance Law Podcast, the broadcast about timely and important legal issues affecting the insurance industry. I am John Czuba, Managing Editor of Best’s Recommended Insurance Attorneys.
We are pleased to have with us today attorneys Matthew Berkowitz and Brian O’Shea from the law firm Carr Maloney in Washington, DC.
Matthew Berkowitz is a member of the firm with significant class action experience, regularly representing national, regional, local corporations, employers, retailers, manufacturers, automobile dealerships, credit reporting agencies, financial institutions, debt collection agencies, law firms, among others, in class action and federal and state laws.
With the help of associate Brian O’Shea, Carr Maloney, P.C. has successfully defended class action lawsuits involving mass torts, products liability, defective design and warranty claims, cybersecurity and data breach, and consumer protection claims.
And gentlemen, we’re very pleased to have you both with us this morning.
Matthew Berkowitz: Thank you.
Brian O’Shea: Thank you very much.
John Czuba: And Matt, we’ll start our questions with you today. Can you please talk about the growth of class action lawsuits involving data breaches?
Matthew Berkowitz: Sure, absolutely. This is an area where breaches and data breaches have exponentially increased over the last few years. Recent statistics show that only 37% of businesses actually track and control the sensitive data that they have. And as a result, that’s part of the main reason why data breaches have increased so much.
For example, in 2014-2015, there was an increase in data breaches by almost 40%. And then, in 2018 alone the United States had 1.244 million recorded data breaches with over 446 million records exposed.
And the scary thing about this is, with all these records exposed, 80% of the companies that were hacked or that had the breach, it took them at least a week to discover that there was a breach. And this becomes significantly dangerous because during that week’s time, certainly if it happened, if it was discovered within 24 hours, they could have pulled information back. They could have put remedial measures in place, but because it took so long to discover, by then the information was gone. And the hacker, perhaps, is using someone’s credit card information, or gaining financial access, or changing or stealing a person’s identity.
And currently, there is no comprehensive Federal law, but the Federal law to guard against that companies need to abide by is in the works.
Brian O’Shea: And I’ll just add on to what Matt was saying, data breaches and data breach class actions are becoming more and more newsworthy. Hardly a week or a month goes by without us hearing about a significant data breach.
Just for example, companies like Equifax, Target, Yahoo and Facebook have all recently faced significant data breaches and data breach class action litigation just in recent months. So these class actions are becoming more and more newsworthy and a greater part of the class action environment.
John Czuba: Thank you, Brian. We’ll continue a little bit with you. These are all large, and national, and international companies that you’ve mentioned, but what about smaller or medium sized businesses? Do they also have to be worried?
Brian O’Shea: Absolutely, they need to be worried. Any company that keeps customer data on a computer needs to be concerned about data breaches and potential litigation arising out of these data breaches. These companies could be law firms, doctors’ offices, mom and pop retailers, as well. And often, these smaller to medium sized companies don’t have the resources to protect themselves from a data breach, like a company like Target or Facebook might have. They don’t have the expertise and they’re not as tech savvy. So that can potentially create even greater problems for them.
John Czuba: And Matt, what are some of the hot or topical issues in data breach class actions now?
Matthew Berkowitz: Sure. That’s a really good question. There are three areas in class actions involving data breaches specifically that often arise as far as legal issues that the parties often fight over. There are standing issues, something known as ascertainability, and predominancy.
And Brian, I will just talk about them very briefly. The first one is standing. In order to bring a class action lawsuit, the lead plaintiff needs to have standing. And that means the Supreme Court recently in Spokeo reaffirmed that the lead plaintiff needs to suffer a concrete and particularized harm.
(00:05:07)
There needs to be a tangible harm to the plaintiff himself or herself. A lot of times, you can bring these class actions based upon a data breach, and a lot of these class members, their harm or the injury that they have suffered is merely just fear that their data was exposed, and they are claiming perhaps, the plaintiff might be claiming that someday, my data was taken today, but sometime in the future somebody might use my identity. And the majority of jurisdictions say, that’s not enough. It’s kind of like the idea that if a tree falls in a forest but nobody hears, doesn’t make a sound, it’s kind of that analogous.
Some courts have ruled that’s enough, the mere fear that your data was taken is enough to give a plaintiff standing, but the majority of jurisdictions say that fear itself is not enough. And so often defendants can get out of those lawsuits by arguing that the plaintiff lacks a concrete injury, enough to give that lead plaintiff standing to represent an entire class.
Brian, I think, is going to talk about ascertainability.
Brian O’Shea: Yes, ascertainability is another potential defense that’s often used. And all ascertainability is determining who is a member of the class and who is not a member of the class. And generally, for a class to be ascertainable, there need to be — the class needs to be formed from objective criteria. And this is usually done by looking at the company’s records, who is the defendant in the lawsuit.
With data breaches, this ascertainability becomes especially complex, because we could be talking about potentially, thousands, tens of thousands, or even millions of potential class plaintiffs. Additionally, with data breaches, it can be very hard to identify whose data was actually breached.
This can take a significant amount of time, and it’s possible that a clear answer might never be reached. So it can be very difficult in the data breach space to determine who is actually a member of the class, who is not, and this is why this is such a common issue in defense that comes up in these cases.
Matthew Berkowitz: And then dovetailing off that is the predominancy. This predominancy issue comes right out of the Rule 23, which governs class action. And Rule 23(b) talks about common questions must predominate over individual questions. It often, in class actions, there may be some individual questions that vary from class member to class member. But the idea is that there needs to be commonality. The common questions must predominate. And in a data breach, you may have kind of what Brian was talking about and what I was talking about earlier, especially with respect to damages that there are a lot of different questions about individual harms, for example.
A lot of questions of whether — we have a data breach, but who, you start asking questions of whose information was exposed. Of those people whose information was exposed or breached, how many of those people are just based on fear — suffered damages based on fear alone? How many of those people had actual damages themselves other than fear?
And it leads to what’s called individual inquiries, and we have these individual inquiries whether it may be for example, economic harm. You start asking, what is the harm? And each person’s harm is different. And once you get into a place of each harm is different, you start resulting in, essentially, mini trials. You start having to have a trial on everybody’s damages or everybody’s individual question.
And it’s these mini trials that class actions seek to avoid. But the idea is to do, for a class wide resolution, you want to be able to handle this case in one fell swoop.
Now, courts, on the other hand, often will, for purposes of liability, run it as a class action but then bifurcate and have individual cases in terms of damages.
So those are kind of the three hot topics in the class action arena when the underlying matter involves a data breach.
John Czuba: So Matt, what can companies do to guard against data breaches and protect their businesses from significant exposure?
Matthew Berkowitz: I think there’s a lot of things that companies not only can do but they should be doing, no matter how big their size. And the first thing, and Brian talked about it a little bit about the resources that, yes, the smaller businesses, the mid-sized businesses, they may not be as tech savvy, but every business that holds sensitive data should hire an IT consultant or an in-house expert to help guide them.
(00:10:07)
And it’s important, in doing that, that person that you hire or retain can help identify the sensitive data. I mean that’s in what procedures and policies you need to put in place to protect that data.
The first step is identifying what data is it that you have that is sensitive. Are you a doctor’s office that has medical information that’s going to be sensitive, a law firm that has attorney-client privileged information, a business that has credit card records?
What data do you have? Where is that data stored and who has access to that data? Just because you have access to the data doesn’t mean that everybody in the company needs to have access to it.
And that kind of gets to the next thing, making sure that there is proper training, policies, and procedures, that employees are aware of the data and you can go through that, especially with having security measures, and that leads to training about passwords, that passwords should constantly be changed every 30, 60, 90 days. At most 90 days.
Employees should be trained not to use common passwords. Also, should be trained about a lot of big things. Hacks today occur through phishing emails, where it looks like it’s an email intended. There should be — employees should be trained how to respond and react to that if they’re not sure if the email is intended for them.
In addition, talking about physical lock up of security, maybe their laptops, firewalls, who has access, limited access to certain employees. Separate networks. Keeping the server locked up. Having the server located at a third-party vendor.
A lot of different things that just little things that I’ve just mentioned in the few minutes with the help of an IT consultant or an in-house expert could protect the company from a data breach, as well as liability and significant exposure.
The other thing, in the event there is exposure, I think that one of the best pieces of advice for business is to make sure that they have a cybersecurity policy in place, especially for smaller businesses, a lot of them, they will get a CGL policy or just think their standard policy is going to cover a data breach, often, they don’t.
It’s important for businesses to contact their broker and ask about a specific policy with respect to data breaches.
Brian O’Shea: And I’ll just make one last point based on what Matt said. Just like companies take seriously the possibility of someone physically breaking in and taking files out of a file cabinet or medical records out of a doctor’s office, data breaches are essentially the same thing, and they should take it just as seriously, even though the breach itself happens in cyberspace and is not actually a physical break in.
John Czuba: Gentlemen, thank you both so much for joining us today.
Matthew Berkowitz: Thank you very much.
Brian O’Shea: Thank you.
John Czuba: That was Matthew Berkowitz and Brian O’Shea from the Carr Maloney Law Firm in Washington, DC. And special thanks to today’s producer, Frank Vowinkel.
And thank you all for joining us for The Insurance Law Podcast. To subscribe to this audio program, go to our web page, www.ambest.com/claimsresource. If you have any suggestions for a future topic regarding an insurance law case or issue, please email us at [email protected].
I am John Czuba, and now this message.
[Music]
Outro: Best Insurance Professionals and Claims Resource is the top website for locating qualified professionals and need-to-know insurance information for the claims market, brought to you by A.M. Best, the world leader in insurance industry information. Visit ambest.com/claimsresource.
Best's Insurance Law Podcast features discussions with leading insurance attorneys about timely industry issues.