Be Careful: Court Ruling Makes Data Breach Lawsuits Much Easier

Do you collect, store and use client and prospect data as part of your business? If so, you must know and follow the rules to keep your business safe from an expensive, unnecessary lawsuit.

Data breaches involving retailers and Internet services are common these days. Naturally, litigation has followed. Breaches involving such notable companies as Target, J.P. Morgan, Home Depot, and Sony have resulted in federal lawsuits claiming that the theft or exposure of private information caused harm to those whose information was compromised.

Federal courts dismissed early data breach cases, finding a lack of standing. This means that the courts found that the plaintiffs who filed suit had suffered no injury to warrant a lawsuit, as required by Article III of the U.S. Constitution.

In later years, however, the tide started to turn in the other direction when, in 2007, the Seventh Circuit Court of Appeals found that a threat of future harm could meet the injury requirement. The Ninth Circuit followed that lead in a case against Starbucks in 2010.

In 2013, the U.S. Supreme Court clarified the standard, ruling that threatened injury must be “certainly impending” to constitute an injury sufficient to support a lawsuit.

Since the Supreme Court’s decision, federal courts have struggled to define the level of necessary injury to support a valid data breach claim. In the Seventh Circuit, cases against Barnes & Noble and Neiman Marcus were both dismissed for lack of standing. The Ninth Circuit, however, did not abandon its position that a threat of future harm could meet the injury-in-fact requirement. In a case against Sony, the U.S. District Court for the Southern District of California found that the allegations of Sony’s collection and subsequent disclosure of personal information was sufficient to establish standing.

Most recently, in July 2015, the Seventh Circuit came full circle when it reinstated the previously dismissed class action against Neiman Marcus. In doing so, the appeal court held that there was a non-speculative, substantial risk of future harm.

What does this mean for you and your business? It means that you must follow established industry standards relating to the collection, use, and storage of data.

A Creative Business Lawyer can help you protect the confidentiality, integrity, and accessibility of data you collect. Make an appointment today to discuss any questions you have about data breach avoidance, or schedule a LIFT Start-Up Session, which includes employment structuring, financial, and tax systems you need for your business.