Despite Rise in Data Breaches, Companies May Escape Litigation: Lawyers
While cyberattacks and the litigation that stems from them are growing concerns, companies can sometimes escape the legal thicket as courts increasingly are open to dismissing data breach cases, Hogan Lovell lawyers said during a podcast Monday.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
At the outset of litigation, during the motion to dismiss phase, companies have a chance to explain why a data breach should be thrown out, said Adam Cooke.
But he admitted success is a "mixed bag" since such cases have "evolved" from the days when “courts were more skeptical of data breach litigation in general” several years ago. Today, “the jurisprudence on data breaches has grown," and plaintiff arguments have become more “sophisticated.”
Cooke said standing is the key argument, centering on whether the plaintiff can prove a real injury, and that it can “be traced to the defendant's breach” or “conduct” (see 2510270015 and 2508270052). Additionally, whether the data was sensitive and if it was stolen versus published on the dark web, for example, also factor into court rulings.
Cooke and colleague Alicia Paller said basic negligence claims tend to survive motions to dismiss, while dismissed suits often involve privacy claims and the idea that there was “some intrusion into [plaintiffs’] private space.”
Cases survive when it's proved that a defendant "failed to safeguard personally identifiable information,” Paller added. However, some courts are "willing to dismiss [a] failure to timely notify" individuals of a breach, especially if the plaintiffs struggle to allege actual harm.
Hogan Lovells lawyer Allison Holt Ryan noted that judges have gotten increasingly skeptical of data breach cases, and that surviving a motion to dismiss is not “determinative” of the outcome of the case.
Since “data breaches are happening every day … it becomes really challenging for a plaintiff to say, ‘You know what? This particular data breach impacted me in this specific way based on this specific defendant's conduct, as opposed to the host of other breaches where my data has been impacted,’” Cooke said.
Paller said plaintiffs are also “putting forward new and more comprehensive expert reports” than they have in the past, where the expert functions “almost as a translator for the judge to understand some of these concepts that haven't been briefed over and over and to explain this new area of law.”
During oral argument at the 5th U.S. Circuit Court of Appeals on Monday, a panel judge expressed frustration that so many cases lack a trial, where experts can explain to judges modern technologies and concepts (see 2511030030).
But Paller said that since few cases make it beyond class certification, jury trials are lacking, though "several cases ... are now at the class-certification phase," and "being watched closely.” If more class certifications are “granted in plaintiffs' favor, I expect that we'll start to see more decisions on the merits soon.”