“Recent inventions and business methods call attention to the next step which must be taken for the protection of the person, and for securing to the individual . . . the right ‘to be let alone.’”
Samuel Warren and Louis Brandeis, The Right to Privacy, 4 Harvard L.R. 193 (Dec. 15, 1890).
Warren and Brandeis’ article is widely regarded as the first American publication to advocate for a “right to be let alone.” It highlighted the privacy invasions that result from “instantaneous photographs” and “numerous mechanical devices [that] threaten to make good the prediction that ‘what is whispered in the closet shall be proclaimed from the house-tops.’”
The technological landscape has changed dramatically since 1890, but personal information still risks being “proclaimed from the [digital] house-tops.” Indeed, as more of our private data is gathered, stored and disseminated electronically, it becomes increasingly likely that an unauthorized third party will get access to that information. That threat embodies the distinct but inherently connected principles of privacy and security, particularly cybersecurity. The growing ability to protect electronic information duels with the corresponding ability to steal the same.
Our legal framework is racing to keep up with these advances in two ways: (1) by applying already existing laws and claims to the issues raised by ever developing technologies and digital transformation, or (2) by enacting new laws and regulations. In either event, it is clear that privacy and cybersecurity litigation will continue and likely escalate. This piece provides an overview of key issues to flag in such proceedings1:
1. Does the plaintiff have standing to sue?
In order to have standing to bring any type of lawsuit, plaintiffs must be able to show that they have suffered a concrete injury that is traceable to the asserted wrongful action or inaction. Plaintiffs attempt to show such injury by alleging:
Parties vigorously litigate a plaintiff’s standing to pursue privacy and cyber claims, but the courts have not reached a consensus on how to rule on the issue. Litigants will focus on the facts and on the applicable law. They will also watch for further guidance by state and federal appellate courts, including the U.S. Supreme Court.
2. What types of claims have been raised?
Many legal principles applied to privacy and cyber disputes are not new, but they are being applied differently to the current technology. Plaintiffs tend to bring claims sounding in:
In addition, the boundaries of these doctrines will be tested even further as companies that already have access to some personal data start to expand into different industries (for instance, technology companies entering the health care industry).
3. What are the possible damages?
If a case survives a motion to dismiss for lack of standing, the plaintiff may seek a variety of remedies including:
The potential amount of damages can be daunting, particularly if the matter involves multiple plaintiffs or a certified class action.
4. Is this a class action?
Class actions may become more prevalent, raising complex issues such as:
A critical hurdle in class action litigation is at the class certification stage, and the parties may expend a significant amount of time and resources during this process, particularly relating to factual and expert discovery. Additionally, while most of the privacy and cyber-related class actions settle, that process can be costly and complicated.
5. Who is responsible?
Because most, if not all, cases are resolved on a motion to dismiss or through settlement, there has not been much guidance on who can (or should) be held liable for the privacy and cyber claims. This raises a number of questions that should be considered during the litigation process:
As privacy and cyber claims continue to be litigated, the universe of parties who may be held liable for these claims will continue to expand.
6. What possible challenges can arise during the litigation process?
The litigation process can be unwieldly, even for simple matters. This is only going to be exacerbated by the increasing complexity in the relevant technologies and subject matter. Some of the factual and legal challenges will include:
Preparedness for these challenges and the use of experts may help mitigate the risks.
7. What should your company do after a cyber incident?
For matters arising out of a cyber incident, a lawsuit is usually filed quickly after the incident is disclosed, and therefore time is of the essence. Here are a few of the steps that your company may consider taking immediately upon discovering a potential cyber incidence and that may be appropriate to incorporate into its response plan:
Conclusion: As more of our lives become dependent on technology, and as vulnerabilities in accessing personal data are exploited, it becomes increasingly likely that companies will become the target of a privacy or cyber related lawsuit. While it may not be possible to completely avoid litigation, being prepared and understanding the issues may improve your strategic options.
1 Future QuickStudies and articles will expand on these issues.
Sign up for our newsletter and get the latest to your inbox.