Locke Lord QuickStudy: An Overview of Key Issues in Privacy and Cyber Litigation

“Recent inventions and business methods call attention to the next step which must be taken for the protection of the person, and for securing to the individual . . . the right ‘to be let alone.’”

Samuel Warren and Louis Brandeis, The Right to Privacy, 4 Harvard L.R. 193 (Dec. 15, 1890).

Warren and Brandeis’ article is widely regarded as the first American publication to advocate for a “right to be let alone.”  It highlighted the privacy invasions that result from “instantaneous photographs” and “numerous mechanical devices [that] threaten to make good the prediction that ‘what is whispered in the closet shall be proclaimed from the house-tops.’”

The technological landscape has changed dramatically since 1890, but personal information still risks being “proclaimed from the [digital] house-tops.”  Indeed, as more of our private data is gathered, stored and disseminated electronically, it becomes increasingly likely that an unauthorized third party will get access to that information.  That threat embodies the distinct but inherently connected principles of privacy and security, particularly cybersecurity.  The growing ability to protect electronic information duels with the corresponding ability to steal the same.

Our legal framework is racing to keep up with these advances in two ways: (1) by applying already existing laws and claims to the issues raised by ever developing technologies and digital transformation, or (2) by enacting new laws and regulations.  In either event, it is clear that privacy and cybersecurity litigation will continue and likely escalate.  This piece provides an overview of key issues to flag in such proceedings¹:

1. Does the plaintiff have standing to sue?

In order to have standing to bring any type of lawsuit, plaintiffs must be able to show that they have suffered a concrete injury that is traceable to the asserted wrongful action or inaction.  Plaintiffs attempt to show such injury by alleging:

• Actual damages or harm;
• A reasonable fear of future damages; and
• Statutory damages. 

Parties vigorously litigate a plaintiff’s standing to pursue privacy and cyber claims, but the courts have not reached a consensus on how to rule on the issue.  Litigants will focus on the facts and on the applicable law.  They will also watch for further guidance by state and federal appellate courts, including the U.S. Supreme Court.

2. What types of claims have been raised?

Many legal principles applied to privacy and cyber disputes are not new, but they are being applied differently to the current technology.  Plaintiffs tend to bring claims sounding in:

• Tort (such as negligence);
• Contract (such as breach of contract) or quasi-contract (such as unjust enrichment); and
• Statutory violations (such as the California Consumer Privacy Act or the Illinois Biometric Privacy Act). 

In addition, the boundaries of these doctrines will be tested even further as companies that already have access to some personal data start to expand into different industries (for instance, technology companies entering the health care industry).

3. What are the possible damages?

If a case survives a motion to dismiss for lack of standing, the plaintiff may seek a variety of remedies including:

• Compensatory damages;
• Contractual or liquidated damages;
• Punitive damages; 
• Statutory damages; 
• Injunctive relief; 
• Interest; and
• Reasonable attorney fees and costs. 

The potential amount of damages can be daunting, particularly if the matter involves multiple plaintiffs or a certified class action.  

4. Is this a class action?

Class actions may become more prevalent, raising complex issues such as: 

• Impact of a class action being filed, including from a public relations perspective;
• Increased issues if a class is certified; 
• Evidentiary issues; and
• Complicated settlement structures.

A critical hurdle in class action litigation is at the class certification stage, and the parties may expend a significant amount of time and resources during this process, particularly relating to factual and expert discovery.  Additionally, while most of the privacy and cyber-related class actions settle, that process can be costly and complicated.

5. Who is responsible?

Because most, if not all, cases are resolved on a motion to dismiss or through settlement, there has not been much guidance on who can (or should) be held liable for the privacy and cyber claims.  This raises a number of questions that should be considered during the litigation process:  

• Was the correct party sued?
• Can the company be responsible (whether by contract, common law, or statute) for an employee or a vendor action or omission?
• Was the cyberattack a result of shortcomings in the company’s administrative, technological or physical safeguards, or a misstep by the company’s personnel or service providers, or was there a bad actor such that the incident could not reasonably have been prevented?
• What test or standard determines the adequacy or inadequacy of the company’s administrative, technical and procedural safeguards?
• Should the company consider filing a third party complaint to bring in new defendants and on what basis for each?

As privacy and cyber claims continue to be litigated, the universe of parties who may be held liable for these claims will continue to expand.

6. What possible challenges can arise during the litigation process?

The litigation process can be unwieldly, even for simple matters.  This is only going to be exacerbated by the increasing complexity in the relevant technologies and subject matter.  Some of the factual and legal challenges will include:

• Proving or disproving harm;
• Explaining technical aspects;
• Establishing the meaning of “reasonable security measures” given constant developments in available technology;
• Managing multiple parties, counsel, and agendas; and
• Handling multiple cases related to the same situation. 

Preparedness for these challenges and the use of experts may help mitigate the risks. 

7. What should your company do after a cyber incident?

For matters arising out of a cyber incident, a lawsuit is usually filed quickly after the incident is disclosed, and therefore time is of the essence.  Here are a few of the steps that your company may consider taking immediately upon discovering a potential cyber incidence and that may be appropriate to incorporate into its response plan:    

• Consult with your insurer as appropriate;
• Engage experienced external counsel to lead the response;
• Consider attorney-client privilege and work product protection issues; 
• Keep a record of all actions taken to mitigate the situation;
• Evaluate all legal, regulatory and contractual notification requirements; and
• Consider scope of response as to legal, technical, crisis management and public relations activities. 

Conclusion: As more of our lives become dependent on technology, and as vulnerabilities in accessing personal data are exploited, it becomes increasingly likely that companies will become the target of a privacy or cyber related lawsuit.  While it may not be possible to completely avoid litigation, being prepared and understanding the issues may improve your strategic options. 

---
_{1 Future QuickStudies and articles will expand on these issues.}