Advisen FPN

Advisen Cyber FPN - Friday, December 1, 2017

California's Proposed Pandora's Box: Data Breach Suits Without Damage


Sometimes issues presented by new technology call for new and different legal approaches. Sometimes, though, they require the use of traditional legal concepts to avoid opening Pandora’s box and, to mix metaphors, starting down a slippery slope.

Such is the case with a newly proposed California Proposition aimed at doing something—anything—about the continuing and vexing problems with data breaches. Perhaps out of fear that data breaches are out of control and/or that this problem is a Frankenstein that must be tamed or destroyed, the proposal would provide sweeping rights and claims to consumers at the expense of businesses, while also creating a litigation bonanza.

The proposed Proposition in question was recently introduced by a San Francisco real estate developer named Alastair Mactaggart. It is currently being circulated for voters’ signatures; signatures of some 5% of the number of people who voted in the most recent California governor’s election are required to place it on the actual ballot. If enacted, the Proposition would make two significant changes.

The Proposed Prop

First, the proposal would require significant new disclosures from companies that collect, buy or share personal information. It would require businesses to disclose what they plan to do with such information and allow consumers to “opt out” once they know who’s using their information. It would also ban businesses from charging a higher price to those who make that choice.

Second, and perhaps more importantly, the measure would give new power to individuals to file civil lawsuits against a business after a data breach or for selling personal information once a customer says “no” to sharing, even if no damage has occurred.

Section 4.9 of the Proposition states unequivocally that a violation of the Act shall be deemed to be an injury in fact and a claimant need not suffer a loss of money or property to sue. To repeat: a claimant need not suffer any damage to sue—a pretty amazing concept since it essentially turns the entire body of jurisprudence relating to the concept of standing on its head. Perhaps recognizing the inherent difficulty in allowing lawsuits for no damage, the proposed Proposition goes further and provides a statutory remedy of $1000 for each violation.

What Would This Mean?

What would this mean? By allowing a private cause of action without damage and causation (damage linked to an act), California would open litigation floodgates for those who really suffer no recognizable harm. Take your typical data breach involving credit cards. The consumer rarely suffers any damage since, if there are fraudulent charges, the credit card companies and/or the banks pay them. Yes, it’s a pain to get a new card and number. But really there is no damage, at least of the type traditionally recognized as providing standing to use our judicial system.

This concept of standing is based on the idea that our court system should be reserved for those who suffer a loss connected in a causal sense to a wrongful act. If someone cuts you off in traffic it might make you mad, but that doesn’t mean you can sue the offender. Or, take the situation where a person has a rush-hour accident which creates a traffic delay. It may rob you of time but that doesn’t mean you can sue the person who had the wreck.

But with a California data breach, you may be able to sue. And more than that, your case can be combined with hundreds or thousands of others creating a significant exposure in litigation costs and risk for companies who then have little economic choice but to settle. And settle or fight makes little difference: at the end of the day, the costs of this will be borne by the consumer. No-damage lawsuits raise troubling questions: Do we really want to pay for lawyers to bring or defend these kinds of no-damage actions? Do we really want to help those who have no damage get a recovery?

And if enacted, this statute would impact companies outside of California who do business there or have California customers or consumers.

California’s UCL Experience

California’s experience under its Unfair Competition Law (UCL) is instructive. The UCL allows private suits for “unfair, deceptive, untrue or misleading statements or advertising”, among other things. In its original version, this Act did not require claimants to suffer actual damage linked to an offending act before they could sue. This quickly proved to be too much, creating frivolous lawsuits where no one was harmed. The UCL was quickly amended by Proposition 64 to require some loss of money or property by a plaintiff as a result of the offending act to bring an action. Even with this limitation, UCL claims still clog and vex the California court system.

The new proposed data breach Proposition would return California to the pre-Proposition 64 days, at least for data breach claims, and allow anyone to sue, with or without harm.

A Gross Negligence Standard?

Granted, the new proposed Proposition provides that a plaintiff must show gross negligence to pursue claims for data breach violations versus those involving the of authorization provisions. But the gross negligence definition is so broad as to appear to include even simple negligence: “‘Gross negligence’ means a failure to use reasonable diligence, including taking available steps, to maintain the security of a consumer’s personal information…”

What does this mean? What are “available steps”? And consider this: many breaches occur due to employee error and failure to take safeguards about which they have received training. When this happens, will the business be responsible even though it provided training the employee didn’t follow? Questions abound on all sides.

Will It Become Reality?

Given California’s experience, who knows if the Proposition will get on the ballot or if it will pass. And if it does pass, no doubt it will be tested in court. But it seems odd to acknowledge, on the one hand, that data breaches are almost impossible to prevent but then, on the other, allow undamaged claimants to sue when they occur. Perhaps in this case, traditional legal concepts are relevant to new questions created by our technology.

About the author: Stephen Embry is a member of Frost Brown Todd LLC and is a member of the firm's Class action, Privacy and Mass Tort groups. He frequently defends participants in consumer class actions and mass tort litigation. Stephen is a national litigator and advisor who is experienced in developing solutions to complex litigation and corporate problems. He is the former chair of Frost Brown Todd’s mass tort practice group. Stephen is also a member of fbtTECH, the firm’s technology industry group that focuses on the future and anticipating the ways in which technology will impact the legal system and the issues facing our clients.