Posts Tagged ‘data privacy’

HarrisMartin’s Data Breach Litigation Conference: The Coming of Age is scheduled for next Wednesday, March 25, 2015, at the Westin San Diego.  I’ll be speaking on a panel titled Creative Approaches to Settling Data Breach Cases with Ben Barnow of Barnow and Associates, P.C., Chicago.  So, the news this week was very timely that Target has reached a settlement in the consumer class actions arising out of its massive payment card breach.  Because a few clients and colleagues on both sides of the bar have asked for my opinion about the settlement, I thought I’d share a few thoughts here.

Settlements in data breach cases have been fairly rare up to this point, as many data breach cases have met their doom at the pleadings stage due to the inability of plaintiffs to show injury-in-fact sufficient to give them standing.  Payment Card cases have been an exception because there are real financial losses to consumers that can flow naturally from a hacking incident.  Importantly, these losses generally do not include the amount of any fraudulent card transactions because federal law limits consumer liability to $50 and the major card brands go further and impose $0 liability requirements on issuing banks.  However, other incidental losses, such as replacement card fees, interest, finance charges by other companies due to missed payments, to name a few, can result from a payment card breach.  For this reason, claims in several payment card class actions, including Target (Target Order on Motion to Dismiss) have survived motions to dismiss, leading many defendants to settle these cases.  Payment card class actions against Heartland Payment Systems, TJ Maxx, Michaels Stores, and others were all resolved by class-wide settlements.

The Target Settlement has been praised and derided by the mainstream and legal trade media with a host of characterizations ranging from “huge” to “affordable” to “tiny.”  In fact, Target’s settlement is not particularly groundbreaking beyond the media attention that it has garnered.  Instead, it shares many of the features of the payment card settlements that came before it, and it is not significantly different in terms of its cost or in terms of the benefits it would provide to consumers, if finally approved.

Here is a summary of some of the key features of the settlement:

Overall Costs to Target

Claims Fund.  Target is to pay $10M to create a fund to pay consumers who claim certain out-of-pocket losses and time spent in connection with those losses (discussed in more detail below).  The fund is non-reversionary, meaning unclaimed funds don’t go back to the defendant.  Instead, the agreement contemplates that the court will decide who unclaimed funds are to be distributed.  (For a discussion of how courts can deal with unclaimed funds, see this February 2010 CAB post.)

Attorneys’ Fees.  The plaintiffs will request court approval of up to $6.75M in fees.  Target may object to the initial request, but it may not appeal any decision by the trial court to award $6.75M or less.  Target must pay the fees awarded in addition to the $10M fund.

Settlement Expenses.  Target must pay for all settlement administrative expenses in addition to claims fund and fees.  This includes the expenses to provide both published and direct notice of the settlement to affected customers and the costs to administer claims and make payments to claimants if the settlement is finally approved.  For a class size as large as Target’s these costs can easily measure in the millions of dollars.

Total Payment by Target.  So, my guess it that the total payout by Target is likely to be closer to $19M, assuming the full amount of fees are approved.

Settlement Benefits to Consumers 

One of the attachments to the Settlement Agreement is a Distribution Plan that generally outlines the benefits available to claimants.  The Distribution Plan doesn’t itemize every conceivable loss that might qualify for compensation, but it attaches sample claim forms that give more insight into the specific benefits that are contemplated.  Most of the categories of reimbursable losses are similar to those provided for in other payment card settlements.  Here’s a summary, with some comments on each category:

  • Payment for unreimbursed, out-of-pocket expenses, with a $10,000 cap per claim – Note that due to the zero consumer liability rules on fraud losses, combined with the fact that payment card information cannot be used to commit other forms of identity theft, it is extremely unlikely that any individual person will have a claim for an amount near the cap.  If it were otherwise, then the fund would only be sufficient to pay 1000 claims.  Other payment card settlements have included individual caps for the most typical types of expenses, which rarely exceed $200 or so, with a separate fund available for extraordinary claims.  The Target settlement omits this smaller cap, perhaps because experience has shown that it is generally unnecessary to control unreasonable or fraudulent claims.
  • Payment for 2 hours of time at $10/hour associated with each type of actual loss claimed – Payments for time are an interesting feature of payment card settlements.  Because of the zero consumer liability for fraud loss imposed by the card brands, mere lost time and aggravation make up the vast majority of consumer impact in a payment card breach.  However, time and inconvenience are generally not considered injuries for which damages can be recovered, so by agreeing to pay for lost time, the defendant is agreeing to pay for something that the plaintiffs probably couldn’t recover if the case went to trial.  Nonetheless, there is nothing preventing defendants from offering these benefits in a class action settlement setting, and it has become common for defendants to offer payments for lost time.  Because claims for time are susceptible to fraud and abuse and are difficult to document, the amounts available tend to be limited to 1-3 hours.  Based on the sample claim form, the Target settlement seems to allow claims for time spent correcting fraudulent charges, but it doesn’t appear to allow claims for lost time resulting from card replacement (for example, having to change the number on automatic or recurring payments), which is something that affects far more consumers than fraud itself in the aftermath of a payment card breach.  Other payment card settlements have allowed claims for lost time for either fraud or for dealing with replacement card issues.
  • Two different types of claim forms – The settlement contemplates the ability to elect either a documented or undocumented claim.  Documented claims get priority in payment.  From a defendant’s perspective, undocumented claims are problematic, because they are susceptible to fraud and abuse.  From a consumer’s perspective, having to document claims is an added aggravation, on top of the aggravation  of having had to deal with the impact of the breach in the first place.  This structure offers a compromise that permits undocumented claims, but ensures that those claims that are documented will be paid first.

As a practical matter, given the size of the fund, it is likely that there will be plenty of money to pay all documented claims and all plausible undocumented claims.  In fact, in view of past settlements, it is extraordinarily unlikely that the amount of all legitimate claims will get even close to the $10 million available in the fund.  In the Heartland Payment Systems settlement, for example, arising out of an incident that impacted 130 million card holder accounts, the number of claims for reimbursement amounted to a grand total of $1925.  (See Judge Rosenthal’s Order in Heartland Payment Systems).  This miniscule claims amount was due undoubtedly to a lack of public familiarity with Heartland (a payment processor) as a brand and with the incident itself, two things that are certainly not true of Target, and claims rates in other settlements have certainly been higher despite having much smaller numbers of potential class members.  However, various media outlets have quoted a RAND Corporation researcher as estimating that less than $1 million of the $10 million fund will be claimed (see, for example, this article by Jason Abbruzzese at Mashable).

If he’s right, expect a fight ahead on what should happen with the $9M in unclaimed funds which, according to the agreement, “shall be distributed by the Settlement Administrator as directed by the Court.”  Cy pres anyone?

Read Full Post »

BakerHostetler’s 2014 Year-End Review of Class Actions (and what to expect in 2015) was published on February 2, and is available for download at the firm’s website.  This annual summary is a joint effort of numerous attorneys throughout the firm, but for the second year in a row, the 2014 edition was ably edited by Dustin Dow in the firm’s Cleveland Office.

As the title suggests, the 59-page document provides a comprehensive update on the key decisions and trends in a variety of subject matter areas, including consumer protection, insurance, banking, data privacy, antitrust, securities, and labor and employment, as well the latest procedural developments impacting class action practice, both throughout the United States and abroad.

It’s free, so don’t miss it!

Read Full Post »

Anyone still checking this site will have noticed a complete lack of new content lately, which is mostly the result of pure laziness on my part but partially due to the demands of several other writing projects I’ve been working on.  I’m pleased to announce that one of these articles it out, and the folks at Practical Law the Journal have graciously given permission for me to post a reprint here.  Click the following link to view the article, entitled Key Issues in Data Breach Litigation, which is featured in the October 2014 issue.  Please be sure to visit the Practical Law website to learn how to subscribe to more great content on timely legal topics.

Also, speaking of data privacy litigation, I’ll be part of a panel presenting on the topic at the ABA Institute on Class Actions next week in Chicago.  It’s not too late to register.

Read Full Post »

An article posted by my colleagues Judy Selby and Zack Rosenberg in the BakerHostetler Class Action Lawsuit Defense Blog raises some important issues for any company that could find itself the target of a class action lawsuit.  With the proliferation of data privacy and other consumer class actions, that’s just about any company these days.  The article, titled Courts Are Liberally Construing Litigation Insurance Coverage for Class Action Defenses and So Should Defendants, addresses the important issue of liability insurance covering class action lawsuits.  

I’m often surprised in speaking with in-house attorneys and risk management personnel that they are unaware of the extent to which their current insurance coverage might protect them if they were ever sued in a class action, and that they have not considered certain types of specialty lines insurance, such as cyber risk insurance, that might protect them from potentially catastrophic liability and defense costs arising out of a class action.  This is an especially important consideration for companies in industries that aren’t frequently targeted in class actions, because those companies may not think about the benefits of insurance protection until it’s too late.

Read Full Post »

Data breach cases are popular targets for class actions these days because a single incident of hacking or theft can expose the sensitive personal or financial information of millions of people at a time.  However, a key hurdle in these cases has been proof of harm sufficient to satisfy the Article III injury-in-fact standard for cases filed in the federal courts (or in state courts that apply a similar injury-in-fact standard).  Recently, plaintiffs have been attempting to get around the standing problem by alleging that they had to incur credit monitoring fees or other out-of-pocket expenses due to a fear of identity theft.

Shannon Tan, associate corporate counsel for Raymond James Financial, Inc., in St. Petersburg, FL, recently authored an insightful article for the IAPP newsletter The Privacy Advisor, titled Supreme Court Wiretap Ruling Upholds Stringent Standing-To-Sue Requirements.  Tan’s article discusses the potential impact of the Supreme Court’s decision in Clapper v. Amnesty International USA on the question of Article III standing in civil data breach cases.  Tan points out that while Clapper is case involving alleged wiretapping by the government, it is likely to make it more difficult for plaintiffs to meet the Article III standing requirements in civil data breach cases because data breaches often don’t result in any immediate harm but only a threat of potential future harm.  A threat of harm must be “certainly impending” to satisfy the Article III standard set forth in Clapper.  This issue is exacerbated in the class action context, because even if some members of the class can prove actual harm, such as identity theft, it is a rare case where the plaintiff would have some common proof that identity theft occurred for all class members, a problem that recently doomed certification of a class action in In re Hannaford Bros. Co. Customer Data Security Breach Litigation.

Read Full Post »

My article for the University of Denver Law Review’s Online Edition entitled Statutory Penalties and Class Actions: Social Justice or Legalized Extortion?  was posted today.  The article discusses potential reforms to address the problem of class actions for statutory penalties giving rise to potentially annihilating liability in cases involving little or no actual harm.  Please check it out.  While you’re there, check out some of the other excellent content on a wide variety of legal topics that the DU Law Review has to offer in its online supplement to its regular print publication.

Read Full Post »

Work commitments have prevented me from posting over the past week, but I wanted to take the opportunity to point out that there have been some notable developments in the privacy class action area over the past week.  Judy Selby covered these developments in a recent blog post for the BakerHostetler Class Action Defense and Data Privacy Monitor blogs.  Selby’s post, titled Hannaford v. comScore – Up and Down Results for Privacy Class Action Defendants, compares and contrasts two recent decisions, one granting and one denying class certification, in privacy cases.

Read Full Post »

Older Posts »


Get every new post delivered to your Inbox.

Join 57 other followers