Feeds:
Posts
Comments

Posts Tagged ‘data breach’

Along with Angela Sabbe of Navigant Consulting, I recently participated in an ABA “Sound Advice” podcast discussing recent trends in data privacy class action settlements.  Members can access the podcast by clicking the link below.  If you aren’t already a member of the ABA section of litigation, you can join by clicking this link.  You’ll get access to this podcast and other useful materials to help supplement your professional development.

http://www.americanbar.org/publications/litigation-committees/class-actions/audio.html

Read Full Post »

I authored a recent article on developments in data privacy class actions, which was published late last week as part of a year-in-review series on BakerHostetler’s Data Privacy Monitor.  For my article, titled 5 Big Developments in Privacy Class Actions in 2015, and 3 to Look for in 2016 and for other great content on data privacy issues, including class action developments, be sure to check out www.dataprivacymonitor.com.

 

 

Read Full Post »

Yesterday, U.S. District Judge Paul Magnuson issued an order granting certification in the consolidated MDL proceeding brought on behalf of issuing banks claiming damages resulting from Target’s 2013 payment card hacking incident.  Click Here for a copy of the order.  The BakerHostetler Class Action Lawsuit Defense Blog will feature a more detailed write-up on the decision soon.

In the way of initial reaction, I don’t think the decision will be impactful in cases outside the specific context of issuing bank class actions against retailers in payment card breach cases because of unique issues having to do with common injury and causation of loss.  In particular, in evaluating whether variations in injury and causation should prevent certification, Judge Magnuson distinguished the issuing bank case from the class actions brought on behalf of individual consumers arising from the same breach.  Judge Magnuson observed that while the injuries alleged by consumers are largely potential future injuries that may or may not occur, the banks claimed to have already suffered concrete injuries in the form of the cost of reissuing cards to customers.  Thus, he reasoned that the any individualized issues regarding causation and injury were not present with regard to the financial institutions’ claims, and any issues regarding variations in the amount of damages did not prevent class certification.  This distinction means that the decision will be of limited value to plaintiffs in consumer data breach class actions.

Read Full Post »

HarrisMartin’s Data Breach Litigation Conference: The Coming of Age is scheduled for next Wednesday, March 25, 2015, at the Westin San Diego.  I’ll be speaking on a panel titled Creative Approaches to Settling Data Breach Cases with Ben Barnow of Barnow and Associates, P.C., Chicago.  So, the news this week was very timely that Target has reached a settlement in the consumer class actions arising out of its massive payment card breach.  Because a few clients and colleagues on both sides of the bar have asked for my opinion about the settlement, I thought I’d share a few thoughts here.

Settlements in data breach cases have been fairly rare up to this point, as many data breach cases have met their doom at the pleadings stage due to the inability of plaintiffs to show injury-in-fact sufficient to give them standing.  Payment Card cases have been an exception because there are real financial losses to consumers that can flow naturally from a hacking incident.  Importantly, these losses generally do not include the amount of any fraudulent card transactions because federal law limits consumer liability to $50 and the major card brands go further and impose $0 liability requirements on issuing banks.  However, other incidental losses, such as replacement card fees, interest, finance charges by other companies due to missed payments, to name a few, can result from a payment card breach.  For this reason, claims in several payment card class actions, including Target (Target Order on Motion to Dismiss) have survived motions to dismiss, leading many defendants to settle these cases.  Payment card class actions against Heartland Payment Systems, TJ Maxx, Michaels Stores, and others were all resolved by class-wide settlements.

The Target Settlement has been praised and derided by the mainstream and legal trade media with a host of characterizations ranging from “huge” to “affordable” to “tiny.”  In fact, Target’s settlement is not particularly groundbreaking beyond the media attention that it has garnered.  Instead, it shares many of the features of the payment card settlements that came before it, and it is not significantly different in terms of its cost or in terms of the benefits it would provide to consumers, if finally approved.

Here is a summary of some of the key features of the settlement:

Overall Costs to Target

Claims Fund.  Target is to pay $10M to create a fund to pay consumers who claim certain out-of-pocket losses and time spent in connection with those losses (discussed in more detail below).  The fund is non-reversionary, meaning unclaimed funds don’t go back to the defendant.  Instead, the agreement contemplates that the court will decide who unclaimed funds are to be distributed.  (For a discussion of how courts can deal with unclaimed funds, see this February 2010 CAB post.)

Attorneys’ Fees.  The plaintiffs will request court approval of up to $6.75M in fees.  Target may object to the initial request, but it may not appeal any decision by the trial court to award $6.75M or less.  Target must pay the fees awarded in addition to the $10M fund.

Settlement Expenses.  Target must pay for all settlement administrative expenses in addition to claims fund and fees.  This includes the expenses to provide both published and direct notice of the settlement to affected customers and the costs to administer claims and make payments to claimants if the settlement is finally approved.  For a class size as large as Target’s these costs can easily measure in the millions of dollars.

Total Payment by Target.  So, my guess it that the total payout by Target is likely to be closer to $19M, assuming the full amount of fees are approved.

Settlement Benefits to Consumers 

One of the attachments to the Settlement Agreement is a Distribution Plan that generally outlines the benefits available to claimants.  The Distribution Plan doesn’t itemize every conceivable loss that might qualify for compensation, but it attaches sample claim forms that give more insight into the specific benefits that are contemplated.  Most of the categories of reimbursable losses are similar to those provided for in other payment card settlements.  Here’s a summary, with some comments on each category:

  • Payment for unreimbursed, out-of-pocket expenses, with a $10,000 cap per claim – Note that due to the zero consumer liability rules on fraud losses, combined with the fact that payment card information cannot be used to commit other forms of identity theft, it is extremely unlikely that any individual person will have a claim for an amount near the cap.  If it were otherwise, then the fund would only be sufficient to pay 1000 claims.  Other payment card settlements have included individual caps for the most typical types of expenses, which rarely exceed $200 or so, with a separate fund available for extraordinary claims.  The Target settlement omits this smaller cap, perhaps because experience has shown that it is generally unnecessary to control unreasonable or fraudulent claims.
  • Payment for 2 hours of time at $10/hour associated with each type of actual loss claimed – Payments for time are an interesting feature of payment card settlements.  Because of the zero consumer liability for fraud loss imposed by the card brands, mere lost time and aggravation make up the vast majority of consumer impact in a payment card breach.  However, time and inconvenience are generally not considered injuries for which damages can be recovered, so by agreeing to pay for lost time, the defendant is agreeing to pay for something that the plaintiffs probably couldn’t recover if the case went to trial.  Nonetheless, there is nothing preventing defendants from offering these benefits in a class action settlement setting, and it has become common for defendants to offer payments for lost time.  Because claims for time are susceptible to fraud and abuse and are difficult to document, the amounts available tend to be limited to 1-3 hours.  Based on the sample claim form, the Target settlement seems to allow claims for time spent correcting fraudulent charges, but it doesn’t appear to allow claims for lost time resulting from card replacement (for example, having to change the number on automatic or recurring payments), which is something that affects far more consumers than fraud itself in the aftermath of a payment card breach.  Other payment card settlements have allowed claims for lost time for either fraud or for dealing with replacement card issues.
  • Two different types of claim forms – The settlement contemplates the ability to elect either a documented or undocumented claim.  Documented claims get priority in payment.  From a defendant’s perspective, undocumented claims are problematic, because they are susceptible to fraud and abuse.  From a consumer’s perspective, having to document claims is an added aggravation, on top of the aggravation  of having had to deal with the impact of the breach in the first place.  This structure offers a compromise that permits undocumented claims, but ensures that those claims that are documented will be paid first.

As a practical matter, given the size of the fund, it is likely that there will be plenty of money to pay all documented claims and all plausible undocumented claims.  In fact, in view of past settlements, it is extraordinarily unlikely that the amount of all legitimate claims will get even close to the $10 million available in the fund.  In the Heartland Payment Systems settlement, for example, arising out of an incident that impacted 130 million card holder accounts, the number of claims for reimbursement amounted to a grand total of $1925.  (See Judge Rosenthal’s Order in Heartland Payment Systems).  This miniscule claims amount was due undoubtedly to a lack of public familiarity with Heartland (a payment processor) as a brand and with the incident itself, two things that are certainly not true of Target, and claims rates in other settlements have certainly been higher despite having much smaller numbers of potential class members.  However, various media outlets have quoted a RAND Corporation researcher as estimating that less than $1 million of the $10 million fund will be claimed (see, for example, this article by Jason Abbruzzese at Mashable).

If he’s right, expect a fight ahead on what should happen with the $9M in unclaimed funds which, according to the agreement, “shall be distributed by the Settlement Administrator as directed by the Court.”  Cy pres anyone?

Read Full Post »

In keeping with the time-honored tradition of end-of-the-year top 10 lists, I’ve assembled my annual list of the top 10 most significant class action developments below.  Whether these are actually the top 10 most significant decisions over the past year may be subject to reasonable debate, so please feel free to add your own favorites in the comments section.

1. Certiorari denied in “moldy washer” cases – In my view, the single biggest development impacting class action practice over the past year was the Court’s decision not to take on the question of “issue certification” presented in the Sears and Whirlpool “moldy washer” cases.  This non-decision opens the door for significant litigation over whether isolated issues should be certified for class treatment even where significant individual litigation would be necessary following resolution of the class wide issues.

2. Judge Posner’s class action settlement decisions – Judge Posner wins the award for the jurist having the single biggest impact on class action practice in 2014.  In addition to the Supreme Court declining to take on review of his decision in one of the “moldy washer” cases, Butler v. Sears, Roebuck & Co., Judge Posner authored two significant (and harshly worded) decisions discussing the standards for evaluating the fairness of class action settlements, including Eubank v. Pella Corp., Nos. 13-2091, -2133, 2136, -2162, 2202 (7th Cir., June 2, 2014), and Redman v. RadioShack Corp., case number 14‐1470, 14‐1471 and 14‐1658 (7th Cir., Sept. 19, 2014).  These decisions are emblematic of a more general trend in the courts of subjecting class action settlements, especially coupon settlements, to ever-greater scrutiny.

3. Basic framework remains largely unchanged after Halliburton II – One of only three Supreme Court decisions of significance on class action issues this past year, the Court largely maintained the status quo in declining to overrule the framework for evaluating “fraud on the market” theory of reliance in securities class actions.

4. Whirlpool trial ends with victory for the defendant – Not long after the Supreme Court declined review, the first of the “issue” class cases went to trial against Whirlpool.  The trial ended in a defense verdict, although as I wrote in October, I’m not sure that’s necessarily a good thing for defendants in the long-term.

5. Court clarifies removal pleading standards in Dart Cherokee Basin Operating Co. v. Owens – In one of the Roberts Court’s most helpful class-action-related decisions, at least from a practical standpoint, the majority removed barriers to corporate defendants’ ability to remove cases under the Class Action Fairness Act (CAFA), clarifying that jurisdictional facts need only be pled, not supported by evidence, in the notice of removal.

6. California Supreme Court issues significant decision on the use of statistical evidence to support class certification – An individual state court decision has to be pretty significant to make my annual top 10 list, but I think Duran v. U.S. Bank National Association fits the bill.  The decision is one of the most comprehensive to date in addressing the potential pitfalls of reliance on statistics as a proxy for common, class wide proof.

7. Supreme Court holds in AU Optronics that consumer actions brought by state attorneys general are not “mass actions” subject to the Class Action Fairness Act – It’s probably a misnomer to call AU Optronics a “class action” case, since the issue presented was whether actions brought by state AGs on behalf of consumers were “mass actions.”  But because the case involved interpretation of CAFA, it makes this year’s list.

8. International class and collective action litigation continues to expand – Class, collective, and multi-party actions continue to expand outside of the United States and Canada.  Examples included France joining the list of Civil Law jurisdictions in Europe to enact a “class action” law, and a group action in Austria, joined by more than 25,000 litigants, challenging Facebook privacy policies.

9. Data breach class actions proliferate – High profile data breaches and hacking incidents made news, and resulted in class actions, in 2014.  From a rash of payment card breaches impacting customers of large retailers like Target and Home Depot to the more recent Sony hacking incident, data breach class action litigation shows no signs of slowing down any time soon.

10. Supreme Court grants, then dismisses, certiorari in Public Employees’ Retirement System of Mississippi, v. IndyMac MBS, avoiding a high court ruling on the question of whether statute of repose can be tolled for absent class members under the American Pipe tolling doctrine.  In what has become a trend of the past year, this is yet another missed opportunity for the Supreme Court to address a class action issues of significance.

Read Full Post »

Anyone still checking this site will have noticed a complete lack of new content lately, which is mostly the result of pure laziness on my part but partially due to the demands of several other writing projects I’ve been working on.  I’m pleased to announce that one of these articles it out, and the folks at Practical Law the Journal have graciously given permission for me to post a reprint here.  Click the following link to view the article, entitled Key Issues in Data Breach Litigation, which is featured in the October 2014 issue.  Please be sure to visit the Practical Law website to learn how to subscribe to more great content on timely legal topics.

Also, speaking of data privacy litigation, I’ll be part of a panel presenting on the topic at the ABA Institute on Class Actions next week in Chicago.  It’s not too late to register.

Read Full Post »

Data breach cases are popular targets for class actions these days because a single incident of hacking or theft can expose the sensitive personal or financial information of millions of people at a time.  However, a key hurdle in these cases has been proof of harm sufficient to satisfy the Article III injury-in-fact standard for cases filed in the federal courts (or in state courts that apply a similar injury-in-fact standard).  Recently, plaintiffs have been attempting to get around the standing problem by alleging that they had to incur credit monitoring fees or other out-of-pocket expenses due to a fear of identity theft.

Shannon Tan, associate corporate counsel for Raymond James Financial, Inc., in St. Petersburg, FL, recently authored an insightful article for the IAPP newsletter The Privacy Advisor, titled Supreme Court Wiretap Ruling Upholds Stringent Standing-To-Sue Requirements.  Tan’s article discusses the potential impact of the Supreme Court’s decision in Clapper v. Amnesty International USA on the question of Article III standing in civil data breach cases.  Tan points out that while Clapper is case involving alleged wiretapping by the government, it is likely to make it more difficult for plaintiffs to meet the Article III standing requirements in civil data breach cases because data breaches often don’t result in any immediate harm but only a threat of potential future harm.  A threat of harm must be “certainly impending” to satisfy the Article III standard set forth in Clapper.  This issue is exacerbated in the class action context, because even if some members of the class can prove actual harm, such as identity theft, it is a rare case where the plaintiff would have some common proof that identity theft occurred for all class members, a problem that recently doomed certification of a class action in In re Hannaford Bros. Co. Customer Data Security Breach Litigation.

Read Full Post »

Older Posts »