These days, companies rely increasingly on e-commerce and social networking to enhance sales. In the process, however, they are collecting enormous amounts of personal consumer data that may be vulnerable to security breaches. The costs of those breaches can be high. Companies that fail to adequately protect consumer data may be subject to Federal and State regulatory investigations, as well as civil lawsuits. Just yesterday, in fact, Sony announced that it had suffered a massive security breach in connection with its popular PlayStation Network, which has already led to a class action lawsuit. Companies that experience data security breaches can also suffer crippling public relations blows and loss of consumer confidence. While most regulatory efforts focus on the loss of financial data, such as bank account numbers and passwords, consumers can get just as riled up over the loss of less sensitive information, such as user IDs and e-mail addresses. Now, a recent federal case in California may make it easier for consumers to sue companies for those losses.
Claridge appeared to suffer no measurable damage from the breach, because the hackers apparently did not use Claridge’s personal data for nefarious purposes such as accessing his bank accounts, stealing his identity, or destroying his credit rating. So RockYou filed a motion to dismiss based, in relevant part, on Claridge’s lack of standing under Article 3 of the U.S. Constitution. (In order to sue someone in federal court, you have to allege that you suffered an “injury in fact” – that is, a “concrete, tangible, non-speculative harm or loss.”) Not to be deterred, Claridge argued that his personal information was “valuable property” that he exchanged for RockYou’s products and services, as well as its promise to safeguard that information. While recognizing this was a “novel theory of damages” and expressing “doubts about [Claridge’s] ultimate ability to prove his damages,” the court denied the motion to dismiss, refusing “to hold at this juncture” that Claridge had failed to allege an “injury in fact.”
It is too early to predict whether other federal judges will follow Judge Hamilton’s lead and hold that the mere loss of personal information – without more – will suffice to establish “injury in fact.” If this “novel damages theory” becomes a popular trend, companies may find it harder to dispose of weak claims at the pleading stage, adding yet another element to the rising cost of security breaches.
What is clear is that companies cannot ignore the importance of protecting consumer data and responding quickly to security breaches. As an initial step, companies should review their online privacy policies to ensure they are keeping their promises to protect personal data.