Can Companies Pre-Emptively Avoid Class Action Suits from Massive Data Breaches? (A Blog Series)
The usual narrative leads to a class action lawsuit brought on behalf of all victims of the breach, who can easily number in the millions. For the most part, these class action lawsuits have been summarily dismissed because plaintiffs have not been able to show that they’ve been damaged. After all, if credit card information, for example, has been stolen, the old account is put on hold, a new one is issued, and the account holder won’t have to pay for fraudulent charges. The companies that have suffered data breaches usually offer credit monitoring services free of charge to the victims.
However, a recent decision by a federal appellate court in Florida could change the trend. In that Florida case, a medical provider’s laptops containing customers’ personal information were stolen. Information from one customer was used to open fraudulent bank and credit accounts. The case was initially dismissed by the trial court early on, but on appeal, the higher court reversed, holding that the allegation that the company charged its customers fees, which should have been used to properly secure the data but weren’t, amounted to unjust enrichment on the part of the company. Once back in the trial court, this opened the door to a $3 million settlement in March. Conventional wisdom says that in a class action suit, the lawyers benefit the most, and this case didn’t buck the trend. Each breach victim received up to $10 for each year they paid the company, up to a maximum of $30. In short, the massive number of potential plaintiffs in large data breaches will continue to be attractive to lawyers willing to risk potential dismissal for a very large settlement, even if the actual victims receive very little individually.
But conversely, how many breach victims would individually pursue a case? If at best an individual breach victim can only show that she was temporarily put out by having to monitor her credit and obtain new cards, for instance, would it be worth pursuing? Without class actions, a company’s exposure to damages following a massive data breach could be significantly reduced, while at the same time, the actual breach victims are left no worse off. Already, larger companies have recognized this and have placed into user agreements the requirement that customers waive any participation in class actions and pursue claims only by individual arbitration or small claims actions. In time, it may come as no surprise that insurance companies that issue policies covering data breaches will require that similar agreements be put in place before insuring the company.
As consumers, we’ve clicked on the “Agree” button countless times to get to our online streaming movies, purchases and gaming, with hardly an afterthought. After all, nobody is inclined to go through all the fine print before continuing what has now become as common as watching TV or speaking on the phone used to be. But if we take a look at some of the user agreements many of us have likely clicked on already, we’ll see that we’ve agreed to not participate in any class actions and pursue claims only through individual arbitration or small claims court.
Not long after a massive data breach of an online gaming service was disclosed several years ago, Microsoft made all of its Microsoft Live gaming subscribers agree to a new user agreement before being permitted to use its services. The agreement in part presently states that the user may bring a claim in small claims court or binding arbitration, and that, “Neither you nor Microsoft will seek to have any dispute heard as a class action, private attorney general action, or in any other proceeding in which either party acts or proposes to act in a representative capacity.” Microsoft’s standard Services Agreement, covering Hotmail, Microsoft accounts, Windows Live Messenger, Bing, Office.com and other “Microsoft branded services,” has similar terms.
It should be noted that when both companies first added these provisions to their terms of usage around 2011, they explicitly stated that the class action waiver did not apply to California residents. At the time, California law considered such waivers to be unconscionable and illegal. But this changed when the Supreme Court, in its 2010 decision in AT&T Mobility LLC v. Concepcion, held that arbitration and class action waiver agreements are contracts that must be enforced as such. We’ll discuss this decision in our next segment.