Published by Al Saikali

September 2011

A data breach can result in the exposure of private customer information (credit card information, social security numbers, email addresses, etc.) to unknown third parties who may fraudulently use that information.  In instances where the information is used fraudulently, the customer suffers a harm that can usually be quantified or measured in some way.

But what happens when the harm to the consumer is harder to quantify?  Does a plaintiff have the necessary standing or harm to bring a lawsuit?  More specifically, does the customer’s private information have its own separate, inherent value that is diminished by the data breach?

At least one federal District Court recently addressed these issues and determined that yes, the private information a consumer provides a company in exchange for the company’s services may have its own inherent value for the purpose of determining whether the plaintiff has suffered harm.

In Claridge v. RockYou, Inc., the plaintiff, Mr. Claridge, was informed by the defendant, RockYou, a developer of applications for social networking sites, that his personal information, including his email address, passwords, and login credentials for social networks like MySpace and Facebook, might have been compromised through a security breach.  Claridge filed a class action lawsuit against RockYou based on the data breach. RockYou moved to dismiss, arguing that Claridge lacked standing and suffered no injury as required for the underlying causes of action.  Claridge responded with “a novel theory” that he paid for RockYou’s services by providing his private information, and that the private information is inherently valuable.  He argued that as a result of the breach, RockYou caused plaintiff to suffer diminished “value” of his private information.

The court expressed its “doubts about plaintiff’s ultimate ability to prove his damages theory” but it nevertheless rejected RockYou’s standing argument, reasoning that there was no controlling authority one way or the other regarding the legal sufficiency of Claridge’s damages theory.  The court noted that “the context in which plaintiff’s theory arises—i.e., the unauthorized disclosure of personal information via the Internet—is itself relatively new, and therefore more likely to raise issues of law not yet settled in the courts.”  The court did, however, dismiss several of Claridge’s counts for failure to allege the more particularized injury required for those causes of action.

The RockYou decision is important for a number of reasons, including that it appears to be one of the first to address this issue of valuing private information.  It is unclear whether RockYou will start a new trend or be an outlier, but it will be interesting to look back several years from now to see what sort of impact it has had on the development of data security law.

 

DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.

Some of the most alarming statistics concerning data breaches relate to how frequently they occur, who is suffering them, and the cost such breaches impose on their victims.

According to a recent survey of 583 IT practitioners (more than half of whom were employed by organizations with more than 5,000 employees), 90% of organizations had suffered at least one data breach in the last year, and 59% said they suffered two or more breaches in the last year.  The cost can be staggering.  According to one study, the average organizational cost of a data breach in the United States was $7.2 million, and breaches cost companies an average of $214 per record compromised.

If nothing else, these statistics tell us why businesses of any size should care about this issue – data breaches are happening to almost everyone, they’re happening now, and they’re expensive.  Technology is making the world increasingly “flat.”  It is easier to disseminate large quantities of data in shorter periods of time over larger geographical areas.  There is no sign that this trend will reverse itself.

So we should probably assume that as a result, more and more organizations will become susceptible to data breaches. In addition, as the security threats increase and become more complex, the costs associated with defending against such threats will also increase.  Based on the above studies, it appears that larger organizations are no more immune to such attacks simply because of their size.

What steps are you taking to protect yourself?  What policies and preventative measures is your company taking to minimize the risk of a data breach and, as a consequence, the exposure of its customers’ private information to the outside world?

 
