Just when you thought it might be safe to go back into the water, another significant data breach lawsuit may be settling. Last week, I wrote about the proposed settlement in the AvMed lawsuit. The motion for a preliminary proposed settlement in that case was granted on Friday, and a Final Hearing is set for February 28, 2014.
At the end of last week, however, the St. Louis Post-Dispatch reported that Schnuck Markets has agreed to settle a proposed class action arising from a breach of its systems (a cyber attack in which code was inserted into Schnucks’ payment system, allowing the capture of magnetic stripe data from approximately 2.4 million customers’ payment cards between December 2012 and March 2013).
The Legal Theories
The lawsuit, which is pending before a St. Louis Circuit Court, alleges that Schnucks: (1) failed to secure customers’ personal financial information, and (2) did not notify customers in a clear and timely manner that their information had been stolen.
The “failure to secure” theory is based on an argument that Schnucks did not abide by “best practices and industry standards concerning the security of its computer and payment processing systems.” This allegation should scare every corporate entity. Why? Because the phrase “best practices and industry standards” is so ambiguous and can be defined so differently depending on whom you ask. For example, is the standard best measured by the Payment Card Industry’s Data Security Standards? Perhaps it’s measured by NIST? How about ISO? Should you use some amorphous common law standard that has developed in the case law, or laws that may not directly apply to you (e.g., HIPAA if you’re not a Covered Entity or Business Associate)? Regardless of what standard you choose, it’s a moving target and changes as technology changes. In other words, compliance with the “reasonableness” standard can be both expensive and very difficult to determine.
The second legal theory (that Schnucks failed to timely and adequately notify consumers) should also cause some concern to organizations that maintain sensitive information. How did Schnucks notify its customers? According to the plaintiffs, Schnucks issued a national press release within two weeks of learning that its systems had been compromised, though they claim that no “individual notification” to class members occurred. With respect to when the notice took place, anyone who is experienced in breach response will tell you that notification within two weeks of learning of an incident involving a cyber attack is prompt. It takes time to identify the affected systems, determine the source and scope of the intrusion, identify what information was affected, learn where the individuals whose personal information was affected are located (assuming the incident even affected personal information), and confirm that the compromise has been contained so there is no threat of a live hacker moving to other areas of your information systems while you’re undertaking notification. With respect to how the notice took place, it is not clear whether Schnucks was perhaps trying to provide substitute notice under the applicable state data breach notification laws, which would have obviated the need for individual notice.
The causes of action in the Second Amended Class Action Petition are as follows:
(1) Breach of implied contract – plaintiffs claim that in providing financial data to Schnucks, plaintiffs entered into an implied contract with Schnucks obligating it to reasonably safeguard plaintiffs’ information and notify plaintiffs if the information was accessed without authorization.
(2) Violation of Missouri’s Merchandising Practices Act – plaintiffs claim that Schnucks engaged in “unfair conduct” by failing to properly implement adequate, commercially reasonable security measures to protect their personal information while shopping at Schnucks. Plaintiffs also contend that Schnucks’ failure to provide timely and sufficient notice of the breach of its computer systems was an “unfair practice.”
(3) Invasion of Privacy by Public Disclosure of Private Facts – plaintiffs also allege that the breach resulted in a public disclosure of the plaintiffs’ private information.
Plaintiffs do not claim violation of any state data breach notification law as a cause of action, despite their factual allegations that Schnucks’ notification was inadequate and untimely.
The plaintiffs seek damages for: (1) out-of-pocket expenses incurred to mitigate the increased risk of identity theft, (2) the value of their time spent mitigating identity theft and the risk of identity theft, (3) the increased risk of identity theft, (4) the deprivation of the value of their personal information, and (5) anxiety and emotional distress. These damages, for the most part, fall on the “weaker” side of the cognizable damages spectrum based on existing case law. The proposed settlement, however, attempts to limit recovery to those plaintiffs who suffered cognizable damages.
Terms of the Proposed Settlement
The terms of the proposed settlement are set forth in the parties’ motion for preliminary approval of class action settlement. Schnucks denies any wrongdoing as a term of the proposed settlement. The proposed settlement fund would provide the plaintiffs with the following relief:
- Fraudulent Charges – up to $10 for each credit or debit card that was compromised and had fraudulent charges posted on it, even if the charges were later reversed.
- Out-of-Pocket Expenses – unreimbursed out-of-pocket expenses (bank fees, overdraft and late fees), and $10 per hour for up to three hours of time spent dealing with the security breach. There would be a $175 per person cap on these expenses.
- There is an aggregate cap of $1.6 million for the above two categories. If the total claims exceed that amount, customers are guaranteed $5 for each compromised card.
- Identity Theft – up to $10,000 for each related identity theft loss, with a cap of $300,000 in total.
- Attorney’s Fees – up to $635,000 for the plaintiffs’ attorney’s fees.
- Incentive Awards – $500 to each of the nine named plaintiffs in the lawsuit.
It would be interesting to know how many members of the class can actually demonstrate the type of quantifiable and specific damages for which the settlement provides relief.
The Fat Lady Isn’t Singing Just Yet . . .
Before the case can settle, however, the court must first consider a motion to intervene that was filed by an individual pursuing a related federal lawsuit against Schnucks elsewhere. She argues that there are four pending federal class action lawsuits that arise from the same operative facts as the state court case, and the proposed settlement risks releasing Schnucks from the federal lawsuit. Ostensibly, the intervening party believes she can obtain greater relief in federal court.
Whether or not the intervening party succeeds, the proposed settlement still has value because it is another example of the types and extent of damages some defendants are willing to agree to in data breach lawsuits. It is also a glimpse into what the plaintiffs individually are being awarded as damages, and how much their lawyers are being awarded as fees. But the bigger lessons to be learned from all of this are: (1) there appears to be a standard of “reasonableness” developing in data breach cases that is amorphous and therefore difficult to comply with, and (2) when and how you notify affected individuals can be a source of potential liability in a data breach class action.
A case review is scheduled in this case for December 25, 2013. Merry Christmas.
DISCLAIMER: The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients. Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients. All of the information provided on this site is for informational purposes only. It is not legal advice nor should it be relied on as legal advice.