Since the first data breach class actions were filed, complaints were often dismissed (and decisions affirmed by appellate courts). Courts found that an alleged increase in risk of future harm was insufficient to allege actual injury and plaintiffs lacked Article III standing. While other courts found standing, these courts held that alleged out-of-pocket expenses related to the breach (including the money spent to prevent identity theft) were not recoverable damages (unless plaintiffs could show that criminals had an interest in the data at issue). While class action plaintiffs were rarely successful in obtaining any recovery, change may be coming.
The United States Court of Appeals for the First Circuit held recently that out-of-pocket mitigation costs (such as credit insurance and fees associated with new credit cards) were reasonably foreseeable expenses and, therefore, were legally cognizable damages. Anderson v. Hannaford Bros. Co., Nos. 10-2384, 10-2450 (1st Cir. Oct. 20, 2011). The Hannaford decision from the First Circuit should serve (and has served) as a wake-up call for those companies storing personally identifiable information.
On December 16, 2011, Ron Raether was interviewed by Tom Field of the Information Media Group about this recent decision and what it means to future breached entities and their customers. Ron counsels that “companies need to take more care with their data breach response plans in terms of who actually needs to be provided notification.” Ron discusses the significance of this recent decision and provides practical advice for organizations about their breach preparedness in 2012.
Read the article and listen to the interview http://www.bankinfosecurity.com/interviews.php?interviewID=1321.