Data breach lawsuits can be supported by several legal grounds, and plaintiffs can claim various damages.
Legal Grounds for Data Breach Lawsuits:
- Negligence: Plaintiffs can claim that a company failed to adequately protect their data, breaching a duty of care and causing harm. For example, the Change Healthcare data breach litigation includes negligence claims that the company failed to implement proper security measures.
- Breach of Contract: If a company violates its terms of service or privacy policies that promised to protect user data, it can be sued for breach of contract. The Change Healthcare case also includes such allegations.
- Breach of Warranty: These claims arise when a product or service fails to perform as promised, especially concerning security features or data protection.
- Breach of Fiduciary Duty: If there is a special relationship of trust between the company and the consumer, and the company fails to protect their data, a lawsuit can allege breach of fiduciary duty. For example, the Keenan & Associates data breach case includes allegations of breach of fiduciary duty.
- False Advertising: Companies can be sued for misrepresenting their data security practices or privacy protections. The FTC charged Twitter for using account security data for targeted advertising, requiring them to pay a $150 million penalty for misrepresenting their practices.
- Unfair or Deceptive Trade Practices: Plaintiffs can invoke state consumer protection laws, alleging that a company’s data security practices were unfair or deceptive. Many data breach cases, including the Change Healthcare litigation, include these claims.
Damages Plaintiffs Can Claim:
- Unauthorized charges
- Damage to credit
- Cost of credit monitoring
- Cost of replacing credit cards
- Time and expenses incurred to investigate the breach
- Emotional distress
- Identity theft: Plaintiffs may be able to claim damages from identity theft resulting from a data breach.
- Financial fraud: Plaintiffs may seek compensation for financial fraud resulting from a data breach.
In addition to the above, some courts have also considered the “increased risk of identity theft” as a basis for standing in data breach cases. For example, the Seventh Circuit Court of Appeals held that the theft of debit and credit card information conferred standing to sue due to the increased risk of identity theft. Some courts have held that the risk of future identity theft is too speculative unless actual identity theft has already occurred. Additionally, some courts have found that a violation of the Fair Credit Reporting Act (FCRA) can give rise to standing even without economic or tangible harm. However, it is important to note that the legal landscape is still evolving and these decisions may vary by jurisdiction.
It’s important to note that while many lawsuits are filed, not all result in wins for the plaintiffs, and many cases are settled out of court or dismissed for lack of standing.
Suing a company pro se (representing yourself) for a data breach and collecting a substantial settlement is challenging but possible. Here’s a step-by-step guide on how to proceed:
Determine Your Standing
Before filing a lawsuit, ensure you have standing to sue:
1. Confirm you were affected by the data breach.
2. Gather evidence of harm, such as financial losses, identity theft, or emotional distress. Establish a connection between the breach and your damages.
Prepare Your Case
1. Collect all relevant documents, including breach notifications, financial records, and correspondence with the company.
2. Research applicable laws, such as state data protection regulations and the Federal Trade Commission Act.
3. Draft a complaint outlining the facts, legal basis for your claims, and damages sought.
File the Lawsuit
1. Determine the appropriate court (usually federal court for large data breaches).
2. File your complaint and pay the required fees.
3. Serve the complaint to the defendant company.
Navigate the Legal Process
1. Respond to any motions filed by the defendant, such as motions to dismiss.
2. Participate in the discovery phase, exchanging evidence with the defendant.
3. Prepare for and attend pre-trial conferences and hearings.
Pursue Settlement
Most data breach cases are resolved through settlements. To increase your chances of a substantial settlement:
1. Build a strong case demonstrating clear negligence or fault by the company.
2. Document all damages thoroughly, including financial losses and emotional distress.
3. Be prepared to negotiate, but don’t accept the first offer if it’s inadequate.
Consider Alternative Resolutions
1. Look into class action lawsuits related to the breach, which may offer easier access to compensation.
2. Explore arbitration or mediation as alternatives to a full trial.
Be Realistic
While pro se litigation is possible, data breach cases can be complex. Companies often have substantial legal resources, making it challenging to secure a large settlement without legal representation. Consider consulting with an attorney or legimate council, even if only for initial guidance.
Remember, the success of your case depends on the specific circumstances of the breach, the strength of your evidence, and your ability to navigate the legal system effectively.