First Tuesday Update is our monthly take on current issues in commercial disputes, international arbitration, and judgment enforcement.

Legislative solutions to problems associated with cybersecurity and data privacy are not new, but a recent trend should be of concern to companies doing business in the United States. A small but increasing number of state laws seek to dispense with the requirement that aggrieved consumers must show harm in order to maintain a claim based on a data breach or other privacy violation. If it continues, this trend will encourage data breach and privacy lawsuits, particularly class actions, by permitting plaintiffs to seek statutory penalties in the event of a breach, without proving they were actually harmed.

One strategy for protecting your company against these "harm-less" data breach and privacy claims is to ensure that such claims must be arbitrated on an individualized basis, without any class action or other aggregation of claims.

One of the most significant hurdles facing plaintiffs who allege data breach and privacy claims has been the common law requirement to show harm caused by the incident in question. For many reasons, it is difficult to prove a particular incident caused harm to a specific plaintiff. Sometimes, the plaintiff has not been harmed at all (at least not in the legal sense) because he or she has not yet become a victim of identity theft or some other fraud. Additionally, the frequency with which data breaches occur across many consumer-facing industries may effectively prevent attribution of blame to any particular breach.

US courts may be warming to arguments for lowering the harm hurdle, as exemplified by a recent decision in the Northern District of Georgia permitting plaintiffs to proceed with data-breach claims against Equifax and finding legally cognizable harm based on allegations that plaintiffs had "to take measures to combat the risk of identity theft," that some theft had "already occurred to some members of the class," that plaintiffs expended "time and effort to monitor their credit and identity, and that they all face a serious and imminent risk of fraud and identity theft." See In re Equifax, Inc., Customer Data Security Breach Litigation, MDL Dkt. No. 2800, 1:17-md-2800 (Order dated Jan. 28, 2019).

But in the meantime, some states have taken it upon themselves to give a legislative boost to plaintiffs claiming misuse of their personal information or other violations under state data breach and privacy laws. For example, the Massachusetts Senate is considering comprehensive privacy legislation (SD 341) that, like Illinois' Biometric Information Privacy Act (BIPA), creates a private right of action without the need to prove actual damage beyond a violation of the act itself. Specifically, the legislation provides that a violation constitutes "injury in fact" and "the consumer need not suffer a loss of money or property as a result of the violation in order to bring an action." Penalties are set at the greater of $750 per incident or actual damages and include an award of attorney’s fees to successful plaintiffs, all of which can add up quickly when a breach or other violation impacts thousands of residents.

One strategy for companies to consider in this context is arbitration, which has long been favored as a matter of US policy. Importantly, arbitration can be required on an individualized basis, thereby precluding class and collective actions that seek to aggregate claims for relief. See Epic Sys. Corp. v. Lewis, 138 S. Ct. 1612 (2018). Thus, arbitration offers a way to decrease the potential for contentious and costly litigation by requiring putative plaintiffs to proceed individually, rather than pooling small claims into one large claim with a commensurate threat of a large award of attorney's fees to plaintiffs' counsel.

For companies that deal directly with consumers, there are several approaches to consider with the advice of outside counsel. It may be possible to include an arbitration clause as part of a dispute resolution provision in the terms of service or as part of the process that consumers engage in when purchasing goods and services. Whatever avenue you choose, we suggest three important points to keep in mind:

  • Use clear terms: be explicit and specific in your language. Avoid unnecessary jargon or prose. Leave no doubt that arbitration, and only arbitration, is the mechanism for resolving disputes.

  • Use fair and reasonable terms: avoid one-sided terms or terms that put consumers at a disadvantage. Consider paying the arbitrator costs and agreeing to a neutral forum that will be convenient for your customers.

  • Address class claims specifically: ensure that the arbitration clause uses specific language requiring individualized arbitration and prohibiting claimants from proceeding as a class or otherwise aggregating claims.

Arbitration is not suited to every company or every situation. But in a world of unpredictable and evolving state laws, it may provide a hedge against mounting litigation risk under those laws.