As we look to 2008, I foresee the most prominent issues facing privacy and security litigation to be the "No Damages" barrier, statutory damages class actions and federal standards of care in state negligence actions. First, will the TJX cases (or some other new set of cases) get plaintiffs over the "damages" hurdle in a class action case? To date, plaintiffs in privacy and security cases—typically those seeking class certification for security breach claims—have been stymied by an inability to allege actual damages. Initially, this "no damages" barrier arose in a privacy notice case, where a company did not live up to the standards stated in its notice—but no one seemed to be harmed merely by a misstatement (even an intentional one) in a privacy notice. More recently, courts have been reluctant to find damages in connection with security breaches, even in situations where (some) plaintiffs have alleged actual injury through the payment of costs related to activities undertaken in response to the fear of identity theft. Absent actual identity theft—which most plaintiffs cannot show—courts, for the most part, have not let security breach class action cases move forward. Will the ongoing TJX cases—which appear to be based on real security weaknesses and an orchestrated effort to obtain consumer billing information—change this approach? So far, they have not, although some cases are still percolating through the courts. Will some other case get over this hurdle?
Second, I want to see how courts handle the variety of cases asserting violation of the FACTA rules on the "truncation" of credit card numbers on retailer receipts. Across the country, class action lawsuits have been filed against retailers and others who allegedly failed to drop the expiration date from receipts provided to customers. The creative plaintiffs' attorneys in these cases are trying to get over the "actual damages" hurdle by asserting willful behavior—in which event, statutory damages are available. To date, most courts seem to recognize that class certification (in the words of one court) would bring "ruinous" damages upon defendants, and that no real harm can be found. These cases clearly have a long way to go. Moreover, there is some noise in Congress about a legislative solution that would eliminate these suits. If any of these cases results in a substantial verdict—based on a regulatory failure with no allegations of real harm whatsoever—then plaintiffs' lawyers may start looking harder at whether privacy and security cases can result in the pot of gold at the end of the litigation rainbow.
Third, I'm watching whether the "standard of care" argument made in the North Carolina case of Acosta v. Bynum, 638 S.E.2d 246 (N.C. Ct. App. 2006) becomes a trend. The case raised the possibility that a failure to meet a privacy or security regulatory standard could constitute negligence for purposes of a traditional negligence lawsuit. While this decision doesn't address the "damages" issue (which, frankly, is less of an issue in "individual harm" cases), it does provide a means for plaintiffs to find a way to sue even for violations where the relevant regulations themselves provide no private cause of action.
If any of these issues results in big plaintiff successes, we can expect a much more aggressive and extensive set of privacy and security lawsuits in the years to come.