In the majority of US states, mandatory data breach notification legislation requires organisations that suffer data security breaches to notify regulators and affected individuals where there has been an unauthorised disclosure of personal information. Since the first of these laws was introduced in 2003, there has (until recently) been a significant amount of class action litigation against companies involved in such breaches.
These mandatory breach reporting laws have facilitated class action activity in two ways: the notice gives claimants early warning of a breach, and it helps identify the affected class of individuals. Plaintiff firms often launch claims within days (and in some cases, hours) of a breach being notified. In extreme cases, the overall financial and reputational costs of such breaches have been significant (such as an estimated $216 million in the case of the TJX Companies Inc breach, which affected over 45 million customers, and over $100 million in relation to the Heartland Payment Systems Inc breach, which involved the theft of the details of approximately 100 million credit cards).
However, all this changed in early 2013 with the US Supreme Court decision in Clapper v. Amnesty International USA (the “Clapper decision”), which has raised the barriers to commencing a successful class action for a breach of data security. Courts have dismissed the vast majority of data breach class actions since this decision was handed down.
The Clapper decision involved a challenge to an amendment of the US Foreign Intelligence Surveillance Act which allowed the Foreign Intelligence Surveillance Court to authorise the US government to undertake surveillance without the need to establish probable cause that the target is an agent of a foreign power. The plaintiffs (who included journalists and human rights activists) argued that, because their work involved sensitive telephone and email communications with individuals who would most likely be targeted for surveillance, their own communications would likely be intercepted in future. They claimed this had already injured them, since they had to take onerous steps to protect their communications from future surveillance (such as travelling overseas to conduct meetings in person).
The Supreme Court dismissed the claim on the basis that the plaintiffs failed to meet the ‘standing’ requirement of Article III of the US Constitution, which requires a plaintiff to have suffered a concrete injury in fact before a claim can be brought. The Court held that the possibility of future harm is insufficient to establish standing unless the injury is ‘certainly impending’, and that costs voluntarily incurred in response to a feared future harm cannot be used to manufacture the requisite ‘injury’.
This decision has since been relied on by defendants in data breach claims to argue that plaintiffs lack standing because they have not suffered any injury as a result of the breach. For example, in In re Science Applications International Corp. Backup Tape Data Theft Litigation, an employee of a company which handles data for the US Government had their car broken into, with the thieves taking backup tapes containing personal and medical information of US military personnel and their families (in addition to the employee’s GPS unit and car stereo). Despite the theft, the court held that the mere loss of data, without evidence that it had been either viewed or misused, did not constitute an injury sufficient to confer standing.
Standing post-Clapper: Parallels to Australian law and implications for future data breach class actions
Under Australian law, standing may be established where a person has a ‘real interest’ in bringing a claim. The issue of standing was recently considered in the context of class actions in Melbourne City Investments (“MCI”) v WorleyParsons Limited. MCI, which had purchased approximately $700 worth of shares in WorleyParsons, sought to bring representative proceedings concerning the publication by WorleyParsons of allegedly misleading financial forecasts of increased earnings.
The Supreme Court of Victoria found that MCI lacked standing to bring representative proceedings as lead plaintiff because it had no real interest in the proceedings: MCI had purchased its shares before the forecasts were published (and had not sold them), and it sought only declaratory relief on its own behalf while seeking damages for the rest of the class.
As with the Clapper decision, the MCI case demonstrates that without an actual claim of loss, plaintiffs will have difficulty establishing standing to bring representative proceedings in data breach claims. Accordingly, for future proceedings to have any likelihood of success, it is essential that a suitable representative plaintiff is selected; ie, one who has suffered economic loss as a result of the relevant data breach.
The selection of the representative plaintiff is also evidently of importance to a defendant, given Australia’s relatively plaintiff-friendly class action regime. In particular, plaintiff classes can be broadly defined by reference to certain characteristics (eg, people who have been customers of a particular company and who had their personal information disclosed), with every person who falls within the class definition automatically becoming a member of that class unless they notify the court that they wish to opt out. Coupled with the requirement that there need only be one substantial common issue of law or fact between class members (rather than requiring common issues to predominate over the circumstances of particular individuals, as in the US), it can be difficult for defendants to test whether other members of the class are in fact in the same position as the representative plaintiff.
Unlike in the US, Australian companies are somewhat shielded from the prospect of facing data breach class actions because there are presently no mandatory data breach reporting obligations in Australia, meaning potential plaintiffs (or entrepreneurial lawyers) are less likely to learn of a breach. That said, legislation imposing such a regime (the Privacy Amendment (Privacy Alerts) Bill 2014 (Cth)) was introduced on 20 March 2014 and is currently being considered by the House of Representatives. Whilst the Coalition has previously expressed in-principle support for mandatory data breach notification, it has raised concerns that there has been insufficient consultation and discussion in the current process, which may impede the Bill’s passage.
With respect to the actual prospects of a breach occurring, the Ponemon Institute recently estimated that there is an 18% chance of one or more ‘data breach occurrences’ involving at least 10,000 records occurring within the next 24 months in Australia. For a serious breach (ie, one involving 100,000 records or more), the estimated likelihood is less than 1%. Overall, by taking practical steps to avoid data breaches in the first place (such as ensuring that security controls are adequate, kept up to date and regularly tested), companies can manage the legal risk of class actions in this area.