Data Theft Damages: Who Pays?

By Dawn Causey, Thomas Pinder and Andrew Doersam

When it comes to data breaches, the hack of the archaic Myspace—the failed social media platform that was rendered obsolete by Facebook—proves nothing is safe. After Time Inc. acquired Myspace earlier this year, it discovered that in June 2013, a hacker named “Peace” stealthily stole username and password information from 360 million accounts.

The question posed by this particular breach is simple: did it matter? Was anyone injured as a result of the breach and, if so, did Time Inc. have cyber insurance that covered it? These are the same questions financial institutions of all sizes should ask themselves when confronted with a data compromise, whether it is their own data or that of some other vendor or merchant.

Companies spend approximately $2 billion annually on cyber insurance premiums, with varying degrees of success, as reflected in current case law. For example, Medidata, a research technology company, sued its insurer for failing to cover $4.8 million in losses caused by an email scam that impersonated the company’s CEO. The email included the CEO’s picture and a “cc” to a pseudo attorney. After several email exchanges and phone calls with the scammers, a Medidata employee transferred $4.8 million to an account in China. The insurer argued that its $5 million policy only covered hacking, not voluntary transfers of money. In March, the judge ordered more discovery and refused to issue a ruling, finding the record insufficient regarding the manner in which Medidata’s database was compromised.

P.F. Chang’s 2014 data breach resulted in a mixed outcome from its insurer. While P.F. Chang’s recovered $1.7 million for claims directly resulting from the data breach, the insurer refused to reimburse an additional $2 million in fees and assessments charged back by MasterCard to its payment processor, BAMS. An Arizona federal court sided with the insurer and denied P.F. Chang’s claim for reimbursement. The court ruled that the contractual liability exclusion barred recovery because P.F. Chang’s agreed that its credit card acquirer could charge back the credit card brand costs and assessments.

Depending on the nature of the breach, victims may find it difficult to demonstrate any actual harm resulting from their compromised information. Potential data breach plaintiffs, such as the former Myspace users, commonly claim they have standing to sue based on the risk of possible injury and the expenses incurred dealing with that risk. Although most of the Myspace accounts were dormant, many of the users may still be using the same or similar username and password combinations on other websites. However, the Supreme Court’s recent decision in Spokeo v. Robins made clear that plaintiffs who claim statutory violations but have not suffered any real harm do not have standing.

Although Spokeo did not involve a data breach, the Court examined the level of harm required for a successful pleading. The Court held that a plaintiff must allege an injury that is both concrete and particularized—in other words, real and tangible. Although the risk of real harm may satisfy the concreteness requirement, the Court explained that bare allegations of a statutory violation, such as the publication of an incorrect zip code, would not qualify as a concrete injury. This new standard was recently applied by a Maryland federal court in Khan v. Children’s National Health System. That court ruled that plaintiffs must allege an injury showing actual or intended misuse of personal data for identity fraud in order to sue.

Case law concerning data breaches is evolving. Insurance coverage cases are becoming more frequent and underscore the need for a clear understanding of what is and what is not covered. On the other hand, the mere occurrence of a breach is not an automatic payday for plaintiffs. Real, demonstrable harm is required. Are we Myspace accountholders truly injured consumers or just remnants of outdated technology? Time will tell.

Dawn Causey is general counsel at ABA, where Thomas Pinder is SVP for litigation and Andrew Doersam is a paralegal.