Lawsuits for Data Breaches: Useless or Strategic?

Solove published an interesting piece today entitled: “Why Do Lawsuits for Data Breaches Continue Even Though the Law Is Against Plaintiffs?” He explains that while the U.S. law has been far from kind to plaintiffs in data breaches (most courts dismiss claims for lack of harm), lawsuits keep coming.

We have a similar situation in Canada: these types of lawsuits will often be dismissed for lack of harm. The federal courts have not awarded any real damages since PIPEDA came into force. Since 2004, only a few decisions have been issued by the Federal Court, in which—except for one case in 2013 in which the Federal Court awarded 20,000$ (Chitrakar v. Bell, which even included punitive damages)—there have been either no damages or small amounts awarded in damages.

Many class action lawsuits are also dismissed at the authorization stage for lack of harm. I have blogged recently about the Investment Industry Regulatory Organization of Canada (IIROC) 2013 security breach (the loss by IIROC of a non-encrypted laptop containing detailed information on clients of 32 firms and 52 000 individuals). While a privacy class action was filed in Quebec, claiming 1000$ per affected individual, it was not authorized, in part because of the lack of harm. This is consistent with previous decisions on the same issue: ordinary annoyances and anxieties (fear of identity theft) are often not considered harmful enough. If there is evidence of some type of financial harm, for instance, if following the security breach there is evidence of identity theft such as in Larose c. Banque Nationale du Canada, this will usually play in favor of an authorization.

Solove refers to an article authored by Sasha Romanosky, David A. Hoffman, and Alessandro Acquisti entitled: “In Empirical Analysis of Data Breach Litigation”, in which the authors analyzed court dockets on more than 230 U.S. federal data breach lawsuits over a ten-year period (2000 to 2010). The article provides interesting stats which may explain why data breach lawsuits keep coming even if many courts may dismiss these claims for lack of harm: 76% of data breach lawsuits are filed as class actions (i.e. more money at stake), and data breach lawsuits lacking actual harm or class certification are almost as likely to reach settlement as dismissal (50/50 chance). For some, this may well be worth the gamble!

This content has been updated on September 15, 2014 at 20 h 39 min.