Slashdot Mirror


Judge Tosses Class Action Over Michaels Data Breach Citing Lack of Damages (digitalguardian.com)

chicksdaddy writes: Data breaches have become so common that they've taken on a kind of formality. One of the phrases that often accompany such incidents goes something like this: "[Company X] has no evidence that any of the stolen information has been used inappropriately." Or you might read that "there is no evidence of fraud linked to the stolen data." Such assurances are generally interpreted as wishful thinking. But when courts are asked to weigh in on the question of damages resulting from cyber incidents in civil suits, the question of what harm resulted from the incident is very different – and very real. To put it simply: if nobody can prove harm resulting from a cyber incident, a company can't be held liable for those damages.

That fact was underscored again late last month, when a federal judge in U.S. District Court for the Eastern District of New York dismissed a class action suit against arts and crafts giant Michaels Stores that was filed in the wake of that company's widely-reported data breach. As part of her ruling, the judge, Joanna Seybert, cited a legal precedent set by the recent Supreme Court ruling in "Clapper v. Amnesty International," concluding that the plaintiffs hadn't proven that any harm resulted from the Michaels breach. "Simply put, Whalen has not asserted any injuries that are 'certainly impending' or based on a 'substantial risk that the harm will occur,'" Seybert wrote in her decision, referring to Mary Jane Whalen, the Michaels customer in whose name the class action suit was filed. "Thus, Whalen's claims are DISMISSED WITHOUT PREJUDICE for lack of subject matter jurisdiction," Seybert concluded.

This isn't to say that Whalen or other Michaels stores customers were not the target of fraudsters. In fact, Whalen's attorneys presented evidence that her stolen credit card (or a clone of it) was presented for payment fraudulently in Ecuador: at a local gym and at a venue that sold concert tickets. But regulations in the U.S. exempt consumers from paying the cost of credit card fraud, and Whalen wasn't asked to pay any unreimbursed charges as a result of the fraudulent use, the court noted. Whalen's other attempts to establish "costs" associated with the breach were also disregarded. They included the cost of credit monitoring services and the cost (in time and effort) to obtain replacement cards, the intrinsic value of her credit card information and the risk of future fraud tied to the theft of her credit card data.

10 of 138 comments

  1. Court was right by vux984 · · Score: 4, Insightful

    The court was right in my opinion. The breach is bad, but showing concrete material damages (outside of copyright infringement suits) is a usual requirement. If the plaintiffs couldn't show they were harmed, Michaels doesn't need to make them whole.

    There is still potential for various other types of lawsuits to succeed; PCI compliance, or criminal negligence, etc.

    1. Re:Court was right by vux984 · · Score: 2

      Sorry to reply to my own post, but for example the credit card companies CAN show direct harm, and could potentially sue Michaels for damages (or just fine them through the existing contractual agreements) for any losses they incurred as a result. (And that goes back to my earlier comment about PCI compliance penalties, etc.)

    2. Re:Court was right by Wootery · · Score: 4, Interesting

      The broader question is whether this is how it should be.

      With the law as it stands, companies aren't well motivated to prevent breaches. They lose a bit of face, but that seems to be all.

    3. Re:Court was right by KGIII · · Score: 2

      Hmm... Has anyone tried asserting that the loss of personally identifiable data (or even financial data) is, in fact, enough to be harmful in and of itself? Add to that the loss of financial information - even if no direct financial harm has come, it is both stressful and a loss of privacy, as well as requiring one to take action - and, it seems to me, there's a good, viable justification for standing.

      The demonstrable harm would be, in those cases, the concern, the loss of data, and the need to take action as well as remain vigilant. They are actual, viable impacts and are certainly not absolved away by saying that there is no standing. Yet, strangely, in all the cases that I've looked at, nobody seems to have really argued this. Those are truly demonstrable harm. If they had to change one password, cancel one credit card, or even worry in the slightest, then they have been harmed.

      I'd also like to think the credit issuers would have cause. Even better, it's a civil matter so the burden of proof is much lower (things like jurisprudence and preponderance of evidence) so I'd think that harm could be shown and a finding for the plaintiff fairly easy to come by. Yet, strangely, I have read a few (not this particular case) and nobody has seemed to argue this. Even just the slightest of action, just one extra step, just one worry - is harm...

      Two things...

      I'm not normally sue-happy and think many civil cases end up being just plain silly but this matter has been going on for a while and there haven't been many meaningful repercussions handed down. Setting precedent might be nice - I'm not suggesting that the defendants should owe hundreds of millions of dollars because someone had to lock their credit down.

      I am not, by any means, a lawyer but I have spent some time in court, read a bunch of findings, briefings, etc, and try to spend some time just going to the courts and observing them because I feel that such is my duty. The courts are our easiest to access branch of the government if we want to make changes. I observe the courts, as I feel it is my duty, and if I find a problem then I use my freedom of speech/press to make others aware of this problem (perhaps like this post) and firmly believe that this is a part of the social contract that we citizens have failed to uphold.

      As Wootery says below my post - is this how it *should* be? As near as I can tell, there was harm. It may be minimal harm but that's for a jury to decide. They should have standing and they should be allowed their day in court. I think this can be appealed (the finding of no demonstrable harm) and a higher court might decide they have demonstrated harm and thus have standing and chuck it back down for them to actually put it in front of a jury.

      Someone has to set precedent so that when really bad things do happen there is recourse for the victims. I have a notice that says my data was, indeed, in the OPM hack. I have a lawyer on retainer. I should have him look into it - it might be kind of fun, I could even present it myself with, of course, counsel to assist. Unfortunately, I've a very busy year coming up. Still... Someone's gotta try making a reasonable argument to the judges and, from what I've seen, they're not really giving the judge reason to believe there's harm. I'd argue that differently or, more accurately, ask a lawyer and see if it's a viable option to argue it differently.

      Thoughts? There are a couple of lawdogs here. raymoris perhaps?

      --
      "So long and thanks for all the fish."
    4. Re:Court was right by hey! · · Score: 2

      Yes, showing concrete damages is the usual requirement, so the judge is technically correct, which he has to be. But that doesn't mean that the plaintiffs haven't been harmed. People don't steal private information to do harmless things, and exposure and the uncertainty that comes with it inflicts harm as well -- we just can't precisely quantify that harm.

      The legal system in effect sets a conventional amount to the value of harm it knows happened but can't quantify, and that value is $0. And that's arguably the right general convention to use; it keeps the courts from being clogged with speculative lawsuits. But it doesn't mean that it's the right conventional amount in these kinds of situations. In effect Michaels gets off with simply having to do what it ought to have been doing all along; it shifts the risk of its practices onto its customers, and we know from economics that risk has real monetary value. This is to say nothing of the distress and time the uncertainty over exposure costs the customers.

      So $0 in this case is quite demonstrably unjust, even if we can't put a precise dollar figure on that injustice. Fortunately there's a solution to this: the legislature can set a conventional amount of damages for a particular kind of situation that is greater than $0; this is called "statutory damages". This amount should be set, not necessarily to cover all the potential damages suffered by victims, but at least to force companies to bear some of the financial risks of their sloppy practices. Let's say we set the amount of statutory damages at $20; not much from the victim's standpoint, I know. Multiply that by three million customers, and we're talking sixty million dollars. That's a lot of money, well worth hiring some security experts to audit your system to avoid, but according to Michaels' most recent 10Q they have over a billion dollars in current assets that could be liquidated to cover that sixty million; in fact fifty million of that is in cash.

      So clearly it is possible to set statutory damages at a level which will strongly incentivize companies to act more responsibly without destroying them financially over speculative damages.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  2. Re:US banks deserve a spoonful of their own medici by phantomfive · · Score: 3, Informative

    At this point merchants are starting to give me the stink-eye for not having a C&P card as they now have to pick up the tab for fraudulent transactions.

    They don't have to pick it up... if the bank hasn't sent you a C&P card, but the merchant has a C&P card reader, then it's up to the bank to pay for fraud.

    --
    "First they came for the slanderers and i said nothing."
  3. Define 'Damage' by PPH · · Score: 2

    Hint: It doesn't always have to be monetary.

    What about the psychological damage of the details of your life falling into the hands of someone you'd rather not want having them? Freedom of association also includes the right to choose not to associate with someone.

    --
    Have gnu, will travel.
  4. Re:Time is Money by phantomfive · · Score: 4, Insightful

    I've had my credit card number stolen. Research was 5-10 minutes. Filling out the forms was another 5-10. When I got the new card, updating places that used the card for payments was yet another 5-10.

    So that's 30 minutes of lost time for you (genius that you are, you do it quickly)... multiply 30 minutes of lost time by several million people and you have the kind of damages that class action lawsuits were created for.

    --
    "First they came for the slanderers and i said nothing."
  5. It's a real pain in the ass by Bruinwar · · Score: 2

    It's a real pain in the ass when a data breach allows credit card fraud to occur. Anyone who's had it happen to them knows that. So the credit card company doesn't make you pay (oh, they don't eat it, ever, they don't pay the vendor), that's great. But you still have to catch the fraudulent charges (in time), call, make a claim, change your account number, remember all the subscribed accounts that use that number (Netflix etc.), wait & see, worry.

    But the company that can't keep their shit secure has no liability.

    --
    SLOWER TRAFFIC KEEP RIGHT
  6. Attorney goof? by theophilosophilus · · Score: 2

    The cost of a credit protection service enrolled in as a precaution is damage enough. This is a foreseeable injury regardless of actual fraud. The class representatives could have subscribed to some service and pled the class as consisting of all persons that incurred this expense. The result is the negligent company is held accountable and other companies are on notice that they will be held accountable. If there was actual fraud for some persons, it would destroy the commonality requirement for class certification; the persons suffering fraud would all have had different levels and types of damages.

    --
    Why have 1 person driving a backhoe when you could employ 20 with shovels?