Data Breach Litigation – A New Frontier: Anderson v. Hannaford Brothers Co.

By Zachary L. Neal[1. Mr. Neal is a Senior Associate in Alston & Bird LLP’s Litigation and Trial Practice Group, and he is a member of Alston & Bird’s Security Incident Management and Response Team.  He is a graduate of the University of Georgia and the University of Pennsylvania Law School.  The opinions expressed in this article are Mr. Neal’s and do not necessarily reflect the views of Alston & Bird LLP or its potential or current clients.]

Companies and government entities gather and aggregate an ever-increasing amount of consumer data.  This data runs the gamut from the seemingly innocuous – like shopping habits – to the sensitive – like social security numbers and account numbers.  As these entities gather and store data for their legitimate purposes, instances of unplanned releases of this information – or data breaches – are on the rise.  And with data breaches come lawsuits from plaintiffs – or putative classes of plaintiffs – who fear their personal information may have been compromised.

The United States Court of Appeals for the First Circuit’s recent decision in Anderson v. Hannaford Brothers Co.[2. 659 F.3d 151 (1st Cir. 2011).]  discusses one important aspect of data breach litigation – whether plaintiffs can allege the necessary harm to survive a motion to dismiss.  Anderson is one of the few instances where a court has concluded that the plaintiffs have alleged the necessary harm, meaning it is an important decision to consider in evaluating potential liability arising from a data breach.

Before discussing Anderson, this article first provides a general overview of how data breaches occur and why lawsuits tend to arise from them.  This article then discusses another threshold issue – whether plaintiffs can establish Article III standing when suing in federal courts. If a plaintiff does not have standing, then the issues discussed in Anderson will not come into play.  Finally, the article discusses Anderson in detail and explores its implications for future cases.

In sum, although Anderson will likely encourage even more data breach lawsuits, Anderson also underscores the difficulty plaintiffs will have in certifying classes even if they clear the other hurdles discussed in this article.

Data Breach Causes and Consequences

Data breaches may arise from a number of sources, including:

  • Careless disposal of sensitive information (e.g., a company throws away sensitive information in a Dumpster);
  • Inadvertent loss of sensitive information (e.g., an employee downloads sensitive information to some form of portable media and then misplaces that media);
  • Theft of sensitive information (e.g., an employee’s laptop is stolen from his or her car); and
  • Hacking to obtain sensitive information (e.g., a computer hacker breaches a company’s network and obtains sensitive information).

After a data breach occurs, forty-six states require businesses or government entities to report breaches to consumers in certain circumstances.  If notification is required, the data breach will become public, which, at least in the case of large data breaches, often leads to extensive coverage in both the mainstream media and on the internet.  This publicity, in turn, tends to generate lawsuits, which are often brought as class actions in federal court. These suits are likely attractive to plaintiffs’ lawyers because – at least in the case of large suits – there are potentially millions of class members.  These class members are often sympathetic as almost everyone fears identity theft or other forms of fraud.  And depending on the circumstances of the breach, plaintiffs have a number of claims to choose from, including negligence; breach of express or implied contract; state unfair and deceptive trade practices statutes; state data breach notification laws; and the Fair Credit Reporting Act.

Article III Standing

A threshold issue in most data breach lawsuits is whether plaintiffs have standing to bring claims where they have not yet been the victim of identity theft or other fraudulent activity.  In particular, courts have focused on whether plaintiffs have suffered an injury-in-fact where a data breach has occurred but the plaintiffs’ information has not been misused.[3. Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 634 (7th Cir. 2007); Krottner v. Starbucks Corp., 628 F.3d 1139, 1142 (9th Cir. 2010).]

Circuit courts have split over whether plaintiffs have standing under such circumstances.[4. Compare Pisciotta, 499 F.3d at 634 (holding such plaintiffs had standing) and Krottner, 628 F.3d 1139, 1142-43 (holding such plaintiffs had standing) with Reilly v. Ceridian Corp., 664 F.3d 38, 43-46 (2011) (finding such plaintiffs did not have standing).]  The Seventh and Ninth Circuits have been willing to find data breach plaintiffs have standing in certain circumstances even where they do not allege that they have been the victim of identity theft or other fraudulent activity.[5. Pisciotta, 499 F.3d at 634; Krottner, 628 F.3d 1139, 1142-43.]  The Seventh Circuit, for instance, found data breach plaintiffs, who alleged the data breach arose from a sophisticated hacking attack, had standing where no misuse of data was alleged but the plaintiffs alleged “a threat of future harm” from potential misuse of their data.[6. Pisciotta, 499 F.3d at 634.]  Similarly, the Ninth Circuit concluded that plaintiffs had standing even though they did not allege data misuse.  One plaintiff, the court found, had standing where she claimed “generalized anxiety and stress” as a result of a data breach; other plaintiffs had standing under the circumstances where they alleged an increased risk of identity theft.[7. Krottner, 628 F.3d 1139, 1142-43.]

Conversely, the Third Circuit has refused to find plaintiffs have standing where their information has not yet been misused.[8. Reilly v. Ceridian Corp., 664 F.3d 38 (2011).]  The Third Circuit found that before information accessed in a data breach is misused any harm is speculative because whether harm will ever occur depends on the potential future actions of (at least in that case) an unknown party.[9. Id. at 42.]  What must be shown to establish standing, the court found, are not allegations of hypothetical future harm, but allegations of actual or imminent harm.[10. Id. at 43.]  The Third Circuit distinguished the Seventh and Ninth Circuit cases discussed above by finding that the allegations in both cases suggested more imminent harm.[11. Id. at 44.]  The Seventh Circuit case, the court found, involved allegations of a “sophisticated, intentional and malicious” hacking attack.[12. Id.]  And in the Ninth Circuit case someone had attempted – but failed – to steal one plaintiff’s identity.[13. Id.]   More importantly, however, neither the Seventh nor Ninth Circuit decisions, the Third Circuit found, fully considered constitutional standing requirements as they applied to data breach claims.  The Third Circuit thus found the Seventh and Ninth Circuit cases unpersuasive.[14. Id.; cf.  Katz v. Pershing, LLC, --- F.3d ----, 2012 WL 612793 (1st Cir. Feb. 28, 2012) (finding plaintiff lacked standing where she alleged only that a data breach could occur, not that one actually had occurred).]

Thus, at least in some cases, plaintiffs will be able to allege enough facts to establish standing.  Either they will be able to allege actual harm, such as if they have already been defrauded, or their allegations will be enough to establish, at least in some court’s view, a great enough threat of future harm to establish standing.

Actual Harm and Anderson v. Hannaford Brothers Co.

Even where plaintiffs can establish standing, they will still be left with the tall task of surviving a motion to dismiss their claims based on the argument that they have not alleged sufficient actual harm or damages under their substantive claims.  For instance, in both the Seventh and Ninth Circuit cases discussed above, both courts found the plaintiffs had not alleged sufficient actual harm or damages to survive a motion to dismiss.[15. Pisciotta, 499 F.3d at 634 (finding Indiana law “would not permit recovery for credit monitoring costs” under plaintiffs’ negligence and breach of implied contract claims); Krottner v. Starbucks Corp., 406 F. App’x 129 (9th Cir. 2010) (holding that plaintiffs had not alleged the necessary actual loss or damage to sustain a negligence claim under Washington law because plaintiffs alleged only the possibility of future harm).]

In a departure from most other courts, however, the United States Court of Appeals for the First Circuit, in Anderson v. Hannaford Brothers Co.,[16. 659 F.3d 151 (1st Cir. 2011).] concluded that Maine law allows plaintiffs to recover certain damages arising from a data breach. In Anderson, the plaintiffs brought a class action complaint against Hannaford Brothers Company alleging several causes of action arising from a data breach.[17. Id. at 153.]  The data breach arose out of hackers accessing Hannaford’s credit and debit card processing system.[18. Id.]  The hackers allegedly stole credit and debit card numbers of 4.2 million Hannaford customers, leading to over 1,800 cases of fraud.[19. Id.]

Reviewing the trial court’s decision partially granting and partially denying Hannaford’s motion to dismiss, the First Circuit concluded that the plaintiffs had stated two causes of action under Maine law – breach of implied contract and negligence – and could likewise properly claim certain damages under those causes of action.[20. Id.]  In analyzing the damage issue, the court focused on so-called “mitigation” damages.[21. Id. at 162.]  The court first found under Maine law that damages must be “reasonably foreseeable.”[22. Id.]  The court then found that a plaintiff may “recover for costs and harms incurred during a reasonable effort to mitigate[]” harm.[23. Id.]  “To recover mitigation damages, plaintiffs need only show that the efforts to mitigate were reasonable, and that those efforts constitute a legal injury, such as actual money lost, rather than time or effort expended.”[24. Id.]

In deciding the plaintiffs had taken reasonable steps to mitigate their potential damages, including paying card replacement fees and buying credit insurance, the court focused on the fact that the case involved a sophisticated hacking attack that allegedly led to many fraud cases.[25. Id. at 164-65.]  The court went to great lengths to distinguish data breach cases where no subsequent fraud had occurred or where there was no allegation that the data theft was anything other than incidental to the “theft of expensive computer equipment.”[26. Id. at 165.] Instead, the court found, in this case, some people had already allegedly been fraud victims. It was thus foreseeable “that a customer, knowing that her credit or debit card data had been compromised and that thousands of fraudulent charges had resulted from the same security breach” would take steps to mitigate her potential damages.[27. Id. at 164.]

Although Anderson will likely encourage plaintiffs to file data breach lawsuits, Anderson also underscores the difficulty plaintiffs will likely have certifying a class for such claims, particularly a nationwide class.  In Anderson, the First Circuit had to engage in extensive analysis of unsettled state law before concluding plaintiffs had properly alleged damages under a single state’s law. The task of deciding whether multiple states’ laws would allow for damages given the particular facts of a case will likely prevent plaintiffs from satisfying Federal Rule of Civil Procedure 23(b)(3)’s predominance requirement. Under the predominance requirement, plaintiffs must show through extensive analysis that any differences in state law are manageable.[28. Sacred Heart Health Sys., Inc. v. Humana Military Healthcare Servs., Inc., 601 F.3d 1159, 1180 (11th Cir. 2010).] This will likely prove to be a hard – if not impossible – task where more than a few states’ laws are at issue, especially where the law in many states is an issue of first impression or in flux.[29. See, e.g., Sacred Heart, 601 F.3d at 1180-83 (district court abused its discretion in certifying a six-state class because the court had not engaged in a rigorous analysis to determine what state law variations existed); Kirkpatrick v. J.C. Bradford & Co., 827 F.2d 718, 725 (11th Cir. 1987) (affirming district court’s denial of a Rule 23(b)(3) multi-state class involving various state statutory and common law claims because “the differing standards of liability required by the laws of the various states would render class action treatment unmanageable”).]

The Opportunities and Pitfalls of Social Media in Litigation

By Audra Dial and Chiaman Wang [1. Audra Dial is a partner with Kilpatrick Townsend & Stockton LLP, specializing in complex patent and trade secret litigation.  Chiaman Wang is an associate with Kilpatrick Townsend & Stockton LLP, specializing in complex business and trade secret disputes.]

Introduction

In today’s information age, Facebook, MySpace, LinkedIn, and Twitter are ubiquitous.  These social media websites are updated on a daily, if not hourly, basis, and contain a wealth of personal information, including a user’s present state impressions.  Litigators can use these resources to find evidence helpful to prosecute or defend a claim, to impeach a witness, or even to uncover possible bias in a juror.  Under some circumstances, social media content is readily accessible without any significant expenditure of time or money, even without engaging in the formal discovery process.  If formal discovery is needed to access certain “private” sections of a social media website, these sections may offer both current and historical data that may prove to be immensely helpful in litigation.

As helpful as this information may be, counsel must also protect their clients from its downfalls.  Clients who tweet or post comments about their case could put sensitive information at risk.  Regardless of whether one seeks to use or prohibit access to social media websites, counsel must make certain that they satisfy their traditional professional obligations in doing so.

Taking Advantage of the Opportunities of Social Media in Litigation

Information from social media websites may be accessed both prior to and during litigation and may be accessed both formally and informally.  Because of the pervasive use of social media websites, a significant amount of information is presently available.  As such, litigators must take advantage of these novel opportunities to gather even more information about their opponents, witnesses, jurors, and even the judge.

1.   Informal Investigations of Social Media Websites Are Both Cost- And Time-Efficient

Given the prevalence of social media websites, these resources should always be included in one’s arsenal of case-related research.  A quick review of the opposing party’s Facebook page will likely reveal, at a minimum, his or her marital status, present location, and date of birth.  A glance at the LinkedIn profile of a witness will disclose his or her work history, including the positions held, the names of current and former employers and possibly co-workers, and the duration of the employment.  Just a few clicks of a mouse and all of this information could be at a diligent litigator’s fingertips without the expense of the formal discovery process, which cost is often exacerbated by objections and vague discovery responses.

Although this information may be readily available on social media websites, accessing this information must be done within the confines of ethical standards.  Counsel may certainly access public portions of websites, even the websites of represented parties or witnesses.  Counsel should not, however, submit “friend requests” to these same people because these requests may violate the rule prohibiting contact with represented parties outside their counsel’s presence.  See ABA Model Rule 4.3 (“[A] lawyer shall not communicate about the subject of the representation with a person the lawyer knows to be represented by another lawyer in the matter….”).  Even when dealing with unrepresented parties and witnesses, counsel may not misrepresent their identity or hire independent third parties to access information under false pretenses through social media websites.  For example, Attorney X cannot pretend to be John Smith to gain access to an unrepresented party’s MySpace page.  Similarly, Attorney X cannot hire Jane Doe to access an unrepresented party’s MySpace page without also requiring Ms. Doe to disclose her affiliation with Attorney X.  Such actions are generally considered deceptive and thus violate the prohibition against lawyers engaging in dishonest or deceitful conduct.  See ABA Model Rule 8.4 (“It is professional misconduct for a lawyer to: . . . engage in conduct involving dishonesty, fraud, deceit or misrepresentation….”).

Given all of the information that is available on social media sites, litigators should ensure they avail themselves of these websites when investigating their cases and preparing for trial.  This information is readily and legally accessible, provided that it is obtained within the confines of the rules governing professional conduct.

2.  Formal Discovery of “Private” Sections of Social Media Websites May Provide a Wealth of Information

Federal Rule of Civil Procedure 26 broadly allows the discovery of “any nonprivileged matter that is relevant to any party’s claim or defense.”  As a result of the breadth of Rule 26, courts have permitted discovery of “private” portions of a party’s social media website.  Courts have reached this conclusion in part because social media content is not privileged and is not protected by any privacy expectations.  See, e.g., Davenport v. State Farm Mut. Auto. Ins. Co., No. 3:11-cv-632-J-JBT, 2012 WL 555759, at *1 (M.D. Fla. Feb. 21, 2012) (social media websites are “neither privileged nor protected by any right of privacy”); Largent v. Reed, No. 2009-1823, 2011 WL 5632688 (Pa. Com. Pl. Nov. 8, 2011) (concluding plaintiff had “no privacy rights in her Facebook postings, and there is no general Facebook social networking privilege”).

Although content from social media websites may be discoverable, discovery requests must be carefully crafted to be “reasonably calculated to lead to the discovery of admissible evidence.”  Fed. R. Civ. P. 26(b)(1).  As with traditional discovery, litigators seeking information from social media websites are not “allowed to engage in the proverbial fishing expedition, in the hope that there might be something of relevance”.  Davenport, 2012 WL 555759, at *1.  Accordingly, courts are heavily inclined to grant access to private sections of social media websites when the party seeking discovery can direct the court’s attention to specific information from the public portions of the same website that is relevant or even contradictory to previous statements made during discovery or in pleadings.  See Largent, 2011 WL 5632688 (granting full access to plaintiff’s Facebook page because there were public photos contradicting plaintiff’s prior statements); Romano v. Steelcase Inc., 30 Misc. 3d 426, 430, 907 N.Y.S.2d 650 (Suffolk Cnty. 2010) (granting full access to plaintiff’s Facebook and MySpace accounts because “the public portions of plaintiff’s social networking sites contain material that is contrary to her claims and deposition testimony”).

To ensure one is carefully preparing his case, counsel should take advantage of researching all publicly available information, as such information may then reveal the relevance of private sections of the social media website.  If successful in establishing the relevance of the private portions, a party may be rewarded with full access to the opponent’s social media website, including current and deleted content such as photographs, postings, and even conversations.  See Zimmerman v. Weis Markets, Inc., No. CV-09-1535, 2011 WL 2065410 (Pa. Com. Pl. May 19, 2011) (ordering plaintiff to “provide all passwords, user names and log-in names for any and all MySpace and Facebook accounts”); Romano, 30 Misc. 3d at 435, 907 N.Y.S.2d at 650 (granting access to plaintiff’s “current and historical Facebook and MySpace pages and accounts, including all deleted pages and related information”).  Access to this information provides an opportunity to discover a wealth of information that may assist counsel in prosecuting or defending her case.

Protecting Your Clients From the Pitfalls of Social Media

Although social media websites contain an abundance of personal information about one’s opponents, this information is equally discoverable from one’s own clients.  As such, lawyers should counsel their clients on the risks of maintaining active social media websites, especially during litigation.

As an initial matter, individuals should set their privacy settings to exclude access to their site by the general public.  In addition, clients should be advised to reject any new “friend requests” from unknown contacts.  Importantly, clients should also refrain from posting, tweeting, or commenting on aspects of their case during the pendency of litigation.  The less information available in the public portions of a social media website, the less likely an opposing party will be able to gather the requisite information to show that the private portions could be relevant.  In the absence of such a showing, courts will not authorize discovery into private portions of a party’s social media website.  See Tompkins v. Detroit Metro. Airport, No. 10-10413, 2012 WL 179320, at *2-3 (E.D. Mich. Jan. 18, 2012) (denying request for access to plaintiff’s Facebook account because nothing in the public portions indicated the relevance of the private portions).

Depending on the nature of the claims and the client’s use of social media, it may be advisable for clients to deactivate their social media accounts as soon as litigation is contemplated.  This action will ensure that potentially privileged information is not revealed.  Although litigators may recommend the deactivation or decreased use of such sites, counsel must not recommend that their clients “clean up” or delete potentially negative posts, photographs, or tweets when litigation is reasonably anticipated or ongoing.  The deletion of any social media content that could be relevant will likely constitute spoliation and such destruction will subject both the attorney and client to sanctions.

For example, in Lester v. Allied Concrete Company, No. CL08-150 (Va. Cir. Ct. Sept. 1, 2011), defendants submitted discovery requests seeking certain contents of plaintiff’s Facebook pages.  Upon receipt, plaintiff’s counsel advised his client to delete certain photographs on his Facebook account and stated, “we do NOT want blow ups of other pics at trial so please, please clean up your facebook and myspace.”  In compliance with his counsel’s instructions, the client deleted 16 photographs and thereafter deactivated his Facebook account.  Plaintiff’s counsel submitted the following discovery response the day after this deactivation: “I do not have a Facebook page on the date this is signed.”  The court concluded that plaintiff’s counsel’s actions were sanctionable, awarding the defendants the attorneys’ fees that they incurred in pursuing the Facebook data.  The court also referred plaintiff’s counsel to the Virginia State Bar “for any action it deems appropriate.”  As for the plaintiff, the court awarded monetary sanctions against him and also referred perjury allegations against him to the prosecutor’s office for potential criminal prosecution.  As the Lester case makes clear, severe sanctions can be imposed for the intentional destruction of social media content.  Thus, it is important to ensure that any suggestions regarding the use or non-use of social media during litigation are also coupled with clear instructions not to delete or remove any content that is currently or was previously on the client’s social media websites.

Conclusion

Social media can be both a litigator’s dream and nightmare.  At times, it may lead to immensely helpful information and, at others, it could destroy a client’s credibility.  As such, counsel must ensure they take advantage of the benefits of social media websites during pre-suit investigations and discovery while simultaneously protecting their clients from its pitfalls and ensuring that information contained on these sites is preserved for discovery.  Preservation of the contents of social media is very important and will become increasingly so as the use of social media sites continues to grow.