Cyber Security Update - The FTC and Class Actions

In January, we published a legal alert discussing some of the issues that are expected to be further developed in the coming year with respect to the increasingly complex area of cyber security and data privacy. One of those issues was a clarification of the roles of certain federal agencies, in particular the Federal Trade Commission, in the enforcement and investigation of data breach events. Another issue was the development of consumer class actions arising from data breach events. This past week, there have been some developments with respect to both of those issues:

The FTC Continues to Explore its Role as Administrative Enforcer of Data Security

We previously reported on the FTC/LabMD Inc. dispute. In that matter, the company was accused of leaving customers' names, Social Security numbers, dates of birth and personal health insurance information exposed on publicly accessible peer-to-peer (P2P) file sharing networks. An administrative law judge (ALJ) initially dismissed an FTC data security action against the medical testing company on the grounds that there was no evidence that any consumer whose information was maintained by LabMD suffered any "actual harm." The ALJ's decision is under review by the FTC Commissioners, who conducted a hearing on the matter on March 8.

The key issue in the dispute is the scope of the agency's authority under Section 5(n) of the FTC Act. That provision essentially provides that the agency is without authority to act unless there is conduct that "causes or is likely to cause substantial injury to consumers." The Commissioners' focus is on the meaning of the term "likely to cause."

At the hearing, counsel for both the agency and the company were grilled by the FTC Commissioners on the proposed application of that term. The agency's counsel argued that the mere exposure of sensitive personal data was sufficient to meet the statute's standard of "likely to cause harm" because of the inherent and significant risk of harm based on exposure of the data. The agency attorney went on to argue that evidence of a failure to sufficiently protect such sensitive personal information in and of itself provided sufficient grounds upon which the agency could act under the statute, regardless of whether or not any individual's information was used for a malicious purpose. The attorney for the company argued that evidence of the exposure of sensitive data is not sufficient to demonstrate actual harm or a likelihood of actual harm, and that the agency had the burden of proving concrete harm or harm that was probable rather than merely speculative.

The ultimate determination of this matter will likely not end with the Commissioners' decision, as the losing side is likely to seek court review of the matter. This matter will be the bellwether in determining the scope of FTC enforcement in data breach cases, and the scope of the agency's authority will certainly be a factor for any enterprise that suffers a data breach event.

Consumer Data Privacy Action Update

As we continue to await the U.S. Supreme Court's decision in Spokeo v. Robins and Campbell-Ewald v. Gomez, cases that, as we previously reported, could have a significant impact on class action litigation both generally and as it relates to data breach events, Home Depot has apparently decided to mitigate its risk by settling a putative consumer class action claim arising from its massive 2014 data breach event. Documents filed in a Georgia federal court on March 7 indicate that Home Depot has reached a proposed $13 million settlement to resolve the consumer claims arising from the breach. Much like the FTC issue described above, Home Depot originally sought to dismiss the class action claims on the grounds that the consumers were unable to demonstrate concrete, actual harm.

Rather than continue to fight the claims, however, Home Depot and the plaintiffs' class are now seeking court approval of the class settlement. The proposed settlement would provide compensation to class members for documented out-of-pocket losses, unreimbursed charges, and time spent remedying issues relating to the breach. Altogether, the class members could be eligible to recover up to $10,000 each (including up to five hours at $15/hour for the time spent dealing with breach related issues). The proposed settlement also includes 18 months of identity protection services for all class members who had payment card information exposed in the breach. The motion to approve the settlement also asks for the court to certify a nationwide class, which would include approximately 40 million individuals who has payment card data stolen and 52 million people whose e-mail addresses were compromised (though there is overlap in those groups).

While Home Depot is still facing claims from various financial institutions, its willingness to enter into the proposed class settlement with affected consumers demonstrates the ongoing uncertainly facing companies in consumer class actions arising from data breaches and the need for companies to manage their potential exposure in light of such uncertainty. The proposed terms of the settlement may also provide a road-map of sorts in identifying the types of remedies and/or damages that may be expected going forward in breach event litigation.