Once more unto the (corporate data) breach, dear friends.
I. INTRODUCTION
II. BACKGROUND
  A. Corporate Data Privacy Breaches
  B. Data Privacy Class Actions
    1. The Data Regulation Landscape
  C. Questionable Consumer Protection Outcomes
  D. Deja Vu and the PSLRA
III. ANALYSIS
  A. The PSLRA's Intended Target: "Strike Suits"
    1. Nominal Damages but High Attorneys' Fees: Agency Costs
  B. PSLRA Provisions and Practical Outcomes
    1. The Lead Plaintiff Provision
    2. The Heightened Pleading and Discovery Stay Provisions
  C. Efficacy of the PSLRA
    1. The Heightened Pleading Requirement and Silicon Graphics
  D. Comparing the PSLRA and Data Breach Claims
    1. Data Breach Strike Suits
IV. RECOMMENDATION
V. CONCLUSION
I. INTRODUCTION
Data security breaches are no longer merely the concern of IT departments; (1) they are now one of the most critical and potentially costly specters corporations face today. (2) To strike a balance between consumer and corporate interests, this Note will advocate that Congress should include, as a part of any data privacy reform, a heightened pleading requirement modeled after the standard created by the Private Securities Litigation Reform Act of 1995 (PSLRA), as applied by the Ninth Circuit in Silicon Graphics. (3) With news of new breaches arriving almost daily, implicating significant firms like JPMorgan Chase Bank, Sony Pictures, and Anthem Inc., it is clear that an age of large corporate data breaches is just beginning. (4) These data breaches are proving to be extremely costly, due in part to a corresponding increase in class action litigation. Some of these claims bear striking similarities to the securities class actions that a small group of unscrupulous attorneys filed during the 1990s-era dot-com boom. (5) These claims negatively affected many corporations individually, while also significantly burdening U.S. capital markets. (6) This Note will explain the similarities and differences between the current era of data privacy class actions and the pre-PSLRA era of securities class actions. It will also evaluate the efficacy of the PSLRA, before ultimately advocating that Congress should adopt a heightened pleading standard for data privacy class action claims modeled after the Ninth Circuit's application of the PSLRA in Silicon Graphics. (7)
II. BACKGROUND
A. Corporate Data Privacy Breaches
In 2012, FBI Director Robert Mueller ominously stated: "there are only two kinds of companies: those that have been hacked and those that will be." (8) However, even with such a high likelihood of hacking, the majority of corporate data breaches in 2013 had other causes. (9) While hacking gets the glory, system glitches and employee errors are still responsible for the lion's share of corporate data breaches. (10) The average data breach in 2013 cost U.S. companies $201 per record lost, with the average breach implicating nearly 30,000 records. (11) Unfortunately, these statistics conceal significant outliers representing the largest and most costly data breaches. For example, the now infamous 2013 data breach of Target Corporation (Target) exposed 40 million credit and debit card records, in addition to potentially compromising the personal information records of an additional 70 million customers. (12) This appears to be the new status quo for corporations, (13) as the number of large-scale breaches will likely continue an upward trajectory in 2015. (14) The fact that recent breaches occurred at some of the largest companies, presumably with the most sophisticated countermeasures, leads many to believe that no corporation is safe. For example, Anthem and JPMorgan Chase both recently experienced data breaches--compromising 80 million and 76 million records, respectively--the largest breaches that the healthcare or banking industries have ever experienced. (15) Although consumer data is a precious capital asset for companies, (16) it has become abundantly clear that "even the most robust and sophisticated network security will fail," and when it does, the corporation could face significant litigation, regulatory, and public relations costs. (17)
As more corporations announce data breaches, unscrupulous attorneys stand ready--some merely trolling news reports--just waiting for the next opportunity to file a claim, often within 24 hours of a data breach. (18) During Home Depot's recent breach, at least one plaintiff filed a complaint before the company had even confirmed that there had actually been a breach. (19) Home Depot's mere "acknowledg[ment] [that] it was investigating 'unusual activity' related to a potential breach" was sufficient grounds for plaintiffs to file a class action. (20) Additionally, a single breach event can yield a high volume of class action claims against a corporation. (21) For example, plaintiffs filed over 70 putative class actions against Target--in various jurisdictions across the country--in response to the company's now paradigmatic 2013 breach. (22)
B. Data Privacy Class Actions
1. The Data Regulation Landscape
Unfortunately, for many plaintiffs injured by corporate data breaches, there is currently no clear route to redress. (23) This is due in large part to the complex "patchwork" of state and federal law currently governing data privacy. (24) The Federal Government's "sectoral" approach, which breaks down laws according to the type and use of data, complicates the potentially available legal remedies for victims who have had multiple types of data compromised. (25) These laws comprise a group of roughly 20 different federal statutes that govern privacy generally, although some have questionable applicability to personal data. (26) For example, some plaintiffs have recently attempted to file data breach claims under the Video Privacy Protection Act (VPPA), a 1988 law passed to protect customers' VHS tape rental history from public disclosure. (27) VPPA bars "video tape service providers" from knowingly disclosing personal information without written consent. (28) Although VPPA still applies to today's movie streaming companies like Netflix, many plaintiffs have attempted to retrofit the law to cover all manner of data breaches, even though Congress clearly never contemplated such coverage. (29) Importantly, VPPA contains a statutory damages provision that allows plaintiffs to recover $2500 per violation, irrespective of any actual damage. (30) Plaintiffs have increasingly attempted to apply such laws in the data privacy context, since a single data breach could yield millions of "violations," converting claims into the practical equivalent of gold mines. (31) In addition, most states have been actively passing legislation governing personal data, generating a lack of uniformity that has muddied the waters for injured plaintiffs. (32) Their lawyers are now forced to throw the "kitchen sink" into complaints to see what, if anything, sticks. (33) Unfortunately for the majority of recent claims, not much has actually stuck, but many commentators characterize this as a "war of attrition," and note that plaintiffs' tactics are rapidly and aggressively evolving and causing some courts to entertain novel applications. (34)
Many courts have dismissed data privacy class actions under the doctrine of standing. (35) Courts generally base these dismissals on one of two grounds: (1) the plaintiffs did not establish an injury in fact; (36) or (2) the plaintiffs did not adequately quantify or prove recoverable damages (i.e., a legally cognizable injury) pursuant to the Supreme Court's standards in Lujan v. Defenders of Wildlife (37) and Clapper v. Amnesty International. (38) Although the majority of courts are still turning aside data privacy class actions that merely allege a fear or increased risk of fraud caused by a breach, (39) plaintiffs have been able to chip away at courts' Article III bulwark. (40) A high-profile example of courts' willingness to modify the injury requirement can be gleaned from the statement of U.S. District Court Judge Paul Magnuson, who stated, after partially denying Target's motion to dismiss: (41) "You have people here who were honest to goodness hurt, who were injured." (42) While the judiciary could take it upon itself to reform data breach claims by modifying the standing doctrine, this Note will instead advocate for reform at the congressional level.
Under the current regime, if a data privacy class action claim meets the injury requirement, the next crucial battle occurs at the motion to dismiss stage. (43) If plaintiffs survive a corporation's motion to dismiss, they gain a tremendous amount of leverage (i.e., the looming cost of lengthy discovery combined with the potential for negative publicity). (44) This leverage typically forces corporate defendants to rapidly settle claims. (45) If courts are not able to properly dismiss non-meritorious claims at this stage, this leverage could have a detrimental effect on corporations and the U.S. economy as a whole.
C. Questionable Consumer Protection Outcomes
For those claims that survive dismissal and reach the settlement table, it is unclear what consumer protection goals, if any, many settlements serve. (46) For example, clothing retailer T.J. Maxx, one of the first major companies to experience a large-scale data privacy breach, settled 25 putative class actions by offering plaintiffs a choice of either three years of free credit monitoring and identity theft insurance, or nominal cash payments or vouchers valued at $15 or $30, respectively (i.e., coupons), for lost time suffered in response to the breach. (47) T.J. Maxx also offered to reimburse any costs incurred to replace drivers' licenses or losses borne from identity theft fairly traceable to the breach, as well as $6.5 million to the plaintiffs' attorneys. (48) While this appears to be a favorable outcome on its face, "only 3% of the eligible [T.J. Maxx] class members sought the credit monitoring service," with most opting to instead collect a nominal "coupon" payment. (49) Moreover, by the time the court resolved the $6.5 million attorneys' fee award, none of the 4800 breach-related claims of identity theft had been deemed meritorious. (50) In the end, the majority of affected consumers walked away with a small coupon instead of three years of credit monitoring service, plaintiffs' counsel walked away with $6.5 million in fees, (51) and T.J. Maxx footed a $256 million bill. (52)
A unique characteristic of data privacy breach class actions is that, of the total number of victims whose data has been compromised, generally only a small percentage actually suffers a subsequent fraud. (53) Furthermore, of those victims that actually experience fraud on their financial accounts, most are not responsible for such charges. (54) These facts help explain many courts' hostility to recent data breach claims and their strict application of the injury aspect of standing discussed in Section II.B. (55)
Since most breaches fail to produce monetary consequences for affected consumers, some commentators suggest American consumers have become numb to breaches altogether, accepting them as a practical inevitability of entering the marketplace. (56) Recent data suggests that in 2013, 32% of consumers who received notice that they were affected by a breach ignored the notice altogether. (57) Furthermore, 71% of those affected stated that they would continue to do business with the corporation. (58) In Target's case, Chief Financial Officer John Mulligan stated the company had not seen any marked drop in patronage as a result of the breach; it has, however, already racked up costs totaling more than $146 million, an expense that is still rising. (59)
Another growing trend in data privacy class action settlements is the cy pres award. (60) These settlements have grown in popularity thanks to support from both judges and corporations. (61) Proponents argue that these settlements provide the best solution to the anomalous "injury" problem, while also promoting consumer protection initiatives. (62) Many large technology companies like Google, Facebook, and Netflix strongly advocate for them. (63) However, consumer protection advocates have been critical of cy pres awards because they do not send any money to class members. (64) Thus, somewhat ironically, many consumer protection advocates have opposed these measures as being out of line with consumer interests, even though most cy pres settlements in this area seek to establish and fund research groups to develop future solutions to data privacy issues. (65)
D. Deja Vu and the PSLRA
In 1995, Congress passed the PSLRA, a sweeping reform seeking to address issues in securities class actions (66) arising during the dot-com boom. (67) Congress intended to construct a series of procedural "roadblocks," which would reduce the filing of nonmeritorious securities class actions. (68) Congress recognized that many of the class actions initiated during this era sought not only nominal damages for individual plaintiffs, but lucrative fees for their attorneys, a financial situation that many unethical attorneys exploited. (69) These attorneys began "act[ing] more like principals than agents," filing claims--regardless of their merit--knowing that corporations were likely to settle any claims that survived dismissal, allowing the attorneys to cash in on lucrative contingency fee agreements. (70) As frivolous claims increased in volume, the speed with which attorneys filed claims following a change in stock price became an identifying characteristic; frivolous claims often had little or no pre-filing investigation. (71) Ultimately, many critics argue that the PSLRA failed to achieve its intended goal. (72) However, data suggests that one aspect was particularly effective at weeding out nonmeritorious claims: the heightened pleading requirement. (73)
III. ANALYSIS
This Part evaluates the similarities and differences between the securities class action era and the current era involving data privacy claims. It will critically examine the PSLRA's efficacy and compare its targeted issues to its counterparts in today's data privacy realm.
A. The PSLRA's Intended Target: "Strike Suits"
In 1995, Congress recognized that frivolous securities class actions were placing a tremendous burden on high-growth industries, while generally benefitting only the lawyers who filed them. (74) Congress believed that the volume of frivolous claims was unacceptably high, (75) causing companies to incur unnecessary legal costs, which in turn chilled corporate disclosures. (76) Thus, the PSLRA sought to resolve a classic agency problem: "opportunism." (77) Although the class action vehicle is intended to provide investors with a means of assuring sound business practices, (78) the system also allows for opportunistic misuse by covetous lawyers. (79)
Misuse comes in the form of non-meritorious claims filed merely to cash in on a quick settlement, known as "strike suits." (80) The tactical predicate of these suits is that there is a large disparity in litigation costs between plaintiffs and corporate defendants, which induces rapid settlement on the part of the defendants if claims survive a motion to dismiss. (81) The cost differential is so great that companies are strongly inclined to settle even non-meritorious claims that survive, because doing so could still be cheaper than trying the case to a winning verdict. (82) A trademark of "strike suits" that many critics, including Congress, found highly offensive was that many attorneys filed the claims almost automatically following any increase or decrease in a company's stock price, without any pre-filing investigation or discovery. (83)
1. Nominal Damages but High Attorneys' Fees: Agency Costs
These strike suits arise from opportunism: some attorneys have stronger financial incentives to pursue claims than their respective clients. (84) This issue stems from the contingency fee model, wherein plaintiffs' lawyers assume the costs and risks associated with litigation, while standing to collect 20-30% of any recovery. (85) In the pre-PSLRA securities context, most class members were generally only entitled to a nominal recovery; (86) however, their counsel could walk away with an extremely lucrative fee award. (87) It is important to clarify, however, that this model alone is not the problem. The problem only arises when unethical attorneys exploit the model. Some simply could not resist the urge to capitalize on the model for pecuniary gain, as evidenced by several settlements that almost irrefutably illustrate that plaintiffs' attorneys were not acting as their investor-clients' "faithful champions." (88) A lack of client oversight in these settlements produces settlement provisions most class members would find highly objectionable. (89) Securities class actions in particular have this problem because most plaintiffs generally suffered insufficient damages to make monitoring their counsel cost-effective. (90) Thus, without client oversight, some attorneys began acting solely out of self-interest. (91) This often included leaving their clients ill-informed about their cases' facts, monetary issues, and ultimate outcomes. (92) As William Lerach, a former attorney and "poster child" for this style of misuse, said in 1993, "I have the greatest practice of law in the world. I have no clients." (93) This quote exemplified precisely the type of misconduct Congress sought to target, and the quote itself actually provided some of the momentum necessary to pass the PSLRA. (94)
B. PSLRA Provisions and Practical Outcomes
1. The Lead Plaintiff Provision
One way that Congress sought to address the agency problem was by adding a "lead plaintiff" provision to the PSLRA. This provision specified that the courts would designate the plaintiff with the greatest economic stake in the outcome as the lead plaintiff of the class action. (95) Congress expected this provision to help solve the agency cost issue by assigning the primary duty of oversight to the plaintiff with the greatest financial incentive to actually perform that oversight, which in the securities context would be an institutional investor. (96) Ideally, the new lead plaintiff would also be able to devote the resources necessary to zealously pursue the claims. (97) Thus, this provision was intended to help reduce the overall incidence of opportunism on the part of the lawyers filing securities class actions. (98) Congress sought to close this financial incentive imbalance in spite of the fact that institutional investors often possess unique interests and political agendas that distinguish them from the typical investors comprising a class. (99) As it turned out, institutional investors were reluctant to take the reins in securities class actions, and they remained that way throughout much of the decade after Congress passed the PSLRA. (100) Although they have assumed a larger role since 2005, institutional investors at present are only active in approximately one-third of all securities cases. (101) Furthermore, the attorneys and firms that occupied this field before the Act's passage--Congress' specific targets--remained the dominant choice of counsel for post-PSLRA institutional investors. (102) Thus, incentivizing institutional investors to lead class actions, or more generally, attempting to correct the financial incentive imbalance, did not provide the best solution to weed out frivolous lawsuits. In any case, such a provision would not translate well to data breach class actions because there is no analog to the institutional investor in the data privacy context.
2. The Heightened Pleading and Discovery Stay Provisions
To help reduce the incidence of strike suits and relieve the strain on capital markets, the PSLRA also deployed a heightened pleading standard and a discovery stay provision. (103) Congress added the first element after recognizing that the notice pleading standard was inadequately weeding out nonmeritorious claims at the motion to dismiss stage. (104) The new heightened standard required plaintiffs to plead: (1) with specificity; (2) if pleading on information and belief, all facts upon which the belief is based; and (3) with particularity that the defendant acted with the requisite state of mind. (105) The second element stays discovery while motions to dismiss are pending and requires that a party moving to lift the stay prove either that evidence will be destroyed or that the movant will be subject to undue prejudice if the stay is not lifted. (106) Congress intended the provision to shield corporations from discovery costs and the accompanying settlement leverage, at least until a court heard a motion to dismiss, when it would ideally weed out a greater number of nonmeritorious claims. (107) While many scholars believe that the PSLRA did not produce its intended outcome, it did change securities class actions in a manner that merits discussion. (108)
C. Efficacy of the PSLRA
Overall, the PSLRA failed to reduce the number of securities class action lawsuits filed each year. (109) It also failed to remedy the proverbial "race-to-the-courthouse" problem. (110) Though the Act did slow the average filing speed for a short period of time after it became effective, the speed later rebounded. (111) Scholars disagree over the proper interpretation of this data, with some explaining it as merely an acclimatization period for plaintiffs' attorneys. (112) Others, however, suggest that post-PSLRA plaintiffs now file only the most flagrant claims, which require the least amount of pre-filing research. (113) Ultimately, the cause of this rebound is unclear, and experts disagree as to the true relationship. (114)
Since Congress passed the PSLRA, the mean settlement value of securities class actions that survive dismissal has increased. (115) Some commentators argue that PSLRA's weeding out of smaller and more frivolous claims caused this phenomenon. (116) Others, however, question the strength of this statistical relationship as another illustration of the disputed impact of the PSLRA. (117) While the Act may not have performed exactly as Congress intended, there is statistical evidence suggesting that the heightened pleading standard improved the overall quality of the securities class actions filed in the Ninth Circuit--the court applying the strictest interpretation. (118)
1. The Heightened Pleading Requirement and Silicon Graphics
Congress intended the heightened pleading requirement to ratchet up courts' ability to weed out "strike suits." The PSLRA pleading standard, which was arguably the most contentious portion of the Act, (119) requires that plaintiffs specify in their complaints "each statement alleged to have been misleading, the reason or reasons why the statement is misleading, and, if an allegation regarding the statement or omission is made on information and belief, the complaint shall state with particularity all facts on which that belief is formed." (120) The Act further requires that complaints "state with particularity facts giving rise to a strong inference that the defendant acted with the required state of mind." (121) President Clinton vetoed the PSLRA, fearing that the pleading standard was "an unacceptable procedural hurdle to meritorious claims." (122) However, data suggests that "many, if not more, class actions [were] filed" in the wake of the PSLRA, and the Act ultimately failed to markedly ease the strain on technology-driven capital markets. (123) While this suggests that President Clinton wrongly feared the pleading requirement, it also acutely highlights that the Act was not the solution Congress envisioned it to be. (124) Importantly, however, data also suggests that the PSLRA's pleading standard, as applied by the Ninth Circuit, "may have improved case quality without excessively inhibiting plaintiffs' attorneys from bringing legitimate cases." (125)
This ideal outcome was possible because the PSLRA drafters did not specifically explain the meaning of the pleading requirement in the Act itself, which allowed circuit courts to splinter based upon their own interpretations. (126) Specifically, in 1999, the Ninth Circuit in In re Silicon Graphics Inc. Securities Litigation applied the strictest interpretation of the standard, requiring securities class action plaintiffs to plead enough evidence to create a strong inference of "deliberately reckless or conscious misconduct" on the part of the firm. (127) This application effectively "convert[ed] a motion to dismiss into an early judicial screen of the merits of the action and the adequacy of counsel's investigation." (128) Unlike the rest of the PSLRA, data suggests that the Ninth Circuit's application actually improved the overall quality of class actions by reducing the filing of facially weak claims, while also generating a higher percentage of the most seriously alleged fraud cases. (129) Although the data shows that the Ninth Circuit's Silicon Graphics standard correlates to a statistically significant shift in case quality, a lack of empirical methodology (130) makes it unclear whether the standard also caused a decrease in the quantity of meritorious claims. (131) Given its efficacy in the securities class action context, the Ninth Circuit's interpretation of the PSLRA should provide the model for a heightened pleading standard applicable to data security class actions.
D. Comparing the PSLRA and Data Breach Claims
Emerging data privacy class actions share some important similarities with pre-PSLRA securities class actions. First, settlements are similarly driven by the disparity in litigation costs between plaintiffs and corporate defendants. (132) More importantly, however, the same agency issues that Congress once tried to address in securities are alive and well today in data privacy claims. (133) For example, the T.J. Maxx data breach "coupon settlement" discussed in Section II.C, illustrates that an agency problem has formed in the data breach realm that could lead to the same types of misuse that occurred prior to the PSLRA. (134) The prospect of receiving a "coupon" is unlikely to incentivize consumers to adequately monitor their counsel in corporate data security class actions. (135) To make matters worse, since the majority of breach victims generally do not experience fraud or other financial damage arising from a breach, they have a weak incentive to monitor their counsel. Thus, this disparity in monetary outcomes between plaintiffs and their counsel is analogous to the situation that arose in securities class actions during the early 1990s, except that in data privacy, consumers appear even less interested in actively pursuing claims, (136) creating an area even riper for abuse by opportunistic plaintiffs' lawyers.
1. Data Breach Strike Suits
Some attorneys have already begun filing data privacy breach "strike suits," (137) triggered in response to the mere mention of a corporate data security issue. (138) These attorneys are already cashing in on the agency cost problem, (139) much like their pre-PSLRA counterparts that Congress took issue with. (140) Since the current data privacy legal landscape is best described as a "patchwork," the courts apply a strict, "actual harm" standing requirement as the primary method of weeding out non-meritorious cases. (141) Although this has proven to be an effective gatekeeper, (142) the winds seem to be changing regarding this standard, with at least some judges now feeling that the current model overprotects corporations at the expense of consumers. (143) Thus, procedural safeguards must be implemented to prevent unscrupulous attorneys from abusing this area of law and repeating the events of 1990s-era securities litigation.
An important difference between securities and data privacy class actions relates to the defendant-corporation's culpability. While most companies that comply with securities regulations are unlikely to be held liable for securities fraud class action claims, no amount of security can completely protect a company from experiencing a corporate data breach. (144) Though it is important to keep channels of redress open regarding data security, balance must be emphasized because even those companies that protect and enforce data security in an aggressive manner may still find themselves facing a data breach and the subsequent litigation. (145)
IV. RECOMMENDATION
While Congress' attempt to reform securities class actions via the PSLRA is largely considered a failure, its lessons--particularly those related to the heightened pleading requirement--could provide an excellent tool if applied to data privacy class actions. (146) Although data privacy issues are relatively novel, the government--through both the Federal Trade Commission and the United States Department of Commerce--began researching and developing a comprehensive policy for data privacy reform in 2010. (147) In 2012, the White House issued its own policy framework, the centerpiece of which was a proposed "Consumer Privacy Bill of Rights." (148) If adopted by Congress, the White House framework would radically reform U.S. data privacy laws, (149) but many observers are skeptical it can reach the critical mass necessary for passage. (150) As a part of any omnibus data privacy reform, Congress should establish a heightened class action pleading requirement similar to the Ninth Circuit's application of the PSLRA in Silicon Graphics.
Data breach plaintiffs should have to plead facts sufficient to create a strong inference of "deliberately reckless or conscious misconduct" on the part of the corporation before proceeding on the merits. This standard would not be overly restrictive and would lend some manner of predictability to the current system. It would help protect companies from facing crushing liability from frivolous class actions while also protecting consumers from higher transaction costs in the market. This reform would increase judicial efficiency and reduce capital costs for corporations by increasing the overall quality of legal claims against corporations. Judicial efficiency would increase simply because plaintiffs would no longer need to file "kitchen sink" claims, thereby lowering plaintiffs' filing costs. (151) As a corollary, defense attorneys--and more importantly, judges--would no longer be required to sift through these dense and varied claims. In exchange, the heightened pleading standard would weed out "strike suits," and improve the overall quality of data security class action claims, much like it did for the securities actions that preceded it in the Ninth Circuit. The lessons learned in the years since the PSLRA's passage should be applied to the current dilemma facing Congress regarding data privacy to prevent history from repeating itself.
V. CONCLUSION
Without reform in data privacy, corporations will face an extraordinary burden in the coming years. While the class action vehicle can provide an effective method of policing corporate business practices, the current system is ripe for abuse by opportunistic attorneys. Many class members today lack the economic incentives necessary to actively pursue claims, and some lawyers could be drawn to act unethically by lucrative fee agreements. This classic agency problem mirrors the issue that the PSLRA sought to address in 1990s-era securities class actions. However, data privacy class actions are even riper for abuse given that current FTC and banking regulations protect most consumers from financial damage. (152) Furthermore, in the data privacy context it appears that no firm is safe. The current system fails to materially advance consumer protection goals while costing companies millions of dollars, and it is neither economically nor judicially efficient. To get out in front of this issue and ensure opportunism does not place an economic burden on health, retail, and other important corporate markets, Congress should adopt a heightened pleading standard based on the Ninth Circuit's application of the PSLRA in Silicon Graphics.
Adam R. Foresman, J.D. Candidate, University of Iowa College of Law, 2016; B.S., University of Iowa, 2013. I would like to thank The Journal of Corporation Law editors for all of their help with this Note.
(1.) Paul A. Ferrillo, Cyber Security, Cyber Governance, and Cyber Insurance, HARV. L. SCH. F. ON CORP. GOVERNANCE & FIN. REG. (Nov. 13, 2014), http://blogs.law.harvard.edu/corpgov/2014/11/13/cyber-security-cyber-governance-and-cyber-insurance/.
(2.) See id. (describing the evolution of data security from merely an IT Department problem to a matter of corporate survival); Michael Dell, Michael Dell on Why Data Security Is the Most Important Issue You Face, INC. (Mar. 27, 2014), http://www.inc.com/michael-dell/why-data-security-is-the-most-important-issue-you-face.html (stating the views of Michael Dell--Dell Inc.'s Chief Executive Officer--that cyber security is both his clients' biggest concern and biggest unmet need).
(3.) See generally In re Silicon Graphics Inc. Sec. Litig., 183 F.3d 970 (9th Cir. 1999) (holding that PSLRA requires plaintiffs to plead facts sufficient to show a strong presumption of deliberate recklessness).
(4.) Ferrillo, supra note 1.
(5.) See infra Section II.D (discussing the incidence of rapid suit filings, often with little discovery, nominal damages for many class members, and significant attorney's fees awards).
(6.) See Jessica Erickson, Congress Thought It Fixed the Problem of Professional Plaintiffs in 1995, but Some Plaintiffs' Attorneys Have Taken Their Old Tactics To a New Venue, U. RICH. SCH. L. ALUMNI MAG. (Winter 2014), http://scholarship.richmond.edu/cgi/viewcontent.cgi?article=1036&context=law-magazine (describing the pre-PSLRA era where "corporate America claimed to be under siege" from "professional plaintiffs" filing frivolous securities class actions).
(7.) Silicon Graphics, 183 F.3d at 970.
(8.) See Robert S. Mueller, III, Director, Federal Bureau of Investigation, Address at the RSA Cyber Security Conference, San Francisco, CA (Mar. 1, 2012), http://www.fbi.gov/news/speeches/combating-threats-in-the-cyber-world-outsmarting-terrorists-hackers-and-spies (stating that the FBI believes data security could eclipse terrorism as the United States' top threat in the near future); Roberta D. Anderson, Coming This Spring to an Insurance Policy Near You: Cybersecurity Data Breach Exclusions, K&L GATES LLP (May 1, 2014), http://www.klgates.com/coming-this-spring-to-an-insurance-policy-near-you-cybersecurity-data-breach-exclusions-05-01-2014/.
(9.) PONEMON INSTITUTE, 2014 COST OF DATA BREACH STUDY: GLOBAL ANALYSIS 8 (2014) (surveying 314 companies representing ten different countries that attributed only 42% of data breaches in 2013 to hacking).
(10.) See id. (finding that 42% of breaches were caused by criminal or malicious conduct (e.g., hacking), 29% by IT systems glitches or process failures (e.g., software errors), and 30% by human error (e.g., an employee losing a company phone containing protected data)).
(11.) See id. at 1-2 (listing the United States as the country with the highest cost of the ten countries studied).
(12.) FORTINET, INCIDENT SUMMARY: TARGET CORP DATA BREACH 2 (2014), http://www.fortinet.com/sites/default/files/whitepapers/Target-Data-Breach-wp-5-2014.pdf.
(13.) See Kathleen Caulderwood, Retail Security Breaches 2014: Home Depot, Target Should Have Stronger Countermeasures, Experts Say, INT'L BUS. TIMES (Sept. 9, 2014, 4:46 PM), http://www.ibtimes.com/retail-security-breaches-2014-home-depot-target-should-have-stronger-countermeasures-1683362 (characterizing hackers' targeting of business data as "the new normal").
(14.) Id.; see also Breach Database: Top Data Breaches, BREACH LEVEL INDEX, http://www.breachlevelindex.com/index.html?utm_source=bli-pr-20141112&utm_medium=pressrelease&utm_campaign=breach-level-index#sthash.KlWByIWq.dpbs (last visited Oct. 16, 2015) (displaying data index showing that both the incidence and severity of data breaches is increasing).
(15.) Sarah Halzack, Home Depot and JPMorgan Are Doing Fine. Is It a Sign We're Numb To Data Breaches?, WASH. POST (Oct. 6, 2014), http://www.washingtonpost.com/news/get-there/wp/2014/10/06/home-depot-and-jpmorgan-are-doing-fine-is-it-a-sign-were-numb-to-data-breaches/; Anna Wilde Mathews & Danny Yadron, Health Insurer Anthem Hit by Hackers, WALL STREET J. (Feb. 4, 2015, 9:39 PM), http://www.wsj.com/articles/health-insurer-anthem-hit-by-hackers-1423103720.
(16.) INSTITUTE FOR LEGAL REFORM, THE NEW LAWSUIT ECOSYSTEM: TRENDS, TARGETS AND PLAYERS 101 (Oct. 2013), http://www.instituteforlegalreform.com/uploads/sites/1/The_New_Lawsuit_Ecosystem_pages_web.pdf.
(17.) Anderson, supra note 8.
(18.) INSTITUTE FOR LEGAL REFORM, supra note 16, at 102.
(19.) See Jonathan Randles, Home Depot Breach Suit Shows Plaintiffs Firms' Jockeying, LAW360 (Sept. 5, 2014, 8:23 PM), http://www.law360.com/articles/574262/home-depot-breach-suit-shows-plaintiffs-firms-jockeying (describing suit filed on behalf of two customers by three plaintiffs' firms before the company had officially announced that a breach occurred).
(21.) Randy J. Maniloff, Measuring the Bull's-Eye on Target's Back: Lessons from the T.J. Maxx Data Breach Class Actions, WHITE & WILLIAMS LLP (Jan. 15, 2014), http://www.whiteandwilliams.com/resources-alerts-The-Bull-s-Eye-On-Targets-Back-Lessons-From-The-TJ-Maxx-Data-Breach-Class-Actions.html.
(23.) See INSTITUTE FOR LEGAL REFORM, supra note 16, at 102 (discussing how "no centralized or comprehensive set of laws" applies to data privacy, forcing plaintiffs to fit claims under a variety of different laws and causes of action).
(24.) Id.; see also Andrea M. Matwyshyn, Data Devolution: Corporate Information Security, Consumers, and the Future of Regulation, 84 CHI. KENT L. REV. 713, 715 (2010) (characterizing current status quo of data privacy regulations as a "patchwork").
(25.) INSTITUTE FOR LEGAL REFORM, supra note 16, at 102. To illustrate the "sectoral approach," one must look to the Health Insurance Portability and Accountability Act (HIPAA) concerning health data, while the Gramm-Leach-Bliley Act regulates financial data. Thus, if a victim suffers a breach of multiple kinds of data they must look to many different laws to piece together their cause of action. Matwyshyn, supra note 24, at 715-16.
(26.) INSTITUTE FOR LEGAL REFORM, supra note 16, at 102-03.
(27.) Id. at 103; see also Andrea Peterson, How a Failed Supreme Court Bid Is Still Causing Headaches for Hulu and Netflix, WASH. POST (Dec. 27, 2013), http://www.washingtonpost.com/blogs/the-switch/wp/2013/12/27/how-a-failed-supreme-court-bid-is-still-causing-headaches-for-hulu-and-netflix/ (describing that Congress proposed VPPA after Supreme Court nominee Robert Bork's video rental history was released by a journalist who patronized the same store).
(28.) INSTITUTE FOR LEGAL REFORM, supra note 16, at 103.
(31.) See id. at 105 (discussing federal statutes containing damages provisions such as Electronic Communications Privacy Act (ECPA), a potent weapon for plaintiffs in data privacy class actions).
(32.) See 2014 Security Breach Legislation, NAT'L CONF. ST. LEGISLATURES (Dec. 23, 2014), http://www.ncsl.org/research/telecommunications-and-information-technology/2014-security-breach-legislation.aspx (noting Alabama, New Mexico, and South Dakota are the only three states that have not yet passed legislation governing personal data privacy).
(33.) See INSTITUTE FOR LEGAL REFORM, supra note 16, at 103 (describing a tactic deployed against tech companies like Netflix and Hulu).
(35.) Id. at 105. This phenomenon is based on the premise that while class members have all had their data "exposed" by a breach, generally only a small number experience actual fraud or theft on their accounts that would constitute an "injury in-fact."
(36.) Timothy H. Madden, Data Breach Class Action Litigation--A Tough Road for Plaintiffs, 55 BOS. BAR J. 27, 29-30 (Fall 2011) ("Where, as is the case in the vast majority of data breach class actions, the plaintiff merely alleges an increased risk of harm in the form of future fraud or identity theft, but no actual, present harm, courts have frequently held that such plaintiffs lack Article III standing.").
(37.) See Thomas J. Cunningham et al., Settlement Trends in Data Breach Litigation, FINANCIER WORLDWIDE (Aug. 2014), http://www.financierworldwide.com/settlement-trends-in-data-breach-litigation/#.VDcppSgYJUQ (exploring settlement and proving injury in data litigation).
(38.) See generally Jack Morgan, Clapper v. Amnesty International and Data Privacy Litigation: Is a Change to the Law "Certainly Impending"?, 21 RICH. J.L. & TECH. 3 (2014), http://jolt.richmond.edu/index.php/clapper-v-amnesty-international-and-data-privacy-litigation-is-a-change-to-the-law-certainly-impending/ (discussing application of "certainly impending" injury requirement as applied to data privacy cases).
(39.) INSTITUTE FOR LEGAL REFORM, supra note 16, at 105.
(40.) Id. (citing Reilly v. Ceridian Corp., 664 F.3d 38, 43 (3d Cir. 2011); Katz v. Pershing, LLC, 672 F.3d 64, 78 (1st Cir. 2012)).
(41.) Kevin McGinty, Consumer Claims Survive Motion to Dismiss in Target Data Breach Class Action, MINTZ LEVIN (Dec. 29, 2014), http://www.privacyandsecuritymatters.com/2014/12/consumer-claims-survive-motion-to-dismiss-in-target-data-breach-class-action/.
(42.) Andrew M. Harris, Target Hacking-Case Judge Disputes Claim Nobody Was Hurt, BLOOMBERG BUS. (Dec. 11, 2014, 12:20 PM), http://www.bloomberg.com/news/articles/2014-12-11/target-hacking-case-judge-disputes-claim-nobody-was-hurt?cmpid=yhoo.
(43.) Cunningham et al., supra note 37.
(47.) Maniloff, supra note 21.
(50.) See id. (noting the low acceptance of credit-reporting monitoring service could have been due to the slow litigation process, since by the time settlement finalized, the greatest risk of identity theft had already passed).
(52.) See Ross Kerber, Cost of Data Breach at TJX Soars to $256m, BOS. GLOBE (Aug. 15, 2007), http://www.boston.com/business/articles/2007/08/15/cost_of_data_breach_at_tjx_soars_to_256m/?page=full (explaining that the $256 million dollar figure covers not only litigation costs, but also the costs of the company's internal investigations and systems repair).
(53.) See Halzack, supra note 15 (discussing how, of the 53 million people whose credit or debit card information has been compromised by the breach, only a small percentage will fall into the hands of criminals who then make purchases with the information).
(54.) See id. (noting that FTC regulations protect consumers from fraudulent charges on credit cards and many banks generally have policies that do so for debit cards).
(55.) Supra Section II.B.
(56.) See, e.g., Halzack, supra note 15 (characterizing the phenomenon as consumer "data breach fatigue").
(59.) Sarah Halzack, Target's Biggest Challenge Isn't Bouncing Back from the Data Breach, WASH. POST (Aug. 20, 2014), http://www.washingtonpost.com/news/business/wp/2014/08/20/targets-biggest-challenge-isnt-bouncing-back-from-the-data-breach/.
(60.) See INSTITUTE FOR LEGAL REFORM, supra note 16, at 107 (stating how in cy pres awards, "settling defendants make a payout--often in the millions of dollars--to non-profit activists and research groups that may have an interest in the issues underlying the litigation").
(63.) See Allison Grande, Google's $8.5 Million Privacy Deal Cracks Puzzling Injury Issues, LAW360 (Aug. 26, 2013, 9:43 PM), http://www.law360.com/articles/467370/google-s-8-5m-privacy-deal-cracks-puzzling-injury-issues (discussing Google's $8.5 million dollar cy pres settlement and explaining that some have criticized it for failing to provide money damages to consumers).
(66.) Michael A. Perino, Did the Private Securities Litigation Reform Act Work?, 2003 U. ILL. L. REV. 913, 913-14 (2003).
(67.) See MARTIN D. CHITWOOD ET AL., CHITWOOD & HARDLEY, PRIVATE SECURITIES LITIGATION REFORM ACT OF 1995 (2001 UPDATE) 4 (Nov. 9, 2001), http://www.chitwoodlaw.com/downloads/CLE_Paper_PSLRA_2001.pdf (characterizing this era from the 1980s into the 1990s, when over 9000 new public corporations formed in the then-novel and highly volatile technology sector, as marred by tremendous pressure to produce positive earnings increases, leading to a higher incidence of fraud).
(68.) Perino, supra note 66, at 915.
(69.) See id. ("Congress wanted to reduce litigation risk for high technology issuers, which it found were disproportionately targeted in securities class actions.").
(70.) Id. at 920.
(71.) Id. at 915.
(72.) See id. at 916-17 (stating the act had to overcome a veto from then-President Bill Clinton and has since been challenged for its efficacy in the wake of major securities frauds, like Enron, that followed in recent years).
(73.) Perino, supra note 66, at 916-17.
(74.) See 141 CONG. REC. S9320-01 (daily ed. June 28, 1995) (Senator Chris Dodd characterizing the former system as one "that works for no one--save plaintiffs' attorneys").
(77.) See Perino, supra note 66, at 919 n.25 (explaining that this system allows for agents to act in their own self-interest rather than in the interest of the principal, an agency cost known as "opportunism").
(78.) See Elliot J. Weiss & John S. Beckerman, Let the Money Do the Monitoring: How Institutional Investors Can Reduce Agency Costs In Securities Class Actions, 104 YALE L.J. 2053, 2058 (1995) (describing deterrent function of securities class actions as support of the SEC's traditional enforcement activity).
(79.) 141 CONG. REC. S9320-01 (daily ed. June 28, 1995).
(80.) Joshua D. Fulop, Agency Costs and The Strike Suit: Reducing Frivolous Litigation Through The Empowerment of Shareholders, 7 J. BUS. & SEC. L. 213, 213 (2007).
(81.) Id. at 215; Weiss & Beckerman, supra note 78, at 2086.
(82.) See Weiss & Beckerman, supra note 78, at 2085 (illustrating one study that found that 40% of all securities suits were settled for less than the cost of trying the case to verdict).
(83.) Id.; see also Perino, supra note 66, at 913-14 (describing Congress' attempt to curb the filing of securities class actions filed contemporaneously with stock price changes, "apparently with little prefiling investigation").
(84.) See Weiss & Beckerman, supra note 78, at 2059-60 (describing how many individual plaintiffs sought to recoup relatively nominal damages from a class action while their attorneys could potentially be awarded substantial fees).
(85.) Perino, supra note 66, at 918.
(86.) Id. at 919.
(87.) See id. (recognizing, however, that this assumption excludes institutional investors, who often had significant losses in these classes, a fact that Congress recognized and attempted to use in the PSLRA).
(88.) See Weiss & Beckerman, supra note 78, at 2074-76 (citing three examples from three different jurisdictions where the settlement included a provision stating that if the class member claimed an amount greater than an agreed upon "ceiling," the defendants would be entitled to serve notice of a challenge on the claimant, at which point the claimant would either request a hearing and be responsible for their own costs and fees, or have their claim denied, essentially to coerce claimants to reduce the value of their meritorious claims).
(89.) Perino, supra note 66, at 919.
(91.) See id. at 919-20 ("Under these circumstances, the attorney was left with largely unfettered discretion in deciding what cases to bring, how to prosecute those cases, and how to settle them.").
(92.) See Weiss & Beckerman, supra note 78, at 2060 (citing three cases as examples, one where a named plaintiff did not know he was the named plaintiff and thought he could recover $100,000 when his stock fell less than $1000, and three others where plaintiffs were unfamiliar with the basic elements of their claims).
(93.) Bruce Angiolillo, Can Congress Legislate Litigation?, 32 LITIG. 1, 23 (Fall 2005) (citing Neil Weinberg & Daniel Fisher, The Class Action Industrial Complex, FORBES (Sept. 20, 2004, 12:00 AM), http://www.forbes.com/forbes/2004/0920/150.html).
(94.) Robert Goff, Follow-Through, FORBES (Nov. 17, 1997, 12:00 AM), http://www.forbes.com/forbes/1997/1117/6011014a.html.
(95.) Angiolillo, supra note 93, at 23 (citing 15 U.S.C. [section] 78u-4(a)(3)(B)(iii)(I)(bb) (2014)).
(96.) Perino, supra note 66, at 923-25.
(99.) See Angiolillo, supra note 93, at 24 (noting that some of the largest "institutional investors" are actually municipal or state pension funds, often possessing their own political agendas).
(100.) See Fulop, supra note 80, at 222 (citing data suggesting that, as of 2001, only 5-10% of securities litigations involved institutional investors).
(101.) See id. at 223 (highlighting that institutional investors--such as banks, mutual funds, and insurance companies--all potentially interact with the typical defendant companies in other commercial arenas, and thus, may be hesitant to pursue them aggressively in such litigation).
(104.) See Angiolillo, supra note 93, at 23 (stating that the notice pleading standard "gave plaintiffs nearly immediate access to discovery upon filing their case. As a result, a threadbare complaint, standing alone, could suffice to permit trolling through a corporation's internal files in search of a fraud.").
(105.) Perino, supra note 66, at 925 (citing 15 U.S.C. [section] 78u-4(b)(1) (2014)).
(106.) Id. at 928-29 (citing 15 U.S.C. [section][section] 77z-1(b), 78u-4(b)(3)(B) (2014)).
(107.) Angiolillo, supra note 93, at 23.
(108.) Perino, supra note 66, at 913.
(109.) See id. at 930 (The PSLRA actually produced an increase in the number of lawsuits in subsequent years, but deviations from year to year make such variation statistically insignificant. One potential explanation is the behavior of the market itself is a more significant factor in determining the amount of securities class actions.).
(110.) Id. at 962-65.
(111.) Id. at 965-67.
(112.) Id. at 965-69.
(113.) Perino, supra note 66, at 965-69. The author suggests that this phenomenon could be reflective of plaintiffs' lawyers choosing to only file the most flagrant fraud claims. However, since the overall change in number of post-PSLRA securities fraud filings is statistically insignificant, this analysis suggests, without explanation, that the incidence of flagrant securities fraud has increased since Congress enacted the PSLRA.
(114.) Id. at 966.
(115.) Id. at 955.
(116.) Angiolillo, supra note 93, at 24.
(117.) See Perino, supra note 66, at 941 (arguing although the "evidence suggests the possibility of an increase in post-PSLRA settlements ... that does not mean that the PSLRA caused an increase in settlement size").
(118.) See id. at 956 (showing a geographic shift away from the Ninth Circuit correlating to that court's strict interpretation of the PSLRA's heightened pleading requirement in In Re Silicon Graphics Inc. Sec. Litig., 183 F.3d 970 (9th Cir. 1999)).
(119.) See Perino, supra note 66, at 914 (describing that President Clinton vetoed the Act due in part to the inclusion of the heightened pleading standard).
(120.) 15 U.S.C. [section] 78u-4(b)(1) (2014).
(121.) Id. [section] 78u-4(b)(2)(A).
(122.) 141 CONG. REC. H15,215 (daily ed. Dec. 20, 1995) (statement of Pres. Clinton).
(123.) Perino, supra note 66, at 913 (emphasis removed).
(124.) See id. (describing the Act's failure to achieve its intended goals related to delaying filing times and decreasing the amount of claims filed).
(125.) Id. at 954.
(126.) Erin Brady, Determining the Proper Pleading Standard Under the Private Securities Litigation Reform Act of 1995 After In re Silicon Graphics, 28 PEPP. L. REV. 471, 473 (2001).
(127.) In re Silicon Graphics Inc. Sec. Litig., 183 F.3d 970, 974 (9th Cir. 1999).
(128.) Perino, supra note 66, at 917.
(129.) Id. at 916.
(130.) See id. at 950-54 (concluding that "the Silicon Graphics standard may have improved case quality without excessively inhibiting plaintiffs' attorneys from bringing legitimate cases," an ideal solution to this problem).
(132.) See, e.g., Cunningham et al., supra note 37 (suggesting that many companies face increased pressure to settle simply to avoid a public relations disaster that could arise from an ongoing trial).
(133.) Maniloff, supra note 21.
(134.) See supra Section II.C (discussing a settlement where class members received a nominal fee (coupon) while their counsel received $6.5 million).
(135.) Maniloff, supra note 21.
(136.) See Halzack, supra note 15 (coining the phrase "data breach fatigue" to reference many consumers' apparent disinterest in data privacy breaches).
(137.) INSTITUTE FOR LEGAL REFORM, supra note 16, at 102 ("These days, plaintiffs' lawyers troll news reports and public records, sometimes filing class actions within 24 hours of a data breach.").
(138.) See Randles, supra note 19 (describing a suit filed on behalf of two customers by three plaintiffs' firms before the company had officially announced that a breach occurred).
(139.) See Maniloff, supra note 21 (quoting Massachusetts Federal Judge William Young, who oversaw the major data breach case involving retail chain T.J. Maxx, stating, "there are surely plaintiffs' lawyers who bring putative class action lawsuits without merit, assuming, correctly, that in many cases the defendant will settle the case to avoid a small probability of a substantial judgment").
(140.) 141 CONG. REC. S9320-01 (daily ed. June 28, 1995).
(141.) INSTITUTE FOR LEGAL REFORM, supra note 16, at 102.
(143.) See Harris, supra note 42 (discussing Judge Magnuson's sentiment that the precedent on the "injury" requirement may not sufficiently protect data breach plaintiffs).
(144.) Anderson, supra note 8.
(145.) See id. (discussing how even the most robust security systems can and will fail, creating legal liability).
(146.) See Perino, supra note 66, at 950 (discussing data suggesting that the Ninth Circuit's application of PSLRA pleading requirement appears to have increased overall quality while not being overly restrictive towards meritorious claims).
(148.) THE WHITE HOUSE, CONSUMER DATA PRIVACY IN A NETWORKED WORLD: A FRAMEWORK FOR PROTECTING PRIVACY AND PROMOTING INNOVATION IN THE GLOBAL DIGITAL ECONOMY (Feb. 2012), http://www.whitehouse.gov/sites/default/files/privacy-final.pdf.
(149.) See Kenneth Corbin, White House Calls for Big Data and Cloud Privacy Overhaul, CIO (May 2, 2014), http://www.cio.com/article/2376602/government/white-house-calls-for-big-data-and-cloud-privacy-overhaul.html (describing the report as calling for a national data privacy law to replace the current "patchwork," and an overhaul of archaic privacy statutes to more accurately reflect and apply to modern technologies).
(150.) Omer Tene, Privacy Law's Midlife Crisis: A Critical Assessment of the Second Wave of Global Privacy Laws, 74 OHIO ST. L.J. 1217, 1236 (2013).
(151.) See Brady, supra note 126, at 474 (discussing the increased likelihood of plaintiffs' claims surviving a motion to dismiss with a higher standard).
(152.) Supra Section II.C.
Author: Foresman, Adam R.
Publication: The Journal of Corporation Law
Date: Sep 22, 2015