Monday, October 29, 2012

Data breach victims could get damages from careless firms

PCWorld - How federal courts define the damages people suffer from data breaches is broadening dramatically, leaving unprepared companies at greater risk of big payouts in class-action lawsuits, lawyers from a prominent law firm say.

Until a couple of years ago, courts would routinely dismiss lawsuits stemming from data breaches, such as the latest in South Carolina, unless the victims could show specific damages. Judges have since widened their view and are awarding class-action status to lawsuits that can show actual damages or a real possibility of future damages.

The latter would make companies liable for steps taken to prevent financial harm, such as insurance to cover the costs associated with identity theft.

Jeffrey Vagle, a lawyer with Pepper Hamilton, described as a "sea change" in judges' thinking. "Courts are starting to pick up on the fact that the data that can get out there can cause serious harm, maybe not immediately, but sometime in the near future," Vagle said.

Examples include a case in which a laptop containing unencrypted personal data of Starbucks employees was stolen. While there was no evidence that the data was misused, the Ninth Circuit Court ruled in 2010 that the risk alone was enough to warrant a lawsuit, Vagle and colleague Sharon Klein said in a Client Alert published on the law firm's website.