17 October 2018
A global snapshot of data breach class actions
While we are yet to see a successful data breach class action in Australia, data breach class actions have become all too real for many major companies overseas. This article takes a look at some of the most high-profile data breach class actions that have occurred in other jurisdictions, to examine how the cases were framed and the various ways these claims have played out.
- Different class actions, similar outcome. Recent times have seen several high profile data breach class actions brought against major companies in other jurisdictions like the US and Canada. Although each class action was brought in different circumstances – with varied causes of action and by different classes of affected individuals – the outcome has typically involved a large settlement at considerable financial cost and reputational damage for the company.
- After Target suffered a cyberattack that compromised the credit and debit card information of 40 million customers, it faced a raft of class actions from three key stakeholder groups – consumers (in negligence, breach of contract and unjust enrichment, among others), financial institutions (in negligence) and shareholders (for breach of fiduciary duty). The consumer and financial institution actions were resolved by settlements of US$10 million and US$39.4 million respectively, while the shareholder suit was dismissed.
- Yahoo suffered three data breaches between 2013 and 2016, which it revealed to the public in late 2016. It subsequently faced claims from consumers and shareholders under a number of specific US statutes, and settled the claims for a combined sum of $127 million.
- A Canadian consumer class action against Home Depot in the aftermath of its 2014 data breach, which pleaded various causes of action (including breach of confidence, breach of privacy, breach of fiduciary duty, breach of contract, negligent misrepresentation and negligence), resulted in Home Depot establishing a settlement fund of $13 million. Wendy's, AvMed and Anthem have also settled data breach class actions in the US within the past decade.
- These cases are not a reliable indicator of which claims would succeed in Australia. Given that most of the class actions settled before reaching open court, it is difficult to ascertain which of the many claims that the plaintiffs brought would have been successful in court. Moreover, these class actions were brought in foreign countries with laws that are in many respects more favourable to class action plaintiffs than Australian law. In a recent example close to home, a class action against the NSW Ambulance Service has been brought on the basis of alleged breach of confidence, breach of the tort of invasion of privacy, breach of contract and misleading and deceptive conduct. While this case remains on foot, it will be interesting to see which (if any) of these claims succeed in an Australian context. For more information, see our article Where are all the data breach class actions in Australia?.
- Settlements are not always lucrative for individuals. Despite settlement sums being substantial, affected individuals often receive a minimal sum once the settlement is divided amongst group members.
- Settlement often requires more than financial compensation. It may require the affected company to provide remedial services at no cost (eg identity/credit monitoring or fraud resolution services) or to undertake to implement upgrades to IT systems or tighter data-security policies and procedures.
Target
More than 140 lawsuits (including several class actions) were filed against Target following a cyber-attack in which hackers stole credit and debit card information for 40 million Target customers,[1] as well as home and email addresses for an additional 70 million customers. The courts grouped these lawsuits into three categories – consumers, financial institutions and shareholders. For a more detailed summary of this case, see Spotlight: Cyber breach at Target.
Consumer class action
- The claim: Consumers accused Target of negligence in its handling of customer data, violation of state consumer laws and state data breach laws, breach of contract, breach of duty of care in relation to the failure to adequately protect customers' data, and unjust enrichment because part of the money paid for goods and services should have been, but was not, used by Target to provide adequate safeguards and security measures.
- The outcome: Following consolidation of the consumer class actions, Target set up a US$10 million consumer fund through which affected consumers with documented losses could receive reimbursement of up to US$10,000 each. Target also agreed to pay legal fees and the costs of administering the settlement. Between November 2015 and May 2017 more than 225,000 individuals submitted claims for reimbursement under the settlement.[2]
Financial institution class action
- The claim: Financial institutions (making up 29 of the more than 140 claims) sought reimbursement from Target for costs arising from the breach, claiming that Target was negligent because its data security was insufficient and it had failed to implement or adhere to federal requirements governing the processing of credit card payments. It was alleged that at least 40 million credit cards were compromised.
- The outcome: Target agreed to pay US$39.4 million to resolve the claims brought by the banks, and separately settled with Visa for US$67 million and with MasterCard for US$39 million.
Shareholder class action
- The claim: Target shareholders filed several derivative lawsuits (which were later consolidated) against Target's board, alleging that the directors had breached their fiduciary duties by failing to take sufficient steps to protect the company from a breach.
- The outcome: Ultimately, this claim proved to be unsuccessful and the case was dismissed on 7 July 2016.
Much like the plaintiffs in the Target class action, we expect that plaintiffs in Australia will seek to launch multiple claims in the hope that at least one is successful. Unfortunately, the fact that the majority of the Target claims have settled makes it difficult to determine which of the many claims would have succeeded at trial.
Yahoo
A series of ongoing lawsuits has followed three data breaches which occurred between 2013 and 2016 but were not revealed to the public until late 2016.
- The first breach occurred in 2013, when hackers gained access to Yahoo accounts and stole users' login details, country codes, dates of birth, phone numbers and post codes. Yahoo did not disclose this breach until 2016, when it announced that the accounts of 1 billion users had been affected. However, in October 2017, Yahoo announced that the 2013 breach had actually affected every user account – approximately three billion users.
- The second breach occurred in late 2014, when a handful of high-level Yahoo employees fell for a targeted phishing email. Some 500 million Yahoo user accounts were breached, and email addresses, dates of birth and (hashed) passwords were disclosed. In 2016 it was reported that the stolen data had been purchased on the dark web by three separate buyers for around $300,000 apiece.[3]
- The third breach occurred sometime between 2015 and 2016, when hackers used forged authentication cookies to access Yahoo users' accounts. Because the forged cookie stood in for a valid login session, the hackers were able to access Yahoo accounts for long periods of time without ever needing a password.
While the class actions brought against Yahoo focused on these three breaches, it is worth noting that previous breaches (one as early as 2003) formed part of the evidence in the consumer class action, on the basis that Yahoo should have been put on notice of the need to enhance its data security, well before these attacks occurred.
Shareholder class action
Yahoo shareholders brought a class action under the Securities Exchange Act of 1934 alleging that Yahoo had made false and misleading statements regarding the company's business, operational and compliance policies. The case centred on a drop in the company's share price, and the impact that this had on the value of Yahoo's sale to Verizon.[4] For more on its settlement with the SEC, see Yahoo continues to pay the price for its 2014 data breach.
- The claim: These data breaches, and the delay in their disclosure, proved to be particularly problematic for Yahoo in light of its pending sale to Verizon Communications. Following Yahoo's announcement of the data breach on 22 September 2016, Yahoo's share price began to fall rapidly (initially falling 3.06%, and then a further 6.11% in December).
- The outcome: In April 2018, the class action settled for $80 million.[5]
Consumer class actions
In addition to making claims under specific US statutes, the different jurisdictional and user groups have made claims for breach of express contract, breach of implied contract, breach of the implied covenant of good faith and fair dealing, fraudulent inducement and negligence.[6]
- The claims: The main consumer class action faced by Yahoo in the US grouped together affected individuals from a number of jurisdictions (US, Israel, Australia and Venezuela) and also involved a separate class for small businesses that held Yahoo accounts.
- The outcome: In March 2018, Yahoo sought to have the class action dismissed.[7] The company was unsuccessful in shrugging off most of the claims, and instead opted for settlement. On 17 September 2018, Altaba, the entity that remained after Verizon acquired Yahoo's operating business, announced that it had agreed to settle the consumer class action for $47 million.[8] A motion for preliminary approval of the settlement is expected on 22 October 2018.[9]
Home Depot
In 2014, Home Depot suffered a high-profile data breach in which attackers used stolen third-party vendor credentials to gain access to its network and then deployed malware on its self-checkout point-of-sale systems, exposing over 50 million debit and credit card details. The breach led to 44 lawsuits across the US and Canada.
Consumer class action
- The claims: Of particular note was a class action brought in Canada on the basis of negligence, breach of confidence, breach of privacy, breach of fiduciary duty, breach of contract and negligent misrepresentation.[10] In this case, it was argued that there were three heads of damage to consumers from the credit card breach: (i) the risk of a fraudulent charge; (ii) the risk of identity theft; and (iii) the inconvenience of monitoring credit card statements for potential fraud. Interestingly, despite a lack of evidence that any class member had actually suffered a fraudulent charge, a substantial settlement was reached by the parties and approved by the court.
- The outcome: A $13 million settlement fund was established to compensate affected individuals for documented losses as well as time spent remedying issues relating to the breach (up to $5,000). Home Depot also provided affected individuals with access to free identity monitoring services for 18 months.
Wendy's
Between October 2015 and June 2016 Wendy's suffered a data breach in which compromised third-party credentials were used to access the company's point-of-sale systems. More than 1,000 locations were affected, and the payment card data of an unknown number of customers was accessed, including each customer's name, account number, expiration date, PIN code and card-verification number. The breach was discovered and reported in January 2016, when Wendy's noticed unusual activity at its restaurant locations. At that stage, Wendy's reported that the breach affected fewer than 300 restaurants. However, by 9 June 2016, once further investigations had been undertaken, Wendy's issued a press release[11] disclosing that its earlier representations about the limited scope of the data breach were not complete, and that the breach had continued for a further six months after its discovery in January 2016. In 2016, Wendy's was subject to a class action brought by affected customers, as well as a shareholders' derivative class action brought against current and former directors and executive officers.
Consumer class action
- The claim: Wendy's customers filed a class action alleging that Wendy's failed to use proper data security to protect customers' payment card data, and failed to provide notice that the credit card information had been compromised. The class action alleged breach of implied contract, breach of consumer protection laws and negligence.
- The outcome: In July 2016, the class action was dismissed, on the basis that the claims alleged were 'highly speculative'. In 2017, the plaintiffs filed a second amended complaint, and moved for certification of a nationwide class of customers, broadening the potential number of affected individuals who could join the consumer class action. Following this, the parties entered into mediation, ultimately reaching a settlement agreement in May 2018.
Shareholder derivative class actions
- The claim: The claim was brought against certain members of Wendy's board and particular executive officers on the basis of alleged breaches of state privacy laws and breach of fiduciary duty.[12]
- The outcome: A further derivative action was brought, and the two actions were consolidated. Upon consolidation, settlement discussions commenced, and on 6 May 2018 preliminary approval of the settlement was sought. The settlement specifies[13] that Wendy's must introduce a board-level Technology Committee, engage additional security services and implement additional processes, policies and procedures. Further, Wendy's D&O insurer agreed to pay $950,000 as an award of attorneys' fees and reimbursement of expenses to the shareholders' counsel.
AvMed
In 2009, two unencrypted laptops owned by health insurance provider AvMed were stolen, and the names, social security numbers, addresses and phone numbers of more than one million customers were compromised.
- The claims: A claim was brought on the basis of negligence, breach of contract and unjust enrichment, for the company's failure to properly protect the data.
- The outcome: In 2014, the parties reached a $3 million settlement.
This was a particularly interesting case, as even individuals who were unable to prove loss were able to claim damages. Even where an individual had not been the victim of identity theft, the matter was pleaded on the basis that AvMed had been unjustly enriched by receiving insurance premiums in exchange for insufficient measures to protect that individual's data. While AvMed attempted to have this claim struck out, the Eleventh Circuit ultimately concluded that the plaintiffs had a viable unjust enrichment claim, reasoning that part of the monthly premiums paid by customers should have been used by AvMed to cover the costs of adequate data security, which the company failed to do.[14]
Anthem
In February 2015, Anthem disclosed that hackers had accessed health insurance records during a data security breach that occurred sometime between December 2014 and February 2015. This resulted in the theft of personally identifiable information and personal health information of around 80 million current and former health insurance plan members.
Consumer class action
- The claim: A class action, consolidating claims across a number of US states, was brought by affected individuals claiming that Anthem failed to take security precautions to protect their data. The class action claimed negligence, unjust enrichment, breach of statute (consumer protection, medical privacy, insurance privacy and data breach notification statutes) and breach of contract.[15]
- The outcome: A US$115 million settlement agreement was approved by a federal judge in California on 20 August 2018.[16] Most of the settlement fund will be used to pay for two more years of credit monitoring and fraud resolution services for affected individuals. In addition, as part of the settlement, Anthem is required to make changes to its data security systems and policies and to increase its cybersecurity budget.
This case provides an interesting insight into how loss is quantified, and confirms that, despite large settlement sums being reached, affected individuals will often receive minimal recovery once the settlement sum is divided amongst group members. In this instance, District Judge Lucy H. Koh noted that the settlement, representing approximately 14.5% of the class members' total claims, was 'within the range of reasonableness after taking into account the costs and risks of litigation'.
New South Wales Ambulance Service
Between 14 January and 1 February 2013, a contractor of the NSW Ambulance Service accessed, compiled, and sold the medical records of ambulance employees without their knowledge or consent.
Employee class action
A claim has been brought on behalf of all NSW Ambulance employees whose sensitive health and personal information was involved in the incident, against both the Health Administration Corporation and Waqar Malik, a contractor of the NSW Ambulance Service. The class action has been brought on the basis of alleged breach of confidence (in equity), breach of contract, breach of the tort of privacy, and misleading and deceptive conduct. As well as damages for breach of contract and misleading and deceptive conduct, the plaintiffs are claiming losses sustained as a result of psychiatric illness, distress, embarrassment and injury to feelings as a result of the breach. This case provides an interesting insight into how data breach class actions might be pursued in Australia, and we will be watching this case with great interest to see which (if any) of the claims are successful.
[1] See Line Dubé, 'Autopsy of a Data Breach: The Target Case', Harvard Business School Case Study (March 2016) and Suraj Srinivasan, Lynn Paine and Neeraj Goyal, 'Cyber Breach at Target', Harvard Business School Case Study 117-027 (July 2016) for digestible, detailed and well-researched analysis of the Target cyber breach. Both case studies are available through the Harvard Business Review website.
[2] In re: Target Corporation Customer Data Security Breach Litigation, MDL No. 14-MD-2522 (PAM) (United States District Court, District of Minnesota).
[3] Vindu Goel and Nicole Perlroth, 'Hacked Yahoo data is for sale on dark web', Australian Financial Review (16 December 2016).
[4] Class Action Complaint for Violation of the Federal Securities Laws, In re Yahoo! Inc. Securities Litigation, No. 5:17-CV-00373-LHK (United States District Court, Northern District of California), filed 24 January 2017.
[5] Stipulation and Agreement of Settlement, In re Yahoo! Inc. Securities Litigation, No. 5:17-CV-00373-LHK (United States District Court, Northern District of California), filed 2 March 2018.
[6] Note that not all groups have brought the same claims. For example, only small business users have made a claim of fraudulent inducement.
[7] Order Granting in Part and Denying in Part Motion to Dismiss, In re Yahoo! Inc. Securities Litigation, No. 5:17-CV-00373-LHK (United States District Court, Northern District of California), filed 9 March 2018.
[8] Munsif Vengattil, 'Altaba settles cases related to 2014 Yahoo breach for $47 million', Reuters (17 September 2018).
[9] Amanda Bronstad, 'Yahoo Settles Series of Data Breach Consumer Class Actions', The Recorder (21 September 2018).
[10] Lozanski v The Home Depot Inc., 2016 ONSC 5447 (Ontario Superior Court of Justice, 29 August 2016).
[11] The Wendy's Company, 'Updates Related to Investigation of Unusual Payment Card Activity at Wendy's' (Press Release, 9 June 2016).
[12] Verified Shareholder Derivative Complaint, In re: the Wendy's Company Shareholder Derivative Action, No. 1:16-cv-01153-TSB (United States District Court, Southern District of Ohio), filed 16 December 2016.
[14] Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012).
[15] Fourth Consolidated Amended Class Action Complaint, In re Anthem, Inc. Data Breach Litigation, Case No. 15-MD-02617-LHK (United States District Court, Northern District of California), filed 24 February 2017.
[16] Orders Granting Plaintiffs' Motion for Final Approval of Class Action Settlement, In re Anthem, Inc. Data Breach Litigation, Case No. 15-MD-02617-LHK (United States District Court, Northern District of California), filed 15 August 2018.
Other articles in this issue
- Dealing in data: cybersecurity in an M&A context
- Where are all the data breach class actions in Australia?
- Data breaches in the healthcare sector: the reality, the costs and how to prevent them
- Yahoo continues to pay the price for its 2014 data breach
- The hack back: the legality of retaliatory hacking
- Gavin Smith, Partner, Sector Leader, Technology, Media & Telecommunications, Ph: +61 2 9230 4891
- Valeska Bloch, Partner, Ph: +61 2 9230 4030
- Jenny Campbell, Partner, Ph: +61 2 9230 4868
- Michael Park, Partner, Ph: +61 3 9613 8331
- Michael Morris, Partner, Ph: +61 7 3334 3279
- Ian McGill, Partner, Ph: +61 2 9230 4893
- Phil O'Sullivan, Managing Associate, Ph: +61 2 9230 4393
- Elyse Adams, Managing Associate, Ph: +61 3 9613 8534
- David Rountree, Managing Associate, Ph: +61 2 9230 4773
- Emily Cravigan, Senior Associate, Ph: +61 7 3334 3409
- Jamie Griffin, Senior Associate, Ph: +61 3 9613 8631
- Jessica Selby, Managing Associate, Ph: +61 2 9230 4587
- Dominic Anderson, Senior Associate, Ph: +61 2 9230 4099
- William Coote, Senior Associate, Ph: +61 2 9230 4061
- Samantha Naylor Brown, Associate, Ph: +61 2 9230 4458
- Phoebe Boyle, Lawyer, Ph: +61 2 9230 5131