WASHINGTON, D.C. (Legal Newsline) – Federal and state regulators, along with plaintiffs’ attorneys, are focusing more and more on the data security practices of companies, a new report says.
The report, authored by attorneys at Winston & Strawn and prepared for the U.S. Chamber Institute for Legal Reform, was the subject of a discussion at the ILR’s 16th annual Legal Reform Summit on Tuesday.
It says the Federal Trade Commission has brought more than 50 enforcement actions in the past 13 years. Companies also face lawsuits brought by state attorneys general, other federal agencies and private class action lawyers.
“I feel like every day new lawsuits come across my desk,” said Liisa Thomas, one of the report’s authors.
“They keep coming and keep coming and don’t stop.”
Former Maryland Attorney General Doug Gansler, now a partner at BuckleySandler, said state attorneys general have taken the lead.
“They are much, much more interested because they are the guardians of the consumer,” he said, adding that there is “less bureaucracy” for the state AGs to deal with.
Other agencies getting involved include the Federal Communications Commission, which recently used its authority under the Communications Act against AT&T following three data breaches that affected 280,000 customers.
The FCC required a $25 million settlement plan from the company.
Private class actions have had mixed success, Thomas said. They face a substantial legal hurdle.
“Having to show actual damages,” Gansler said.
A plaintiff needs to show he or she has suffered actual harm in the wake of a data breach. If the person’s information was not used, that can be difficult, Thomas said.
The report points to a 2013 U.S. Supreme Court decision in which the justices held that an allegation of future harm will establish standing only if the harm is “certainly impending” or there is a “substantial risk” the harm will occur.
But in July, the U.S. Court of Appeals for the Seventh Circuit reinstated a data breach case against Neiman Marcus, finding the risk of harm was enough to establish standing.
The 350,000 affected customers “should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing,” the court ruled.
Legal Newsline is owned by the ILR.
From Legal Newsline: Reach editor John O’Brien at email@example.com.