Driven by a steady stream of news reports, CPA firms are increasingly concerned that data breaches are growing in both frequency and severity. Given this deluge of information, it is no surprise that partners and shareholders worry about the possibility of a client bringing a lawsuit following a data breach. But is this concern justified?
Although the general assumption is that one can be sued for anything, this is not necessarily true. Before a lawsuit can proceed in a federal court—and most state courts—a plaintiff must first demonstrate standing. As stated by the Supreme Court, “The question of standing is whether the litigant is entitled to have the court decide the merits of the dispute” [Warth v. Seldin, 422 U.S. 490 (1975)].
Establishment of standing comprises three elements. First, the plaintiff must show that an injury occurred. Second, that injury must be traceable to the defendant’s (i.e., a CPA firm’s) unlawful conduct. Third, the injury must be one that the court can redress through the relief requested, usually a monetary award. In legal parlance, a plaintiff must demonstrate injury-in-fact, traceability, and redressability.
These elements are easily understood in common claims against CPA firms. For example, suppose a firm has undeniably miscalculated a tax deduction, costing the client an additional $1 million that is otherwise unrecoverable. Standing would be stated as follows:
- Injury-in-fact: The client suffered an injury of $1 million due to the firm’s negligence.
- Traceability: The firm’s own work papers document the incorrect calculation that led to the overpayment.
- Redressability: The client wants the firm to reimburse the $1 million, plus expenses.
When the same logic is applied to a data breach, however, how can these same principles be demonstrated? What injury could a client face? By now, it is almost certain that the information has been stolen somewhere else. Even if an individual client’s identity is stolen after the firm is breached, how could it be proven to be the firm’s fault? Even if all the above were true, what is the dollar value of, say, a Social Security number?
Injury-in-Fact
U.S. courts have not yet provided a definitive answer on what constitutes an injury-in-fact following a cyberbreach. Some courts find standing based upon the threat of future harm; others reject this idea [Eric C. Surette, Liability of Businesses to Governments and Consumers for Breach of Data Security for Consumers’ Information, 1 A.L.R.7th Art. 2 (2015)].
In Krottner v. Starbucks Corp. [628 F.3d 1139 (9th Cir. 2010)], a laptop was stolen containing the unencrypted names, addresses, and Social Security numbers of roughly 97,000 Starbucks employees. In response, Starbucks told the employees that there was “no indication that the private information has been misused.”
One plaintiff alleged that she “has been extra vigilant about watching her banking and 401(k) accounts” and has spent a “substantial amount of time doing so.” Another argued that he “has spent and continues to spend substantial amounts of time checking his 401(k) and bank accounts” and “has generalized anxiety and stress regarding the situation.” A third plaintiff said that someone attempted to open a bank account in his name, but the bank promptly thwarted those efforts and he was subsequently notified. Nowhere in the pleading did any plaintiff allege that identity theft had occurred. Nevertheless, this was enough to satisfy the court that the increased risk of future identity theft was enough to establish injury-in-fact. Specifically, the court stated, “Plaintiffs-Appellants, whose personal information has been stolen but not misused, have suffered an injury sufficient to confer standing.”
While pleading the mere risk of identity theft may seem sufficient to establish injury-in-fact, not all courts are so easily persuaded. Reilly v. Ceridian Corp. [664 F.3d 38 (3rd Cir. 2011)] provides a useful illustration. Here, a claim was brought by the employees of a law firm after a breach at Ceridian exposed the personal and financial data of approximately 27,000 individuals at 1,900 companies. In response to the breach, Ceridian had sent letters notifying the affected parties and offered one free year of credit monitoring. Later that same year, a lawsuit was filed alleging that the plaintiffs “1) have an increased risk of identity theft, 2) incurred costs to monitor their credit activity, and 3) suffered from emotional distress.”
In this case, the court stated, “We cannot … describe how Appellants will be injured in this case without beginning our explanation with the word ‘if’: if the hacker read, copied, and understood the hacked information, and if the hacker attempts to use the information, and if he does so successfully, only then will Appellants have suffered an injury.” In short, the court held that the mere possibility of identity theft does not constitute an injury-in-fact absent a showing of imminent or actual harm.
CPA firms should recognize that establishing injury-in-fact is a nuanced exercise that depends on both the venue and the unique circumstances of the claim. A firm cannot control its clients’ circumstances, and keeping abreast of every circuit court holding is impractical. Firms are therefore advised to start from the proposition that injury-in-fact will be established if even a single plaintiff alleges fraudulent activity following a breach.
Traceability
The plaintiffs’ alleged injury must also be fairly traceable to the breach suffered by the firm. While this sounds simple, the anonymity of the Internet appears at first to present an insurmountable hurdle to establishing traceability. Once again, however, the law is more nuanced.
In Resnick v. AvMed Inc. [693 F.3d 1317 (11th Cir. 2012)], two laptops containing the personal information of roughly 1.2 million individuals were stolen and subsequently sold to a person known to deal in stolen property. Of note, two of the plaintiffs showed that they had never been victims of identity theft before the incident, but became victims shortly after the breach.
The question before the court was whether these facts could be reasonably linked to the breach suffered by AvMed. As held by the court, “A showing that an injury is ‘fairly traceable’ requires less than a showing of ‘proximate cause.’ Plaintiffs became the victims of identity theft after the unencrypted laptops containing their sensitive information were stolen.” The court reasoned that even though there was no incontestable proof that the identity theft resulted from the breach, there was enough of a rationally discernible link to satisfy the requirement of traceability.
CPA firms should therefore not assume that the absence of direct proof linking a breach to a plaintiff’s losses will defeat traceability. Even an indirect link to the injuries sustained by the plaintiffs may fulfill this requirement. It is also worth noting that in both Krottner and Resnick the stolen laptops held unencrypted personal data, a fact the courts recited in their opinions.
Redressability
Two other common arguments for the impracticality of data breach claims are the related ideas that personal information has no value or that its value cannot be quantified. While these ideas may hold sway in casual conversation, they have no basis in the legal environment. As the cases above show, the barrier to establishing standing usually rests on the two elements already discussed, injury-in-fact and traceability.
When it comes to redressability, plaintiffs must show that a resolution in their favor would compensate their injuries [Friends of the Earth Inc. v. Laidlaw Environmental Services, Inc., 528 U.S. 167 (2000)]. As is well known to those who have experienced a professional liability claim, plaintiffs typically seek redress in the form of monetary damages. This area is no different.
Until a definitive national standard is formed, the ability of plaintiffs to establish standing in a data breach–related case will continue to rest upon circumstances unique to the case, which are well outside the bounds of a CPA firm’s control. While this sounds bleak, there is an additional factor that could provide relief: the economics of such claims.
Data Breach Claims
Most states have specifically excluded any private right of action in their laws relating to data breaches (BakerHostetler, Data Breach Charts, July 2018, http://bit.ly/2GJZRyL). Those that have included such an action often limit the action to questions concerning the notification of, and not the alleged damages from, the breach. This effectively limits the potential award to the point where litigation may not be economically feasible (Paul G. Karlsgodt, “Key Issues in Consumer Data Breach Litigation,” Practical Law, October/November 2014, http://bit.ly/2GVYBrr). In contrast, class-action claims are the preferred method of litigation following a data breach. Many breaches involve residents of multiple states, and class action cases tend to focus more directly on whether a company was at fault for the data breach (Karlsgodt). This broader question allows attorneys to be more creative and expansive with the potential damages they seek.
A survey conducted by the author of 38 known class-action claims resulting from data breaches is encouraging for most CPA firms; the results of this survey are available with the online version of this article at http://www.cpajournal.com. For claims where greater than 200,000 records were exposed, one anomalous defendant had $30 million in revenue, and the rest generated multibillion-dollar annual revenues. In cases where it was alleged that fewer than 200,000 records were exposed, each company—excepting one nonprofit medical organization and one government entity—had annual revenues exceeding $600 million.
At present, the authors were unable to find a single case on file in which the clients of a CPA firm have brought a claim following a data breach. Even the high-profile breach at Deloitte in September 2017 does not appear to have led to any legal action by the clients affected. Deloitte noted in its statement on the incident that “only very few clients were impacted” (Sept. 25, 2017, http://bit.ly/2TaoxWB). Though the exact number of affected clients remains unknown, it was apparently small enough to make a class-action data breach claim unpalatable to those involved. This further supports the idea that a business must have sizeable annual revenues and lose control over vast quantities of records to face a data breach–related class-action claim.
This is not to say that smaller firms will forever be immune to class-action data breach claims. It does, however, point to the current reluctance of plaintiffs’ attorneys to be involved in pursuing legal action against entities if relatively few records have been exposed. Even if plaintiffs’ attorneys are confident in their ability to establish standing, overcome significant legal hurdles, and win the case, the comparatively minor per capita awards make smaller class actions economically unappealing.
In short, the largest CPA firms should consider data breach claims a possibility, however remote and however difficult for a plaintiff to win. For the time being, however, smaller and midsized firms that do not hold vast quantities of personal information can rest a little easier.