CD: Reflecting on the last 18 months or so, how would you describe recent litigation trends arising from data protection and cyber security issues?

Kopp: As data breaches and the exposure of sensitive consumer information continue to dominate the news cycle, it is clear that companies must seriously examine their own exposure to liability in the unfortunate event of a ‘hack’ or other cyber intrusion. In the last year and a half, we have seen affected companies, already under extreme pressure to mitigate damage to business operations, become the targets of multiple legal proceedings. Not only are companies now on clear notice that they may expect action by federal and state regulators, consumer class action suits, and shareholder derivative suits brought against directors and officers, but companies must also be prepared to defend against these potentially conflicting proceedings simultaneously. A comprehensive legal approach that includes both pre-and post-breach strategies is essential.

Burton: If it were the weather, I would describe the trend as rainy with a small chance of sunshine. Historically, the vast majority of data breach cases have been dismissed because of the plaintiff’s inability to establish legally cognisable harm. While appearing in several forms, the courts’ early reluctance was principally based on the fact that unauthorised access and acquisition of personally identifiable information (PII) does not always result in the misuse of that PII. Plaintiffs have had an extremely difficult time establishing actual use and resultant adverse consequences. Early defences to these suits were based on an asserted failure to state cognisable claims under applicable state laws. Such defences were largely successful. However, recent defences have been premised on attacking plaintiffs lack of standing because of the absence of existing redressable harm. These defences have also been successful, but several courts have been more supportive of these kinds of suit and have developed legal theories which find actionable harm even without evidence of actual identity theft, or other misuse of the PII.

Oct-Dec 2015 issue

Bracewell & Giuliani LLP

Duane Morris LLP

Epstein Becker & Green, P.C.

Herbert Smith Freehills LLP