Written by Martin P.J. Kratz, QC
In today’s world of mandatory breach notification, individuals get prompt notification of an incident that may compromise their personal information. Mandatory breach notification has been part of Alberta’s private sector privacy law since 2010 and becomes part of Canada’s federal private sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), on November 1, 2018.
In Canada, we have seen that class action lawsuits are quickly filed against companies that have been hacked or are the subject of an incident. The pressure to file can be exacerbated by rumours, innuendos and stories that circulate on social media. It is difficult for organizations to respond to social media conversations when it is alleged that they were hacked.
A case that looked at the world of data breach litigation and the difficulty an organization faces in responding to social media commentary is Hutton v. National Board of Examiners in Optometry, Inc., (“NBEO”), 17-1506/1508, 4th Circuit CA, June 12, 2018.
The defendant, NBEO, provides board-certifying exams for optometry students, for which those students share certain personal information, including social security numbers, names, dates of birth, addresses, and credit card information.
The story starts with a breach. Optometrists across the United States noticed that Chase Amazon Visa credit card accounts had been fraudulently opened in their names. Given the kind of information needed to open such credit card accounts, some optometrists believed their personal information had been stolen. The victims discussed the thefts, and various possible sources, among themselves in Facebook groups dedicated to optometrists; ultimately some victims concluded that the source of the breach must be the NBEO.
After becoming aware of these concerns, the NBEO posted that “[a]fter a thorough investigation and extensive discussions with involved parties,” the NBEO had determined that its “information systems [had] NOT been compromised”. A revised post soon followed in which the NBEO advised that it continued to investigate. Three weeks later, a further post followed saying the NBEO’s internal investigation was continuing and that it may take weeks to finish.
Not satisfied with the posts, some victims of the breach brought several class action lawsuits against the NBEO, which were ultimately consolidated, alleging the frustration and effort involved in clearing their credit and addressing the matters with Chase.
In order to succeed, the plaintiffs had to show “(1) they suffered an injury-in-fact that was concrete and particularized and either actual or imminent; (2) there was a causal connection between the injury and the defendant’s conduct (i.e. traceability); and (3) the injury was likely to be redressable by a favorable judicial decision”. The district court dismissed the actions because the plaintiffs had not shown either (a) any “injury-in-fact” because, even if the NBEO had confirmed an actual data breach, the plaintiffs had “incurred no fraudulent charges” and “had not been denied credit or been required to pay a higher interest rate for credit they received”, or (b) any evidence that traced a breach to the NBEO. On the latter point, the district court noted that all the plaintiffs had shown were conversations on Facebook, which the court found merely speculative, and that no basis had been provided to find the NBEO’s denial not credible.
The case was appealed to the Circuit Court of Appeals, which reviewed de novo the district court’s dismissal of the complaint for lack of standing to sue. The Court noted that in a standing to sue analysis, it “is established that a complaint must contain sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face.”
The Court looked at the injury-in-fact and traceability elements required for the suit. It noted that “a mere compromise of personal information, without more, fails to satisfy the injury-in-fact element in the absence of an identity theft,” but in this case, even without actual economic loss, the plaintiffs had shown that credit cards had been opened in their names, that expenses had been incurred to seek credit monitoring and that, in some cases, credit scores were adversely affected. As a result, the Circuit Court found that the plaintiffs had shown the injury-in-fact element.
On the traceability analysis, the Circuit Court noted that specific pleadings had identified plausible evidence, such as allegations of credit cards opened in several plaintiffs’ maiden names that had been given to the NBEO many years earlier, that the NBEO was a plausible source of the plaintiffs’ personal information.
Having found that the standing elements of injury-in-fact and traceability were both sufficiently alleged in the complaints, the Circuit Court found that the district court erred in dismissing the complaints for lack of standing to sue. The Court found, therefore, that such a data breach claim could survive to be assessed at trial without a claim for actual economic loss by the plaintiffs and without direct evidence that a data breach actually occurred.
One lesson from the facts is that the manner in which the NBEO engaged with the Facebook optometrist community, and its continuing posts, may well have been a factor that exasperated the plaintiffs, leading to the lawsuit. In time, we will see if there actually was a breach and if the compromise was connected in any way to the NBEO. Organizations that are the target of rumours of a data breach should consider their communications strategy carefully if they are to avoid being dragged into a lawsuit.