A Q&A with John Yanchunis of Morgan & Morgan
The legal landscape around data loss is rapidly evolving, and with major events such as the Anthem breach changing the game on a daily basis, it can be a challenge to keep up with the courts’ current thinking. I spoke with plaintiff attorney John Yanchunis of Morgan & Morgan about some of the most recent developments he’s observed.
Do you think there will be more traction in the courts for plaintiffs to be able to prove injury for standing and injury for class certification?
Yes, on both fronts. I see a shift in the courts’ recognition of the value of privacy and that standing does not always have to occur with actual damages. If a company undergoes a breach and customers’ financial data is lost, it can be sold on the black market and used any number of ways though that sometimes takes years to percolate and be discovered. Many cases have recognized the threat of future injury when information has been taken. In terms of class certification, it depends on the type of relief offered. Obviously people are entitled to have their information secure and when it’s not, it’s an easy case to certify. There are some challenges with respect to damages but they can be managed depending on the type of certification.
How have the Anthem, Target and Home Depot breaches changed the landscape for plaintiff litigation?
Obviously, all of these cases have brought more interest from consumer class action lawyers. The number of separate class action cases brought against Home Depot (approximately 25) was a drop from the number of cases against Target (approximately 100), but it’s beginning to spike again with Anthem. Consumers are realizing that privacy is extremely important. They may like to share information with friends on Facebook but they don’t want to share everything. Given this heightened level of concern, it will be up to companies to better protect information or they will be faced with the type of litigation these other companies in high-profile cases have seen.
Can we expect to see new areas of plaintiff litigation brought by banks, credit unions and employees and will they be successful?
Yes. Again, I think lawyers have increased the awareness in courts of certain issues and there are always new territories and new claims. One theory we have seen gaining a lot of traction is that there is a “breach of fiduciary duty” depending on the relationship between the bank, credit union, health insurer or hospital and the consumer.
Are there new causes of action where “actual injury” is not necessary for recovery, such as statutory damage claims?
There are states that already have those claims and there’s a current movement in Congress for a national law. We have found as consumer lawyers that passing bills or laws that have statutory damages ensures compliance. An example is the Drivers Protection Privacy Act that came out many years ago to protect driver license and motor vehicle information that provided for statutory damage and up to $2500 per violation. I brought a number of class actions under that law and I was successful in every single one and now the violations of the law have virtually disappeared. If this happened on a state or federal level with banks and credit unions we’d see a tremendous increase in money spent to protect consumers.
Are there any new developments in areas of data loss that don’t involve traditional PII elements but may involve reputationally damaging items such as nude photos or salary information?
We saw something to this effect in the Sony case where the revelation of data from emails could affect the reputation of individuals and it led to the departure of the president of the company. Really, any potentially damaging information that could be stored electronically or on paper can be the basis for a class litigation suit and you’re going to find a sympathetic jury wondering how such information could have been lost.
any potentially damaging information that could be stored electronically or on paper can be the basis for a class litigation suit
A recent case involved a Chinese-owned computer company that was using a certain kind of adware placed on the hard drive of computers. The adware caused some functionality issues and it was also gathering information on the individuals using it. It has since been pulled. In California, lawyers and a psychiatrist sued Google for drawing professionally privileged data from email exchanges. Facebook is engaging in a similar practice. People are going to realize they don’t want that level intrusion in their privacy. There’s not a lot of litigation in that regard to date but we expect to see more. Courts are also becoming much more enlightened about these issues .
What impact might individual data breach class actions coordinated nationally in a multidistrict litigation (MDL) have on such cases?
The greatest effect is that it brings a tremendous amount of talent together, creating an army of lawyers advocating together to advance the interest of their clients. There are instances in which a large number of cases are filed and where it is necessary to consolidate them. I’m in favor of consolidation in those situations. In terms of the effect on defendants, an MDL increases the leverage on the defendant but it can also lessen the cost for the defendant when they only have to fight one case as opposed to multiple cases.
What can companies that have undergone a data breach or loss do differently to avoid or minimize their risk of an extensive breach class action case?
Companies should adopt the best methods of data protection available, including encryption and properly training staff which handles the information, as well as closely monitoring data access internally and externally. When there has been an attempt at a breach, the company should notify consumers immediately—and not wait to do damage control through publicity. If you look at companies such as Target and Home Depot and even Anthem, they have kept people in the dark when they were made aware of a breach and people got angry and turned to plaintiff lawyers to seek redress. The company cannot blame a consumer that files suit when they are not being told what’s going on.
Are there any new court decisions in the data breach area that you regard as significant?
In Canada, the Ontario Court of Appeal recognized the violation of a privacy tort related to medical records—that has not fully gained traction in this country but we are keeping an eye on it. I was involved in the Neiman Marcus data breach and the panel was receptive to reversing the judge’s opinion—they fully understood that the concept of “actual damage” needed to be expanded. Since the Clapper v. Amnesty International decision more courts have expanded their view of damage as well. In Florida I have filed a number of state court data privacy cases, some of which were nationalized when we settled but I had no problem convincing judges of this enlightened view of “actual injury.”
John Yanchunis provides insights from one of the top plaintiffs data breach litigators on the current strategies being used to gain recoveries for victims of a data breach or privacy violation. With the onset of recent larger breaches plaintiffs firms join forces in multi-district litigations and Mr. Yanchunis discusses new ways plaintiffs are gaining traction in courts to prove claims that can survive motions to dismiss and class certification.