The law firm of Bryan Cave lists nine factors entities should look at when considering the risk that litigation poses following a breach. They note:
Specifically, unless a plaintiff has been the victim of identity theft or has suffered some other type of concrete injury, most courts have refused to let them proceed based solely on the allegation that they are subject to an increased risk of harm as a result of the breach.
They then go on to list factors to consider in assessing risk:
- Was the quantity of records lost lower, or greater, than the average number of records involved in recent class action lawsuits?
- Were the records lost encrypted, obscured, or de-identified?
- Could the type of information lost be used to commit identity theft?
- Did patients suffer any direct monetary harm?
- Has there been any evidence of actual identity theft?
- Could the data loss hurt the reputation of a patient or cause emotional distress?
- Did you offer credit monitoring, identity theft insurance, and/or credit repair services?
- If so, what percentage of impacted consumers availed themselves of your offer?
- If filed as a class action, is the class representative’s claim of identity theft premised on unique facts?
Unfortunately, the article doesn’t indicate whether their list of factors is ranked in order of importance/predictive value or is just in random order. Looking at their list, I think 3, 4, 5, and 6 may be the most predictive of whether standing would be conferred, but I’ve written to them to ask their opinion, and will update this post if I get a response.
Their article also lists allegations plaintiffs have made that courts have not found sufficient to confer standing and allegations which some courts have found sufficient to confer standing.
Read the article here.
For another perspective on the risks of litigation with reference to specific court opinions, read No harm, no foul? Private and public litigation in cybersecurity law.