Los Angeles Lawyer
The Magazine of the Los Angeles County Bar Association
February 2012 Vol. 34, No. 11
MCLE Article: Into the Breach
Plaintiffs have been increasingly successful in gaining injunctive relief for online security breaches
By Carolyn A. Deverich, Brian R. Strange, and David A. Holop
Carolyn A. Deverich, an associate at Strange & Carpenter, specializes in class action and data breach litigation. Brian R. Strange, the founding partner of Strange & Carpenter, focuses his practice on class action and complex business litigation, with a specialty in Internet privacy and antitrust class actions. He is currently serving on the plaintiffs' steering committee in In re Sony Gaming Networks and Customer Data Security Breach Litigation. David A. Holop, an associate at Strange & Carpenter, specializes in class action litigation.
By reading this article and answering the accompanying test questions, you can earn one MCLE credit. To apply for credit, please follow the instructions on the test.
As our increasingly digital world encompasses everything from banking to birthdays, the personal information available on Web sites and stored in electronic databases continues to grow exponentially. Many of us have the intimate details of our lives stored in online databases, including our addresses, phone numbers, birth dates, Social Security numbers, credit card and bank account information, and Web site user names and passwords. All this data is vulnerable to theft, through means as simple as stealing the hardware on which the data is stored or through complex, remote cyber-theft by sophisticated hackers.
In the past few years, the frequency of data security breaches has skyrocketed. One estimate puts the number of records breached since 2005 at over 500 million.1 Some of the largest security breaches occurred at:
• TJX Company, with an exposure of 45 million customer credit and debit card account numbers.
• TD Ameritrade, involving 6 million files of customer contact information.
• The Gap, unveiling the private information of over 750,000 job applicants.
• Starbucks, revealing the private information of over 97,000 Starbucks employees.
• Citibank, involving the potential exposure of names, account numbers, and contact information for 360,000 credit card customers.
• Sony, with a potential compromise of the confidential account and financial information of 144 million Sony PlayStation, Qriocity, and Sony Online Entertainment Network users, including over 1 million unencrypted credit card numbers.2
When consumers' personal information is breached, they face an immediate and immeasurable injury involving the loss of security, increased risk of identity theft, and potential invasion of privacy. With the loss of security, consumers may suffer emotional distress worrying about lost privacy and identity risks. They may spend money and time to forestall these dangers by purchasing credit monitoring services, monitoring credit and bank accounts, and seeking to cancel current debit and credit cards. They also may lose opportunities due to unavailable credit or a decline in their credit ratings. Businesses, too, suffer enormous losses whenever sensitive and confidential company data has been breached. Damages arising from the exposure of confidential corporate financial and business information can be enormous, not to mention the potential liability that arises when confidential consumer or employee information maintained on a company's system is breached.
Courts have tried to apply traditional damage models in assessing these damages, with mixed results. A number of courts have turned to the economic loss doctrine in analyzing injuries from potential identity theft, finding that plaintiffs are barred from recovery for alleged breach of tort duties when a contractual relationship exists between the plaintiff and the defendant and the losses are purely economic. Other courts are finding that the dangers and risks associated with exposing a plaintiff's private and personal information to hackers may be cause to expand the parameters of online security breach liability. Courts appear increasingly willing to offer at-risk plaintiffs what they really seek--security.
This trend first emerged when courts analyzed the reach of Article III of the U.S. Constitution to cases involving a breach of online security. Federal courts have an independent obligation at the outset of every case to ensure the plaintiff has standing.3 Along with causation and redressability, one of the key elements of standing is injury-in-fact. A plaintiff must show that he or she "has suffered an 'injury in fact' that is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical."4 This requirement is an important issue in data breach cases when the plaintiff alleges harm based on the increased risk of identity theft that arises from the breach.
The courts that have addressed the standing issue are split. Some find the risk of future harm to be enough to meet the injury-in-fact test, while others do not. The Seventh Circuit first recognized standing based on this type of alleged injury in 2007 in Pisciotta v. Old National Bancorp,5 with the Ninth Circuit following suit in 2010 in Krottner v. Starbucks Corporation.6 The courts in both Pisciotta and Krottner found that an act that harms the plaintiff only by increasing the risk of future harm to the plaintiff is enough to confer standing.
The courts reached this result by relying on a line of cases finding injury-in-fact in analogous situations in which the defendant's actions had increased the plaintiff's risk of future harm, including exposure to toxic substances,7 the use of a defective medical implant,8 environmental harms,9 and even an increase in discretion given to an ERISA plan administrator.10 The Ninth Circuit also cited to Doe v. Chao,11 in which the Supreme Court found Article III standing based on the plaintiff's allegation that he "was 'torn...all to pieces' and 'greatly concerned and worried' because of the disclosure of his Social Security number and its potentially 'devastating' consequences."12
However, the Sixth Circuit in Lambert v. Hartman13 was more skeptical of the injury from the increased risk of identity theft, calling it "somewhat 'hypothetical' and 'conjectural.'"14 Some district courts have similarly held they lack subject matter jurisdiction because plaintiffs whose data has been breached, but not yet misused, have not suffered a sufficient injury-in-fact.15 But most of these cases were decided before the trend started by the Seventh Circuit in Pisciotta, and cases decided since have typically found the increased risk of identity theft to be sufficient for standing.16 Yet even assuming the trend to find injury-in-fact continues, plaintiffs will still need to prove the merits of their claims for damages--a completely separate issue from standing.
Claims for injury due to the increased risk of identity theft have included:
• Tort claims, such as negligence and strict liability.
• Contractual claims, such as breach of express or implied contract or warranty.
• Statutory claims, such as state unfair consumer practices acts or privacy acts.
For recovery under any of these claims, plaintiffs generally must suffer actual injury or damage. When consumers have suffered actual identity theft that has led to fraudulent charges or some other present financial harm, courts have generally allowed these claims to go forward to the extent the plaintiff can show actual damage.17 The issue is less clear when plaintiffs have not suffered identity theft but rather face an increased risk of identity theft and the accompanying burden of dealing with this threat.
The classic negligence claim requires proof of harm to the plaintiff: "Negligent conduct in itself is not such an interference with the interests of the world at large that there is any right to complain of it, or to be free from it, except in the case of some individual whose interests have suffered."18 Negligence does not compensate individuals for the general nuisances of life but ordinarily requires proof of some personal injury or property damage.
Some argue that the loss of time and effort expended dealing with a potential security breach (including the need to request new credit and debit cards, monitor accounts for fraudulent charges, and convince banks and credit card companies that any fraudulent charges should be reversed) and the heightened risk of identity theft constitute a nuisance and nothing more. Indeed, some courts examining the issue of damages resulting from the exposure of private and sensitive consumer data have found that when there is no actual theft of identity, mere economic losses caused by the heightened risk of theft are not compensable.19
These courts have attributed their findings to state common law damage requirements and to the oft-misapplied economic loss doctrine.20 While state common law differs from federal law in the definition of the level of necessary harm,21 the general principle expressed by these courts is that the harm suffered by those whose personally identifiable information is compromised may be enough to meet the standing requirement, but the traditional negligence requirements of actual, present, and cognizable injury are not sufficiently present to state a claim.22
Nevertheless, this automatic bar from tort recovery seems inconsistent with other authority. The Restatement (Second) of Torts states that one "whose legally protected interests have been endangered by the tortious conduct of another is entitled to recover for expenditures reasonably made or harm suffered in a reasonable effort to avert the harm threatened."23 The Sixth Circuit has noted that "there is something to be said for...prevention, as opposed to...treatment. Waiting for a plaintiff to suffer physical injury before allowing any redress whatsoever is both overly harsh and economically inefficient."24 At least one court has held that a plaintiff who alleged "that she spent considerable time, as well as money, making long distance calls, contacting the various credit rating agencies in order to get the fraudulent accounts closed and prevent future fraudulent activity under her name" stated a claim,25 though the court did not indicate how her damages were to be calculated.
The fact that a plaintiff has suffered a breach of his or her data security but has not experienced actual identity theft should not bar recovery. Courts have long held that the risk of injury is compensable when there is an adequate remedy for the risk.26 For example, the Southern District of Ohio found in Day v. NLO that when the plaintiffs had been exposed to excessive radiation due to the defendants' negligence, the plaintiffs were entitled to medical monitoring--even though the plaintiffs had not shown any physical harm but were merely at risk from the exposure.27 The court explained:
From a certain perspective this remedy seems to violate the courts['] traditional reluctance to allow recovery for "risk of injury." However, the courts['] concerns over damages which are uncertain, speculative, or conjectural are overcome by the reasonableness of compensation for diagnostic tests in cases where liability has been established. The safeguard against speculative recovery is the reasonableness of the procedures ordered in light of the tortious act.28
Other courts, including some in California, have held the same: At-risk plaintiffs who have been exposed to harm but have not yet exhibited injury may recover the costs of monitoring the potential injury to ensure that if the injury does occur, it will be properly treated.29
This principle fits perfectly within the circumstances of security breaches. Plaintiffs are not exposed to harm in the form of physical injury but instead to harm in the form of the risk of injury to their personal identities. The relief for this risk of injury is analogous too. Instead of medical monitoring, the remedy for the risk is credit monitoring to ensure the customer's economic health.
The Ninth Circuit has considered this type of monitoring relief.30 In Stollenwerk v. Tri-West Health Care Alliance, the plaintiffs alleged that the defendant failed to secure their personal information when burglars broke into the defendant's headquarters and stole equipment and hardware, including computers on which the plaintiffs' personal information was stored.31 The court noted that "one [might] appl[y] a similar [medical monitoring] standard to determine the availability of damages for the cost of credit monitoring in instances of exposure of personal information."32 However, under the particular facts of that case--the only proof of personal data exposure was the burglary, which involved "a range of hardware...not just the servers containing customers' personal information," and there was "no evidence the thieves had any interest in their personal information, rather than just the hardware"--the court held that "the risk [of identity theft]...was low," so the plaintiffs could not recover.33
In contrast, a number of the more recent security breaches involve intrusion directly into the databases containing users' personal data, so the risk of identity theft or other misuse is high. Credit monitoring is the ideal relief in these situations.
Contract-based claims have faced a similar dilemma. Like the requirements for tort claims, some courts have held that plaintiffs must prove actual damages resulting from the alleged breach.34 Contract damages are typically even more limited than tort damages. The usual relief is to give the aggrieved party the benefit of his or her bargain. Emotional distress damages are generally not available in contract cases even when actual harm is proved.35 Some courts analyzing contract claims have found that, as with negligence claims, the increased risk of identity theft does not give rise to compensable damages.36
Nevertheless, contract claims have not been completely barred in security breach cases. In a suit against AOL for the disclosure of users' search histories, a federal district court upheld a number of California statutory claims on a motion for judgment on the pleadings.37 The court found that the plaintiff's purchase of AOL's services, coupled with AOL's failure to provide what was bargained for--keeping the plaintiffs' information private--proved sufficient to sustain the claims.38 In another case involving UniCare Life and Health Insurance's breach of its customers' private information, numerous claims, including breach of implied contract, survived a motion to dismiss.39 The plaintiffs' injuries involving severe emotional distress, increased risk of future harm, credit monitoring, and harm to their possessory interest in their personal health information met the federal pleading standard.40
Last year, U.S. District Court Judge Phyllis J. Hamilton in the Northern District of California allowed claims for breach of contract and negligence based on the potential for identity theft to proceed in Claridge v. RockYou, Inc.41 Defendant RockYou, a developer of online services, allegedly failed to secure and protect its users' sensitive personally identifiable information, including e-mail addresses, passwords, and login credentials. The plaintiffs brought a number of claims. The state statutory claims were struck down, but the breach of contract, breach of implied contract, and negligence claims were not. Specifically, the court held that the "plaintiff has sufficiently alleged a general basis for harm by alleging that the breach of his [personally identifiable information] has caused him to lose some ascertainable but unidentified 'value' and/or property right inherent in the [personal information]."42 Judge Hamilton's decision opens the door for other judges to follow suit.
Statutory-based claims generally require lost money or property damages or some other tangible form of injury.43 However, many statutes do not require a showing of actual damages.44 No state has yet passed a statute giving rise to statutory damages based specifically on the increased risk of identity theft from a data breach, but this type of law may be enacted in the future.
Legislation is beginning to play a role in the area of damages for data breaches. Many states have passed laws that create a civil cause of action for failure to secure data. The first law of this kind, which served as a model for many other state laws, was California's Security Breach Information Act (California SBIA). Passed in 2003, the California SBIA imposes on businesses a duty of notification to those who suffer an unauthorized intrusion into their personal data.45 At last count, there are 46 states--as well as Washington, D.C.; Puerto Rico; the U.S. Virgin Islands; and New York City--that impose a duty of notification when a security breach has occurred. The California SBIA also contains a data protection obligation and expressly authorizes the maintenance of a suit for damages for breach of that duty46--another trend followed by other states in their laws. However, these laws provide no guidance on what damages are available. Moreover, other states with notification statutes do not provide for private causes of action,47 while others only assess civil penalties.48
At least one state, Illinois, allows for recovery of economic losses in data security cases by expressly providing that a violation of the state's data breach statute is deemed to also be a violation of the Illinois Consumer Fraud and Deceptive Business Practices Act.49 The Illinois Deceptive Trade Practices Act permits a "person who suffers actual damage...[to recover] actual economic damages or any other relief which the court deems proper," including "reasonable attorney's fees and costs."50 This still requires actual damages but allows for recovery upon merely a showing of economic loss.
No state to date has passed a law providing for statutory damages without a showing of actual damages from identity theft. Early in 2011 Hawaii considered a bill that would authorize "any person who is affected by a security breach that creates a risk of harm of identity theft" to sue for actual or statutory damages.51 Nevertheless, its future is unclear. A bill was passed in 2011 in California that requires restitution payments from criminal defendants to their identity theft victims, including credit report monitoring and credit repair costs.52 These bills may indicate a trend toward potential statutory relief for victims of the increased risk of identity theft.
Federal security breach laws are not far behind. The American Recovery and Reinvestment Act of 2009 includes a nationwide data breach notification law as part of its Health Information Technology for Economic and Clinical Health Act (the HITECH Act).53 The HITECH Act requires entities covered by the statute to immediately notify individuals whose "protected health information," including medical records and other individually identifiable health information, has been breached.54 Both the Department of Health and Human Services and the Federal Trade Commission have issued rules or regulations designed to implement the notification requirements of HITECH.55
The Veterans Benefits, Health Care, and Information Technology Act of 2006 requires the Department of Veterans Affairs to provide notice to veterans of a breach of their personal data. Moreover, the department also must 1) notify law enforcement and certain congressional committees when a data breach occurs, 2) perform a risk analysis if unauthorized access to sensitive personal information occurs, and 3) notify and provide free credit monitoring to those affected if there is a "reasonable risk" for misuse of the information.56
A number of other bills have been introduced in Congress that would require companies to safeguard sensitive personal data and notify consumers about data security breaches.57 Consistent federal legislation providing statutory relief for victims of increased risk of identity theft may be following soon.
Presuming that courts and statutory law continue to move toward remedying injured data breach victims, what is the proper form of relief? When plaintiffs' private information has been exposed, putting them at risk of identity theft, the primary relief that plaintiffs seek is security. In the handful of data breach settlements approved by courts over the past few years, the parties and the courts (in approving the settlements) have consistently found that the best way to remedy the risk of identity theft is to provide injunctive relief. This involves free credit monitoring services to at-risk parties along with identity theft insurance or funds to reimburse identity theft losses and related expenses that stem from the security breach. These remedies rectify immediate damages to plaintiffs who have already suffered identity theft from the breach as well as provide protection to plaintiffs who are at risk for identity theft. In some cases, the relief also will cover future damages to plaintiffs who experience identity theft after the settlement.58
For example, in the Countrywide breach litigation settlement, class members were offered two years of credit monitoring and identity theft insurance, as well as reimbursements of out-of-pocket expenses resulting from the theft of their private information (such as costs for replacement checks, driver's licenses, and the like) and reimbursement for losses from identity theft. This relief was contingent on the loss being actual and not already reimbursed and more likely than not a result of the alleged theft of private information through Countrywide's breach.59 The court approved this settlement, noting that it "offers a reasonable resolution that properly addresses the tricky issues presented by data breaches."60
The court approved similar relief in the TJX breach case.61 In the TD Ameritrade litigation, the court rejected two settlements but has approved a third settlement that sets up a fund to pay for identity theft claims.62 Courts in these settled cases have viewed the provision of credit monitoring services and funds for payment of future losses to be adequate forms of security to ensure that the harmed plaintiffs can recover for their losses. These settlements illustrate the type of injunctive relief judges should consider in security breach cases moving forward.
Plaintiffs seeking to recover money damages based solely on the increased threat of future identity theft and their accompanying expenses incurred in increased monitoring have faced a tough battle in the courts. The damage requirements of tort and contract law, as well as many statutes, have prevented a number of claims from proceeding. At the same time, no clear consensus and no authoritative decision preclude these cases, and some courts have shown a willingness to move away from traditional damage models to remedy untraditional security breach injuries.
The RockYou holding may be the beginning of a move toward an expanded understanding of damages in these cases. In addition, the security monitoring injunctive relief approved by multiple courts in settlements suggests that the threat of identity theft is a remediable injury with concrete available relief. This is a burgeoning area of law that will play out in courtrooms and legislatures in the years to come.
1 See Privacy Rights Clearinghouse, http://www.privacyrights.org/data-breach#CP (last visited Dec. 30, 2011) (542,967,619 records exposed from 2,835 data breaches in the United States since 2005).
2 Id.; In re Sony Gaming Networks & Customer Data Sec. Breach Litig., MDL No. 11-2258 (S.D. Cal. 2011); Krottner v. Starbucks Corp., 628 F. 3d 1139, 1140 (9th Cir. 2009).
3 Steel Co. v. Citizens for a Better Env't, 523 U.S. 83, 95 (1998); Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992).
4 Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167, 180–81 (2000).
5 Pisciotta v. Old Nat'l Bancorp, 499 F. 3d 629, 633-34 (7th Cir. 2007).
6 Krottner v. Starbucks Corp., 628 F. 3d 1139, 1141-43 (9th Cir. 2010); see also Ruiz v. Gap, Inc., 380 Fed. Appx. 689, 690-91 (9th Cir. 2010) (unpublished).
7 See Denney v. Deutsche Bank AG, 443 F. 3d 253, 264–65 (2d Cir. 2006).
8 Sutton v. St. Jude Med. S.C., Inc., 419 F. 3d 568, 570–75 (6th Cir. 2005).
9 Central Delta Water Agency v. United States, 306 F. 3d 938, 947–48 (9th Cir. 2002); Friends of the Earth, Inc. v. Gaston Copper Recycling Corp., 204 F. 3d 149, 160 (4th Cir. 2000) (en banc).
10 Johnson v. Allsteel, Inc., 259 F. 3d 885, 887-88 (7th Cir. 2001).
11 Doe v. Chao, 540 U.S. 614 (2004).
12 Id. at 617–18, 624–25.
13 Lambert v. Hartman, 517 F. 3d 433, 437 (6th Cir. 2008).
15 See, e.g., Randolph v. ING Life Ins. & Annuity Co., 486 F. Supp. 2d 1, 6-8 (D. D.C. 2007); Bell v. Acxiom Corp., No. 4:06CV00485-WRW, 2006 WL 2850042, at *2 (E.D. Ark. Oct. 3, 2006) (unpublished); Key v. DSW, Inc., 454 F. Supp. 2d 684, 689-91 (S.D. Ohio 2006); Giordano v. Wachovia Sec., LLC, Civil No. 06-476 (JBS), 2006 WL 2177036, at *2-5 (D. N.J. July 31, 2006) (unpublished); Hammond v. The Bank of New York Mellon Corp., No. 08 Civ. 6060 (RMB)(RLE), 2010 WL 2643307, at *1-2 (S.D. N.Y. June 25, 2010) (unpublished); Allison v. Aetna, Inc., Civil Action No. 09-2560, 2010 WL 3719243, at *4-6 (E.D. Pa. Mar. 9, 2010).
16 See Amburgy v. Express Scripts, Inc., 671 F. Supp. 2d 1046, 1051 (E.D. Mo. 2009); see also McLoughlin v. People's United Bank, Inc., No. 3:08-cv-00944 (VLB), 2009 WL 2843269, at *4 (D. Conn. Aug. 31, 2009) (unpublished) (citing cases).
17 See, e.g., In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 613 F. Supp. 2d 108, 133 (D. Me. 2009), rev'd in part, Anderson v. Hannaford Bros. Co., 659 F. 3d 151 (1st Cir. 2011).
18 W. Page Keeton et al., Prosser & Keeton on the Law of Torts §30, at 165 (5th ed. 1984).
19 See, e.g., In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 4 A. 3d 492, 496 (Me. 2010).
20 See, e.g., Banknorth N.A. v. BJ's Wholesale Club, Inc., 442 F. Supp. 2d 206, 211-14 (M.D. Pa. 2006); In re TJX Cos. Retail Sec. Breach Litig., 524 F. Supp. 2d 83, 90-91 (D. Mass. 2007), aff'd, 564 F. 3d 489, 498 (1st Cir. 2009); Pennsylvania State Employees Credit Union v. Fifth Third Bank, 398 F. Supp. 2d 317, 326-30 (M.D. Pa. 2005).
21 For example, in California the damages element of negligence requires "appreciable, nonspeculative, present injury." Aas v. Superior Court, 24 Cal. 4th 627, 646 (2000).
22 See, e.g., Pisciotta v. Old Nat'l Bancorp, 499 F. 3d 629, 639-40 (7th Cir. 2007).
23 Restatement (Second) of Torts §919 (1979) (emphasis added).
24 Sutton v. St. Jude Medical S.C., Inc., 419 F. 3d 568, 575 (6th Cir. 2005).
25 Kuhn v. Capital One Fin. Corp., No. 05-P-810, 2006 WL 3007931, at *3 (Mass. App. Ct. Oct. 23, 2006) (unpublished).
26 Edward J. Imwinkelried, Redress for Loss of Private E-Data, Trial, Feb. 2009, at 48, 51.
27 Day v. NLO, 851 F. Supp. 869, 880 (S.D. Ohio 1994).
29 See Potter v. Firestone Tire & Rubber Co., 6 Cal. 4th 965, 1005-10 (1993); Miranda v. Shell Oil Co., 17 Cal. App. 4th 1651, 1657 (1993); Duncan v. Northwest Airlines, Inc., 203 F.R.D. 601, 607 (W.D. Wash. 2001); Laxton v. Orkin Extermination Co., 639 S.W. 2d 431, 434 (Tenn. 1982); Merry v. Westinghouse Elec. Corp., 684 F. Supp. 847, 852 (M.D. Pa. 1988).
30 Stollenwerk v. Tri-West Health Care Alliance, 254 Fed. Appx. 664 (9th Cir. 2007) (unpublished).
31 Id. at 665.
32 Id. at 666.
34 See, e.g., Ruiz v. Gap, Inc., 622 F. Supp. 2d 908, 917-18 (N.D. Cal. 2009), aff'd, 380 Fed. Appx. 689, 690-91 (9th Cir. 2010) (unpublished).
35 See McAfee v. Wright, 651 A. 2d 371, 372-73 (Me. 1994).
36 See, e.g., Hendricks v. DSW Shoe Warehouse, Inc., 444 F. Supp. 2d 775, 779-80 (W.D. Mich. 2006).
37 Doe 1 v. AOL LLC, 719 F. Supp. 2d 1102, 1109-14 (N.D. Cal. 2010).
38 Id. at 1111-12.
39 Rowe v. UniCare Life & Health Ins. Co., No. 09 C 2286, 2010 WL 86391 (N.D. Ill. Jan. 5, 2010) (unpublished).
40 Id. at *4-9.
41 Claridge v. RockYou, Inc., 785 F. Supp. 2d 855 (N.D. Cal. 2011).
42 Id. at 865.
43 See, e.g., Hall v. Time Inc., 158 Cal. App. 4th 847, 849 (2008); Bus. & Prof. Code §17204.
44 See, e.g., Arcilla v. Adidas Promotional Retail Operations, Inc., 488 F. Supp. 2d 965, 972-74 (C.D. Cal. 2007).
45 See Civ. Code §§1798.80 et seq.
46 Civ. Code §§1798.81.5, 1798.84(b).
47 See, e.g., Colo. Rev. Stat. §6-1-716 (2011).
48 See, e.g., Fla. Stat. §817.5681 (2011).
49 815 Ill. Comp. Stat. 505/1 et seq. (2011).
50 815 Ill. Comp. Stat. 505/10a (2011).
51 S.B. 728, 2011 Sen., Reg. Sess. (Haw. 2011), available at http://www.capitol.hawaii.gov/session2011/bills/SB728_.pdf.
52 Penal Code §1202.4(f)(3)(L).
53 HITECH Act of 2009, Pub. L. No. 111-5, §§13001-421, 123 Stat. 115, 226-79, 42 U.S.C. §17932.
54 Id. at §13402, 123 Stat. at 260-63.
55 74 Fed. Reg. 42,740 at 743 (to be codified at 45 C.F.R. pts. 160, 164) (Aug. 24, 2009); 74 Fed. Reg. 42,962 (to be codified at 16 C.F.R. pt. 318) (Aug. 25, 2009).
56 Pub. L. No. 109-461, §902, 120 Stat. 3403, 3450-60, 38 U.S.C. §§5721-28.
57 See, e.g., S. 1326, 109th Cong. (2005); S. 1408, 109th Cong. (2005); S. 1789, 109th Cong. (2005); H.R. 4127, 109th Cong. (2005); H.R. 3997, 109th Cong. (2005); H.R. 5318, 109th Cong. (2006); S. 1408, 112th Cong. (2011); S. 1535, 112th Cong. (2011).
58 See, e.g., In re Heartland Payment Sys., Inc. Customer Data Sec. Breach Litig., No. 4:09-MD-2046, Settlement Agreement, at 13 (S.D. Tex. Dec. 18, 2009) (providing for identity theft losses up to August 1, 2011--two and a half years after the announcement of the breach, and one and a half years after settlement). Potential plaintiffs who opt out of the settlement have the right to pursue individual claims for damages arising before or after the settlement agreement.
59 In re Countrywide Fin. Corp. Customer Data Sec. Breach Litig., No. 3:08-MD-01998, 2009 WL 5184352, at *8 (W.D. Ky. Dec. 22, 2009) (unpublished).
60 Id. at *5-6.
61 In re TJX Cos. Retail Sec. Breach Litig., No. 07-10162, Motion for Settlement, at 4 (D. Mass. Dec. 20, 2007). See also In re TJX Cos. Retail Sec. Breach Litig., No. 07-10162, slip op., at 7 (D. Mass. Sept. 2, 2008) (calling the relief "fair, adequate, reasonable, proper, and in the best [interests] of the Settlement Class").
62 In re TD Ameritrade Accountholder Litig., No. C 07-2852 VRW, 2011 WL 4079226 (N.D. Cal. Sept. 13, 2011).
Copyright 2012, Los Angeles Lawyer magazine. All Rights Reserved.