The Cyber-Lawsuit that Works: Company v. Company
Posted on 02/26/2020 at 03:42 PM by John Lande
Consumer lawsuits against companies for data breaches are increasingly common, but the results for the plaintiffs have been mixed. Many times, consumer lawsuits against companies for exposing personally identifiable information fail because consumers have difficulty identifying harm they suffered as a result of a specific breach. As the number of breaches continues to grow, the task of proving that any one breach caused a consumer harm will only become more difficult. New state laws may start to shift the balance in favor of consumers, but for now consumers' claims are challenging.
There is one type of cybersecurity lawsuit, however, that has been much more successful for plaintiffs. Companies that file suit against other companies for costs associated with a cybersecurity incident can have an easier time recovering. Companies tend to have an easier time proving damages, because they may have statutorily or contractually defined costs they must incur after a cybersecurity incident.
Financial institutions, for example, have been successful bringing lawsuits against companies that expose consumer payment card details to fraudsters. We previously covered a ruling by the federal district court in Minnesota that allowed a class of banks to pursue claims against Target after Target’s payment card breach in 2013.
A recent decision from the federal district court in Maryland is another example of financial institutions succeeding against companies for payment card breaches. Bank of Louisiana (“BoL”), among others, sued Marriott International, Inc. (“Marriott”) for damages arising from a four-year-long data breach that Marriott discovered in 2018. The breach exposed hundreds of millions of customer credit and debit card numbers to fraudsters.
BoL, like many financial institutions, faced a dilemma in the wake of the incident. Under federal law, BoL is generally liable to consumers for fraudulent charges on debit and credit cards. To minimize its risk of loss, BoL could cancel and re-issue debit and credit cards to the affected consumers, or it could not re-issue and try to closely monitor accounts for fraud. BoL decided to re-issue cards, and then sued Marriott for damages for the costs of re-issuance and fraud losses.
Marriott filed a motion to dismiss BoL’s lawsuit, and argued BoL had not suffered an injury that was traceable to Marriott and that the economic loss rule barred BoL’s claims against Marriott. The district court rejected both of Marriott’s arguments, and instead allowed BoL’s claims to proceed. The district court concluded that BoL suffered an injury in the form of fraud losses and card re-issuance costs, and these losses were traceable to Marriott’s breach. Furthermore, the district court ruled that under Louisiana law the economic loss rule did not bar BoL’s claims.
This decision adds to the growing body of case law that allows financial institutions to pursue claims for data breaches that expose payment card information. Unlike consumers, financial institutions suffer real losses when fraud increases after a data breach.
This case also highlights the growing risks companies face from cybersecurity incidents. As more states enact laws that provide consumers protections for their personal information, the obligations on companies to safeguard that data will only increase. Right now, there are approximately a dozen states considering laws that would increase consumer rights to protect their data. This increases the likelihood of companies incurring obligations to other companies if they expose customer information.
Companies of all kinds need to make sure they have strong contractual rights to protect themselves from the costs associated with cybersecurity incidents. When a cybersecurity incident does occur, companies need to make sure they engage with knowledgeable professionals to determine whether another entity should bear at least some of the costs associated with cleaning up an incident.
The material, whether written or oral (including videos) that is posted on the various blogs of Dickinson Bradshaw is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog posting are those of the individual author, they may not reflect the opinions of the firm. Your use of the Dickinson Bradshaw blog postings does NOT create an attorney-client relationship between you and Dickinson, Bradshaw, Fowler & Hagen, P.C. or any of its attorneys. If specific legal information is needed, please retain and consult with an attorney of your own selection.