Last year, there were a number of high-profile breaches—earning 2014 the “Year of the Breach” tag. This year is seeing the fallout, as many of these breaches have resulted in significant litigation.
For example, the Home Depot breach in April of 2014—one of the largest breaches in history at that time—is now the subject of litigation brought by consumers and banks in the District Court for the Northern District of Georgia. Specifically, hackers accessed Home Depot’s payment data systems and installed malware allowing consumers’ data to be compromised. While there was no question that the consumers’ data was compromised, Home Depot argues the consumers are merely speculating that their information was used by hackers.
On June 1, 2015, Home Depot filed its Motion to Dismiss the claims of the consumers. In the first line of its brief in support of the motion, Home Depot wastes no time and asserts the consumers’ case is fatally defective because there are no allegations that consumers suffered any “actual or imminent injury.” This argument, based on the U.S. Supreme Court’s decision in Clapper v. Amnesty International USA, has been successfully used by a number of data breach defendants.
An interesting aspect of the Motion to Dismiss is Home Depot’s reliance on the “majority position” in In re Target Corp. Customer Data Security Breach Litig., among a number of other recent data breach cases. Litigants are beginning to rely on a significant body of law concerning data breaches as well as insurance coverage for data breaches and cyber security. The significant body of law available to Home Depot to cite in support of its Motion to Dismiss serves as a reminder of how quickly this area of the law has developed.
Just in the last month, we have seen a significant data breach decision involving coverage under a CGL policy, a settlement between Sony and Zurich in a significant data breach case involving a CGL policy, and one of the first decisions concerning coverage under a cyber policy, issued by a District Court in Utah. Also, another declaratory judgment action involving CNA’s denial of a claim under a cyber policy was recently filed and is pending in California.
It is clear that while 2014 may be referred to as the “Year of the Breach,” 2015 is shaping up to be the “Year of Data Breach Litigation.”