The recent decision in Blue Book Serv., Inc. v. Amerihua Produce, Inc., 2018 WL 4181482 (Aug. 31, 2018) sheds light on how damages may be calculated in data breach cases.  After analyzing whether an accounting expert was qualified to offer his opinion on damages, the District Court for the Northern District of Illinois addressed accounting methods used by the expert to calculate damages related to a data breach. While courts have weighed expert witness credibility and methods in numerous cases before, this decision is the most thorough analysis of expert testimony in the context of a data breach case.

The plaintiff in Blue Book provided a subscription service offering proprietary information related to the produce industry. At some point, Blue Book’s proprietary information was posted on another website without its authorization.  After sending a cease and desist letter to the website displaying Blue Book’s information, Blue Book determined, the defendant, Amerihua was the source of the data breach. After following up on its investigation, Blue Book determined that Amerihua’s CEO provided his log-in credentials to three Amerihua employees without Blue Book’s authorization.  Amerihua denied it was behind the breach of Blue Book’s proprietary information. Blue Book filed suit seeking damages based on its claim that Amerihua breached its membership agreement with Blue Book and that it suffered damages related to the breach.

First, the District Court found there was sufficient evidence concerning the breach of the subscription agreement to leave the question of how the agreement should be enforced to the jury.

Next, the District Court addressed the question of whether Blue Book presented some evidence of damages, and, in particular, whether Blue Book’s expert was qualified to testify as an expert.  Amerihau asserted Blue Book’s expert, C. Kenneth White, calculated damages in a manner that “runs afoul of Daubert [v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579, 589 (1983)] and must be excluded under Federal Rule of Evidence 702.”  (“Federal Rule of Evidence 702 appoints district courts as gatekeepers of expert testimony based on scientific, technical, and other specialized knowledge.” Kumho Tire Co., Ltd. v. Carmichael, 526 U.S. 137, 147 (1999)).

After conducting a Daubert analysis to weigh Mr. White’s credentials, the District Court found Mr. White was qualified on the following basis:

In order to win a damages award for the distribution’s impact on the company (as distinct from investigation costs) Blue Book will need to prove the damages to a reasonable certainty. Oakleaf, 527 N.E.2d at 295. It purports to do this through the expert report of White. Amerihua first challenges that White is not qualified to testify as an expert in this case, arguing that he does not meet any of the purported “Gold Standards” for expert testimony set forth by their own rebuttal expert, Stan Smith. Def. Br. at 14.12 The argument goes that because White does not have a doctorate degree, has never taught a college course, and has not authored a university textbook, he is not a witness “qualified as an expert by knowledge, skill, experience, training, or education.” Def. Br. at 14; Fed. R. Civ. P. 702. But the list of factors picked by Amerihua are not conclusive and are most definitely not required by Daubert and Kumho Tire. And as the Seventh Circuit has explained, “[t]he notion that [Daubert] requires particular credentials for an expert witness is radically unsound.” Tuf Racing Prod., Inc. v. Am. Suzuki Motor Corp., 223 F.3d 585, 591 (7th Cir. 2000). Experts can take many forms, and Amerihua’s definition would essentially foreclose a wide swath of experts qualified by “skill, experience, [and] training.” Fed. R. Civ. P. 702. White has been an independent financial consultant since 2003, and before that, he held senior positions at Ernst & Young as a certified public accountant. R. 54, DSOF Sealed Exhibits Exh. V, White Report (sealed) at 36. More importantly, he has over 40 years of professional experience with specialization in valuation and damage analyses. Id. He has a bachelor’s degree in accounting and a master’s degree in business administration, on top of passing the CPA examination. Id. He has similarly served as an expert in myriad cases. Id. Just because White has focused his career on applying his skills to concrete cases rather than teaching courses or publishing articles does not disqualify him from expert analysis—nor does Rule 702 suggest as much. See Kumho Tire, 526 U.S. at 148-49; Tuf Racing, 223 F.3d at 591.

After finding White qualified to offer his expert opinion, the District Court next found White’s method used to calculate damages was sufficient to submit to the jury.  White used an “income approach” to calculate damages which “entails determining the present value of a business by discounting its future cash flows based on the costs of capital and underlying future risks entailed in continuing the company.”  The District Court also analyzed White’s use of an accounting principle referred to as “company-specific risk premium” in the following manner:

White’s use of a “company-specific risk premium,” Def. Br. at 16, which White used to determine Blue Book’s Weighted Average Cost of Capital (the discount rate) calculation both before and after the unauthorized download of data. White Report (sealed) at 21. So the company-specific risk premium (call it CSRP for short) purports to account for the difference in the pre- and post-unauthorized download discount rate calculations measuring Blue Book’s worth. Id. at 23. Put another way, it is meant to account for the incremental risks associated with Blue Book after the supposed breach. Id.

Amerihua claimed that White’s findings based on the “company-specific risk premium” method was unreliable because it relied on subjective factors that included: “operating history, barriers to entry, legal risk from a breach, product risk, brand name recognition, and costs of debt.”  Based on these factors, White concluded Blue Book sustained an increased company-specific risk premium between 1.25% and 2.5%.  Finally, White estimated Amerihua sustained damages in the range of $790,000 to $1,475,000.

While the District Court agreed to some extent with Amerihua that White’s factors were subjective, it further opined that “[t]here is no mathematical formula that another expert could plug data into to test the result (or generate a different one based on different data).”  Therefore, the District Court continues, “there is no simple (or even complex) equation that applies to all scenarios for valuing a company.”  Ultimately, the District Court concludes “[a]t some point, expertise has to be applied, and that expertise is based on training and expertise rather than invocation of a formula.  And, other courts have approved of this valuation method and allowed experts to rely on company-specific risk premiums in their calculations.”  White’s analysis was also based on valuations used in data breaches at other companies, “financial projections used by Blue Book, interviewed its management to discuss the company’s operation, analyzed publicly available data for Securities and Exchange Commission filings, and read deposition transcripts.”  Based on this reasoning, the District Court found “although a jury could reject the valuation method’s reliability, the method is reliable enough for the jury to consider.”

While this decision provides insight on the accounting behind a data breach, it should be cautioned that the District Court for the Northern District of Illinois finds “there is no one grand mathematical equation that generates a precise damages number in these situations” and “it might even be more suspicious if an expert purported to be able to pin down an exact damages figure for a data breach.”  We can expect this decision to be the first of many cases to address how damages should be calculated in data breach cases.