Business litigation over data breach claims reinstated by Court
Georgia is home to its share of litigation over data breaches against big retailers and respected organizations. When criminal hackers penetrate the security protections of a company’s data banks, class action lawsuits and some individual business litigation actions usually follow. The plaintiffs are customers whose private information has been taken and who are facing potentially dire consequences.
When one’s Social Security number and credit card information is stolen by hackers, there is a good likelihood that the information will be used for criminal purposes. One case that was recently reviewed by a U.S. Circuit Court of Appeals. The class action filed on behalf of optometrists against the National Board of Examiners in Optometry Inc. alleged that the class had suffered injuries as a result of the breach.
However, the U.S. District Court judge dismissed the case on the basis that the damages alleged were speculative in nature. That court asserted that the injuries alleged could only occur in the future, and were not traceable to the board. The U.S. Fourth Circuit Court of Appeals reversed the dismissal, holding that the plaintiffs sufficiently established that they had suffered real damages. Numerous fraudulent credit card accounts had been opened in optometrists’ names.
The Optometry Board took the wrong strategic position by not acknowledging that it had been the subject of an attack. The three-judge appeals court reinstated the litigation because the plaintiffs proved that the perpetrators had used and attempted to use the personal information to open Chase Amazon Visa credit cards. The Court of Appeals concluded that there was no speculation and that the plaintiffs had or will suffer substantial harm.
Business litigation in the federal courts in Georgia and other states dealing with data breach claims have ruled similarly. Some courts have held that even complaints of fear are enough to establish damages, but that may be going too far. Experts believe that the standard for damages in data breach cases may have to be clearly defined by the U.S. Supreme Court in the future.