Pub. 12 2022-2023 Issue 1

Class action plaintiffs have plenty of ammunition when pointing a finger at a company holding consumer data. An attack occurs, typically because of a security vulnerability and/or a novel method, and plaintiffs have a somewhat easy avenue to establish causation. For that reason, many companies and banks understandably focus their efforts on beefing up their information security policies and procedures. Proactive banks and other companies wisely engage cybersecurity forensic consultants, procure quality cyber liability insurance, and ramp up their response plans to help establish reasonable precautions that can help counter causation arguments.

However, with the rising number of data breaches in recent years exposing millions of consumer data records to potential identity thieves, the supply of consumer information – Social Security numbers, account numbers and other personal information – on the black market has exploded. That makes damages difficult to prove in data breach cases because of the high likelihood that the individual's personal data is out there somewhere. It was only a matter of time before creative damages theories would arise in these cases.

In a recent decision, a federal district court certified a class in a case based upon a data breach in which a massive amount of personally identifiable information (PII) was stolen over the course of several years. One notable element of this class certification order is that it is founded, at least in part, on a novel theory of damages. This theory is based on the premise that the amounts charged by the

July • August 2022
