We may be on the verge of a breakthrough in data breach litigation. A state judge in Massachusetts ruled Wednesday that the Massachusetts Attorney General can move forward with a potentially gigantic data breach case against the credit reporting firm Equifax. The AG, Maura Healey, is asking for statutory damages under Massachusetts consumer and data security law on behalf of every state resident whose private information was exposed when hackers broke into Equifax’s systems – regardless of whether the breach actually injured any consumers.
The breadth of the Massachusetts AG’s potential damages is what makes this case so important. Equifax’s lawyers at Choate, Hall & Stewart had argued (among many other things) that the AG can’t wield the state consumer protection law, which prohibits businesses from making false, deceptive or unfair claims, without showing anyone was harmed by Equifax’s supposedly false assurances about data security. But Judge Kenneth Salisbury of Suffolk County Superior Court said that argument failed. “The Attorney General, unlike a private litigant … is required only to prove that unfair or deceptive acts or practices took place in trade or commerce; she is not required to prove or quantify resulting economic injury,” the judge wrote. “She is not required to allege or prove that any individual consumer was actually harmed.”
Regulators, in other words, can impose much more pain on data breach defendants than consumers suing in private class actions. Here’s why: Several federal appellate courts (though not all of them) have ruled in recent years that consumers can sue over data breaches simply because the exposure of their confidential information heightens their risk of identity theft. But when it comes to collecting damages, consumers in private class actions have generally focused on actual economic costs, demanding repayment for the time and expense of monitoring and repairing their credit records. For the most part, data breach class actions have settled for relatively small amounts of money, even if the breaches affected millions of consumers. I’ve said before that in the long run, class actions probably aren’t the best route to redress for data breach victims, or the best way to incentivize companies to make sure data is safe.
State regulatory enforcement may be more effective. State regulators, unlike class action plaintiffs, can claim statutory penalties for every violation of state law. Under Judge Salisbury’s reasoning in the Massachusetts AG’s case, Massachusetts need only show that Equifax misled consumers in order to seek damages on their behalf.
AG Healey, as my Reuters colleague Nate Raymond reported Wednesday, is so far the only state attorney general to have sued Equifax. Historically, state AGs have not been especially active in data breach litigation, according to leading lawyers on both sides: defense lawyer Douglas Meal of Ropes & Gray and plaintiffs’ lawyer Jay Edelson of Edelson. “A lot of regulators would fire off some letters and then promptly join a global settlement that was little more than a blip on the company’s monthly profits,” Edelson said in an email.
That is beginning to change. In addition to the Massachusetts AG’s suit, Edelson is working on a contingency basis for Illinois regulators pressing data privacy cases against Uber and Facebook and Cambridge Analytica. Edelson said by email that regulators will dig more deeply into discovery than class counsel in private cases and, when they find real misconduct, have the leverage to force companies to pay significant penalties.
“Regulators are filing cases and devoting real resources to them,” Edelson’s email said. “Overall, the resurgence of the data breach regulator suits is the most important pro consumer privacy development of the year.”
Data breach defense lawyer Meal (who, I should point out, was not involved in the Massachusetts AG’s Equifax case) wasn’t quite ready to proclaim 2018 the year of the regulatory data breach case, but he said he’s paying close attention to the Massachusetts suit and Edelson’s cases in Illinois. “Whether they’re a harbinger of a sea change or a coincidence, I’m not sure. It’s too early to say,” Meal said. “If regulators adopt the business model of retaining firms to litigate for them on a contingency basis, if that becomes a regular practice, then we would for sure see an upswing in these cases.”
Meal said Judge Salisbury’s ruling makes these cases look easier for regulators than he thinks they actually are. Broadly speaking, he said, state consumer protection laws are based on unfair or deceptive practices. For AGs or other state officials to claim consumers were deceived, they should be required to show that consumers actually read companies’ privacy notices – an impossible task since almost no one does read them. “Cases are dead on arrival under the deception theory,” he said.
Showing unfair practices, Meal said, requires regulators to prove substantial consumer injuries, according to the Federal Trade Commission regulations on which state laws are based. It may be sufficient, he said, for AGs to allege that hundreds of thousands of residents spent a minimal amount of money in response to a data breach. But Meal said he thinks Judge Salisbury erred when he said the Massachusetts AG doesn’t have to show any consumer suffered an actual economic injury.
“The debate is over what constitutes substantial injury,” he said. “I don’t think it means you avoid the injury inquiry altogether.”
There’s also going to be a fight over statutory damages, Meal said. Statutory damages penalize defendants for every violation. But what constitutes a violation? Is a data breach a single violation, or is the defendant liable for separate penalties for every consumer record exposed in a breach? If it’s the latter, even nominal penalties, like Massachusetts’ $25 per violation, multiply into staggering amounts of money.
Equifax counsel Joan Lukey of Choate Hall didn’t respond to my phone and email messages, and the company declined comment to Reuters on Judge Salisbury’s decision. The Massachusetts AG still has a long way to go in her case against Equifax. But this could be the start of something big.