Data Breach Litigation: Theories of Damages in Data Breach Cases featured image

Data Breach Litigation: Theories of Damages in Data Breach Cases

by John DiGiacomo

Partner

Data Breach

Data breach litigation is an emerging area of the law, and courts are regularly struggling with how to award damages in data breach cases because the harm caused by a data breach does not always fit neatly into traditional theories of damages.

In this article, we look at the three major theories of damages applied to data breach litigation cases.

Data Breach Litigation: Benefit of the Bargain Losses (Expectation Damages)

Courts may award damages for a data breach under the benefit of the bargain theory. These damages, sometimes called expectation damages, are damages that are awarded in a breach of contract action to give the injured party the benefit of the bargain—to place him or her in the same position he or she would have been in if the breaching party had not breached.

This theory has been recognized in a number of data breach litigation cases.

In In re Adobe Systems, Inc. Privacy Litigation, the plaintiffs alleged that they spent more money on Adobe’s products than they would have had they known the security provided was not the reasonable security Adobe claimed it was providing. In re Adobe Systems, Inc. Privacy Litigation, 66 F. Supp. 3d 1197, 1224 (N.D. Cal. 2014).

In In re Anthem, Inc. Data Breach Litig., the court found cognizable damages where Anthem was unable to fulfill its privacy obligations. It did not matter that the plaintiffs were unable to set out the expected cost and value of Anthem’s privacy obligations—the plaintiffs’ claims could proceed. In re Anthem, Inc. Data Breach Litig., 2016 U.S. Dis. LEXIS 70594 (N.D. Cal. 2016).

In In re Premera Blue Cross, the plaintiffs alleged that 11 million current and former members, affiliated members, and employees of Premera were entitled to lost premiums for insurance that was intended to include data security costs under a theory of unjust enrichment. In re Premera Blue Cross Customer Data Sec. Breach Litig., 198 F.Supp.3d 1183 (D. Or. 2016).

In in re Target Corp., Target shoppers alleged that Target could be held liable under a benefit of the bargain theory because they would not have shopped at Target if they had known of its lax security practices. In re Target corp. Customer Data Sec. Breach Litig., 66 F.Supp. 3d 1154 (D. Minn. 2014).

In Svenson v. Google, Svenson alleged that he did not receive the privacy protections he contracted for after purchasing an app from Google and his information was divulged to an unaccountable third party. Svenson v. Google Inc., 2015 U.S. Dist. LEXIS 43902, *4 (N.D. Cal. Apr. 1, 2015).

Damages For Loss of Value of Personal Information

Courts may also award damages for a loss of value of personal information. This theory rests on the notion that an injured party should receive compensation for a loss in the value of his or her personal information.

This theory has also been applied on a number of data breach litigation cases.

In In re Facebook, the plaintiffs alleged that they were harmed by Facebook’s dissemination of their personal information and its associated loss in sales value of that information. Had Facebook not released the information for free, it would have been valuable. In re Facebook Privacy Litigation, 572 F. App’x 494, 494 (9th Cir. 2014). In Svenson v. Google, the court held that such “allegations of diminution in value of [plaintiff’s] information are sufficient to show contract damages [under California law]….” Svenson v. Google Inc., 2015 U.S. Dist. LEXIS 43902, *4 (N.D. Cal. Apr. 1, 2015).

In In re Anthem held that plaintiffs are not required to plead that there was a market for their personally identifiable information in order to assert damage to the value of their personally identifiable information. In re Anthem, Inc. Data Breach Litig., 2016 U.S. Dis. LEXIS 70594 (N.D. Cal. 2016).

Consequential Damages And Out of Pocket Expenses

Consequential damages can also be awarded in data breach litigation. These are damages resulting from the plaintiff’s attempts to remedy the effect of the breach and may include credit monitoring services or taking other steps to protect against the loss of personal or personally identifiable information.

In Target, the plaintiffs alleged that, if they would have known of the breach, they would have taken appropriate measures to avoid unauthorized credit card charges, change usernames, and monitor their personal accounts. In re Target corp. Customer Data Sec. Breach Litig., 66 F.Supp. 3d 1154 (D. Minn. 2014).

In Dittman v. UPMC, a class action against the University of Pittsburgh concerning a data breach at its medical center, the court allowed recovery of such mitigation damages: “I strike the balance here in favor of permitting recovery of at least mitigation damages—in the data breach context—in instances in which an employee or employees prove that the employer has violated the duty to exercise reasonable care in protecting confidential personal and financial data.” Dittman v. UPMC, 196 A.3d 1036 (Penn. 2018).

Finally, in In re Equifax, the court recognize plaintiffs’ allegations of actual injury by having to take measures to combat the risk of identity theft and by expending time and effort to monitor their credit. In re Equifax, 363 F. Supp. 3d 1295 (N.D. Ga. 2019).

Data Breach Litigation

If you are a victim of a data breach and have suffered one of these three forms of damages, contact one of our data breach lawyers today with the form on this page or call us directly at 855-473-8474.

Extra, Extra!
Recent Posts

Online Personal Data Privacy: Fight Over Universal Opt-Out Mechanisms

Online Personal Data Privacy: Fight Over Universal Opt-Out Mechanisms

Internet Law

Almost half of the States in the U.S. have enacted some version of an online personal or consumer data privacy statute. The statutes all use a similar framework that requires data collectors and processors to provide notices, obtain consent, and comply with mandates and prohibitions. For example, all of the online data privacy statutes require […]

Read more about Online Personal Data Privacy: Fight Over Universal Opt-Out Mechanisms

9th Circuit Partially Invalidates California’s Age-Appropriate Design Code Act

9th Circuit Partially Invalidates California’s Age-Appropriate Design Code Act

Internet Law

The Ninth Circuit Court of Appeals — located in San Francisco — partially struck down California’s Age-Appropriate Design Code Act (“CAADCA”). See Cal. Civ. Code §§ 1798.99.28 et seq. The CAADCA was passed in 2022 by the California State Assembly. The CAADCA was enacted to protect the online privacy of children — persons under the […]

Read more about 9th Circuit Partially Invalidates California’s Age-Appropriate Design Code Act

Put Revision Legal on your side