Data breach litigation is an emerging area of the law, and courts are regularly struggling with how to award damages in data breach cases because the harm caused by a data breach does not always fit neatly into traditional theories of damages.
In this article, we look at the three major theories of damages applied to data breach litigation cases.
Data Breach Litigation: Benefit of the Bargain Losses (Expectation Damages)
Courts may award damages for a data breach under the benefit of the bargain theory. These damages, sometimes called expectation damages, are damages that are awarded in a breach of contract action to give the injured party the benefit of the bargain—to place him or her in the same position he or she would have been in if the breaching party had not breached.
This theory has been recognized in a number of data breach litigation cases.
In In re Adobe Systems, Inc. Privacy Litigation, the plaintiffs alleged that they spent more money on Adobe’s products than they would have had they known the security provided was not the reasonable security Adobe claimed it was providing. In re Adobe Systems, Inc. Privacy Litigation, 66 F. Supp. 3d 1197, 1224 (N.D. Cal. 2014).
In In re Anthem, Inc. Data Breach Litig., the court found cognizable damages where Anthem was unable to fulfill its privacy obligations. It did not matter that the plaintiffs were unable to set out the expected cost and value of Anthem’s privacy obligations—the plaintiffs’ claims could proceed. In re Anthem, Inc. Data Breach Litig., 2016 U.S. Dis. LEXIS 70594 (N.D. Cal. 2016).
In In re Premera Blue Cross, the plaintiffs alleged that 11 million current and former members, affiliated members, and employees of Premera were entitled to lost premiums for insurance that was intended to include data security costs under a theory of unjust enrichment. In re Premera Blue Cross Customer Data Sec. Breach Litig., 198 F.Supp.3d 1183 (D. Or. 2016).
In in re Target Corp., Target shoppers alleged that Target could be held liable under a benefit of the bargain theory because they would not have shopped at Target if they had known of its lax security practices. In re Target corp. Customer Data Sec. Breach Litig., 66 F.Supp. 3d 1154 (D. Minn. 2014).
In Svenson v. Google, Svenson alleged that he did not receive the privacy protections he contracted for after purchasing an app from Google and his information was divulged to an unaccountable third party. Svenson v. Google Inc., 2015 U.S. Dist. LEXIS 43902, *4 (N.D. Cal. Apr. 1, 2015).
Damages For Loss of Value of Personal Information
Courts may also award damages for a loss of value of personal information. This theory rests on the notion that an injured party should receive compensation for a loss in the value of his or her personal information.
This theory has also been applied on a number of data breach litigation cases.
In In re Facebook, the plaintiffs alleged that they were harmed by Facebook’s dissemination of their personal information and its associated loss in sales value of that information. Had Facebook not released the information for free, it would have been valuable. In re Facebook Privacy Litigation, 572 F. App’x 494, 494 (9th Cir. 2014). In Svenson v. Google, the court held that such “allegations of diminution in value of [plaintiff’s] information are sufficient to show contract damages [under California law]….” Svenson v. Google Inc., 2015 U.S. Dist. LEXIS 43902, *4 (N.D. Cal. Apr. 1, 2015).
In In re Anthem held that plaintiffs are not required to plead that there was a market for their personally identifiable information in order to assert damage to the value of their personally identifiable information. In re Anthem, Inc. Data Breach Litig., 2016 U.S. Dis. LEXIS 70594 (N.D. Cal. 2016).
Consequential Damages And Out of Pocket Expenses
Consequential damages can also be awarded in data breach litigation. These are damages resulting from the plaintiff’s attempts to remedy the effect of the breach and may include credit monitoring services or taking other steps to protect against the loss of personal or personally identifiable information.
In Target, the plaintiffs alleged that, if they would have known of the breach, they would have taken appropriate measures to avoid unauthorized credit card charges, change usernames, and monitor their personal accounts. In re Target corp. Customer Data Sec. Breach Litig., 66 F.Supp. 3d 1154 (D. Minn. 2014).
In Dittman v. UPMC, a class action against the University of Pittsburgh concerning a data breach at its medical center, the court allowed recovery of such mitigation damages: “I strike the balance here in favor of permitting recovery of at least mitigation damages—in the data breach context—in instances in which an employee or employees prove that the employer has violated the duty to exercise reasonable care in protecting confidential personal and financial data.” Dittman v. UPMC, 196 A.3d 1036 (Penn. 2018).
Finally, in In re Equifax, the court recognize plaintiffs’ allegations of actual injury by having to take measures to combat the risk of identity theft and by expending time and effort to monitor their credit. In re Equifax, 363 F. Supp. 3d 1295 (N.D. Ga. 2019).
Data Breach Litigation
If you are a victim of a data breach and have suffered one of these three forms of damages, contact one of our data breach lawyers today with the form on this page or call us directly at 855-473-8474.