For Consumers, Injury Is Hard to Prove in Data-Breach Cases

With the spread of data breaches, the legal system must determine if companies are liable for leaked credit card numbers or personal information. While some of the big breach stories end with settlements citing negligence, most cases are thrown out due to the prosecution not being able to prove that any real damage was done. However, courts are now beginning to allow these previously dismissed cases to go through, stating that the threat of identity theft from a breach could be cause for compensation. This new perspective creates a significant potential threat to businesses. Only about five percent of breaches lead to a lawsuit, but when major companies are breached, it can spawn into multiple individual lawsuits from different parties. In addition, lawsuits are always settled early on or dismissed. Even a dismissal can cost a company because it has e to turn over large quantities of data which is time consuming and expensive to do. The most difficult part of early trials for the prosecution is providing sufficient evidence that the harm done gives enough reason for compensation, as any identity theft must first be identified as stemming from said company and nearly every bank reimburses customers in case of fraudulent claims. Plaintiffs claim that companies are paid to protect the privacy of their customers and that any breach in security is an indicator that the company may have been overpaid. One example of the expanding nature of these cases is the recent P.F. Chang’s case. The case was first dismissed when the plaintiffs claimed their injuries were that they began carefully watching their information, leading to a consumption of time and money. However, the 7^th U.S. Circuit Court of Appeals brought the case back, stating that the heightened risk of identity theft by a breach was “sufficiently imminent” to an injury. This expansion of court cases that goes past the early stages of a trial hasn’t led to increased payouts for the victims, as Target’s $10 million payout ended up between $40 and $5,000 per plaintiff.