Damages in Data Breach Litigation

Interesting post on Cooley LLP’s cyber/data/privacy insights blog about recent litigation surrounding the huge CareFirst data breach (Attias). The post talks about the court’s rejection of the argument that the plaintiffs suffered an “injury-in-fact” and thus had standing to sue. They note:

“… there is a split between the courts on this issue. The courts disagree about whether the theft of personal information that exposes an individual to a heightened risk of identity theft is an “injury-in-fact” sufficient to confer standing under Article III. Some courts – the D.C., Third, Sixth, Seventh, Ninth, and Eleventh Circuits – believe (at a high level) that alleging only a heightened risk of future injury is enough to show an “injury-in-fact.” By contrast, other courts – the Second, Fourth, and Eighth Circuits – believe that plaintiffs must allege that the stolen personal data has been actually misused.”

Liability for data breaches is a hot topic these days (highlighted by the recent $230 million GDPR/data-breach-related fine against British Airways) and one that could have a large effect on company valuations and transaction risks going forward.

Cheval M&A, Inc.

Author: Hillary Stiff is President of Cheval M&A. She has been an investment banker and CFO, completing M&A transactions and arranging financing for a number of companies including NTT/Verio, The Endurance International Group and Web.Com among many others. She has helped complete over 480 successful web hosting, ISP and related transactions and distributes a list of hosting and related companies that are for sale.