Data Breach Litigation Waivers: Be Careful What You Wish For

Companies with data breach litigation waivers may find those waivers used against them by savvy law firms

In her 1969 book, “On Death and Dying,” Elisabeth Kübler-Ross described the five stages of grief and loss:

  1. Denial and isolation
  2. Anger
  3. Bargaining
  4. Depression
  5. Acceptance

They’re not too different from the stages of data breach response. First, deny that you have had a breach and isolate your network. Then, find someone else to blame for the breach. Next, bargaining—with insurance companies, merchant banks, regulators, the FTC, class action lawyers, shareholders, etc. Then, depression—usually of stock price. Finally, acceptance: You have a brand-spanking-new data security policy, pen test, assessment, endpoint management, encryption … cool. You’re good to go.

One of the (almost) inevitable stages of a data breach has been litigation via a class action lawsuit. Consumers, vendors, shareholders or others sue the company for failure to adequately protect their data and for exposing them to some potential or actual harm as a result of inadequate security. For large data breaches, class action lawyers may file multiple lawsuits purporting to represent various classes of data breach victims—often asking for millions or tens of millions of dollars in damages. Even when there is a settlement, the members of the class may get little financial benefit, but much of the benefit goes to the lawyers representing the class and/or the named members of the class. That’s neither good nor bad; it’s just a function of how class action lawsuits work.

In recent years, companies have attempted to avoid class action liability through mandatory arbitration provisions embedded in website terms of service, in software end user license agreements, in privacy policies and in other forms of browsewrap or clickwrap. The U.S. Supreme Court has held that these arbitration clauses are generally enforceable, which means consumers and employees can no longer go to court to get a determination of their rights but must rely on arbitration. While there are advantages to arbitration generally—it’s faster, somewhat cheaper and, unlike the courts, it’s open—there are significant disadvantages to consumers for compelled arbitration as well. First, the consumer may be required to pay all or a portion of the costs of arbitration even if they win. The arbitrator, unlike a judge, is paid by the litigants. When you are arbitrating a claim that the phone company ripped you off for $35, the prospect of having to pay a few grand for arbitration is daunting. Second, arbitration is generally “off the record” and not binding on any other arbitrator. Thus, if 1,000 other arbitrators have read a clause in a contract one way, the 1,001st is free to read it any way they like. Third, there is limited discovery in arbitration; in other words, as a plaintiff, you may not be able to learn of the internal “screw the consumer” memo sent by the company VP in charge of, well, screwing the consumer.

Finally, to get paid, arbitrators have to get selected through a process that involves both plaintiff and defendant. An arbitrator who consistently rules against company defendants (even if they deserve to be ruled against) is unlikely to get a lot of work in the future.

One other feature of mandatory arbitration is the class action and class arbitration waiver. So not only do you give up the right to sue for your damages, but you also give up the right to file a single class action representing all of the parties injured—or to file an arbitration on behalf of all people similarly situated.

Which brings us to the case of the Chegg data breach. Online learning website Chegg suffered a massive data breach that exposed user IDs, passwords and other data for users of the site, including those from George Washington University. (Disclaimer: I teach at the GWU law school, but was not a user of the website.) The data of about 40 million users was reportedly exposed. For each individual user, the demonstrable “harm” was likely minimal, making the prospect of individual lawsuits unlikely. Even if the “damages” were in the area of thousands of dollars, the cost of litigation for each case independently outweighed the benefits to any individual victim. As Judge Richard Posner once noted about such lawsuits, it’s not the difference between one class action lawsuit and tens of thousands of individual suits, it’s the difference between one class action lawsuit and no individual lawsuits. The same basic rule applies to arbitrations as well.

Without the possibility of litigation through a class action lawsuit or arbitration, lawyers in Baltimore representing the “class” came up with a novel but occasionally used strategy: Since the arbitration provisions in the clickwrap agreement provided that the company would pay the costs of arbitration for those less than $75,000 (the jurisdictional limit for federal lawsuits), the lawyers decided to file thousands of individual demands for arbitration. In fact, the law firm, Z Law, filed more than 15,107 individual arbitration demands on behalf of individual data breach victims. If permitted to go forward, Chegg would have to hire counsel to represent themselves in each arbitration, engage in hearings in each case, present evidence in each case and pay the arbitration costs in each case. In fact, just paying the $300 arbitration filing fee in each of the cases would cost the company about $4.7 million. These types of “mass arbitration” cases are, in a sense, made possible by the internet, which would permit plaintiffs’ firms to gather names of victims and get them to sign up to arbitrate. Unlike litigation, wherein a lawyer would have to be admitted to practice law in each jurisdiction in which the lawsuit is filed (or find local counsel), a single law firm could represent a diverse set of victims in multiple jurisdictions as long as there is some connection to the jurisdiction in which they are admitted to practice law.

As a result, a data breach involving a large number of “victims” each suffering a small amount of damages—the kind of case that the waiver of class action and class arbitration was intended to deter—has now become a huge logistical, practical and financial nightmare for the company suffering the breach and for the insurance company with a duty to defend that company in litigation or arbitrations resulting from the breach. So, be careful what you wish for; you might just get it.

Avatar photo

Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland. where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and Universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch had worked as cyberlaw editor for, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.

mark has 176 posts and counting.See all posts by mark