8th Circ. Sets Standing Marker With Data Breach Rulings

Carlton Fields Washington, D.C. Shareholder Kristin Shepard was quoted in the Law360 article, “8th Circ. Sets Standing Marker With Data Breach Rulings.” The Eighth Circuit decided on two class actions against Scottrade and SuperValu, both with contrasting results.

Shepard commented:

Here, the Eighth Circuit is conducting a more nuanced standing analysis that requires going plaintiff by plaintiff and finding that only plaintiffs who had actually alleged unauthorized credit card charges had standing, and that fear of future misuse of card information is not enough.

She continued:

The implication of the ruling is that it limits the class to only those who allege fraudulent charges, which is likely to mean there will be a much smaller class and smaller exposure because most customers whose information is compromised never experience fraudulent charges.

The question for all class members is going to be the same, namely: Did the breach cause fraudulent charges?" Shepard said. "But the answer is going to be different for each plaintiff because one might have gotten his information stolen from another data breach while another may have given his card to a waiter who misused it.

Shepard added that the takeaway for companies from the Scottrade standing rule is that “what's said in privacy and data security policies matters and that they should make sure they are adhering to those statements.

"If you make representations about privacy or data security of information collected in connection with a consumer contract, be prepared to deliver.”

Shepard concluded:

While the court didn't close the door on such claims entirely, it is saying that that the mere fact that a hacker was able to get your information is not enough to show a failure to comply with a privacy policy. You have to have something specific.

Read the article. (Subscription required for full access).