For established and emerging companies and corporations, the risk presented by data breaches cannot be overstated. According to an Association of Corporate Counsel report, a majority of data breaches occur due to employee mistakes or malfeasance within a company. That is, the report attributes 24 percent of breaches to employee error, 15 percent to “inside jobs”, 12 percent to phishing, and nine percent to a lost unencrypted laptop or other device. Taken together, negligence and intentional acts account for most breaches, and these causes are rarely covered by general liability insurance.
Despite these facts, the same study reports that damage to reputation or brand is the leading concern regarding data breach. In fact, according to this survey, money damages and litigation concerns are, respectively, only the third and sixth-most pressing concerns. Perhaps these attitudes derive from a sense of invulnerability after the U.S. Supreme Court’s 2013 decision in Clapper v. Amnesty International U.S.A., where the court held that “allegations of future injury are not sufficient” to confer Article III standing. However, this view should perhaps be reconsidered. In a recent Seventh Circuit consumer class action, Remijas v. The Neiman Marcus Group, LLC, the matter was reinstated after dismissal because, “[T]he Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an objectively reasonable likelihood that such an injury will occur.” Remijas v. Neiman Marcus Group LLC, 794 F.3d 688 (7th Cir. 2015). While this holding is in conflict with the Third Circuit’s decision in Reilly v. Ceridian Corp., its distinct reasoning is illustrative of a potential direction in which the law may develop.
As the Remijas opinion suggests, beyond the standing issue lies the class certification concern. Concerns regarding the development of a theory of liability and the ascertainment of damages follow, and these are often linked to the class certification concern. In a class action suit regarding consumer harm stemming from a data breach, development of all of these factors can typically only be accomplished through the use of one or more consulting and testifying experts. Thus, at minimum, experts will be required to develop class certification, theories of liability, and damages.
Generalized Concerns Regarding the Vetting of Expert Witnesses
Speaking generally, attorneys cannot simply accept an expert’s credentials and personal narrative at face value. Rather they must engage in their own due diligence and vetting of the potential expert. While every vetting process will differ depending on the exact nature of the expert and goal, the following describes minimum processes and inquiries that must occur.
The attorney must look into the background of the expert including his or her credentials and the trial history of the expert witness. Is the potential expert’s experience and training relevant to the subject matter at hand? Furthermore, the attorney should ascertain the previous matters where he or she has testified as an expert. Will the expert be open to impeachment due to only testifying for plaintiffs and writing a plaintiff-friendly report? Or rather, can he or she be presented as a neutral and impartial interpreter of complex subject matter?
Given that data breach is a relatively new discipline for experts, an attorney will want to weigh a potential expert’s experience against his or her academic credentials. The two best-known certifications for experts in this area are the CISSP (Certified Information Systems Security Professional) and the CEH (Certified Ethical Hacker). Other relevant qualifications include the OSCP (Offensive Security Certified Professional) and traditional college and engineering degrees relating to computer sciences and computer engineering. It is extremely important to review a potential expert’s experience. There are many individuals who entered the industry prior to the proliferation of these certifications. While they may not have much in the way of certification, their work experience may provide the background necessary for the case at hand.
The attorney should also avoid the temptation to provide a ghost-written report. If the authorship of the report is raised – and it likely will be raised – an expert who admits that he or she did not write the report has probably just irrevocably damaged his or her reputation with the judge and jury. Furthermore, the attorney must make all reasonable efforts to understand the materials provided and work to ensure that the expert can produce a report that is intelligible for individuals who are not subject matter experts.
Use of an Expert to Develop Factors Required for Class Certification
Following issues of standing, the certification of the class is often a key threshold and hurdle. While very early class action matters often passed through this stage on the pleadings alone, since the early 1980s and the Falcon decision, class pleadings have been held to a “rigorous standard.” Gen. Tel. Co. of the Southwest v. Falcon, 457 U.S. 147 (1982). Furthermore, in Comcast Corp. v. Behrend, 569 U.S. 27 (2013), the U.S. Supreme Court held that this factual analysis applies to all Rule 23 elements at the class certification stage. As stated in Rules 23(a) and 23(b),
Aside from the stated elements in Rule 23, the federal courts have also developed an implicit requirement of class ascertainability. The Third Circuit has held that the ascertainability requirement has two principal elements. Hayes v. Wal-Mart Stores, Inc., 725 F.3d 349, 355 (3d Cir. 2013). “First, the class must be defined with reference to objective criteria.” Id. “Second, there must be a reliable and administratively feasible mechanism for determining whether putative class members fall within the class definition.” Id. However, there is some dispute within the Third Circuit as to how far this requirement extends. Byrd v. Aaron’s Inc., 784 F.3d 154 (3d Cir. 2015).
In any case, an expert is typically required to prove at least the commonality and ascertainability requirements. Often this expert is an economics expert who can show commonality in harm suffered by the consumer and consistency in how the consumer came to suffer the harm. Multiple proposed classes, where some consumers suffered a harm and others did not, require an expert to develop the requisite elements for each class seeking certification.
Expert Required to Develop Theories of Liability
Beyond the class certification concerns is the development of a theory of liability. In the data breach context, common theories of liability include breach of contract and negligence on the part of the company or the vendor storing the data. In pursuit of either the contractual or negligence theory, it is highly likely that a subject matter expert is necessary to analyze and opine upon the practices of the company or its vendors. Common issues a technical subject matter expert or computer forensics expert often addresses include whether the party allegedly responsible for the breach implemented and maintained adequate practices and systems to protect sensitive personally identifiable information. Consider the context of the early days of Twitter, where all employees were granted admin-level rights giving full access to all systems. A technical subject matter expert could develop the theory of the case that practices of this type are inherently negligent, since systems should have some level of insulation from one another and employees should be granted only the minimum level of access required to perform their job duties (the principle of least privilege). In other cases, the expert may be required to develop a report regarding company password practices, network architecture, the availability of a data map, and other concepts relating to a contractual, statutory, or common law duty to protect customer information.
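To show concretely how a technical expert might substantiate the least-privilege theory described above, the following is an added example (not code from the article or from any company it mentions). It takes a constructed export of accounts, their roles, and their granted privileges, compares each account against a role baseline of the privileges that job actually requires, and reports the excess grants and the fraction of accounts holding admin-level rights. The role names, privilege names, and account data are all assumptions made up for illustration.

```python
"""Least-privilege audit over an access-control export (added illustration).

Given each account's granted privileges and the minimum set its role needs,
report accounts whose grants exceed that baseline. All data below is
constructed for the example; it does not describe any real system.
"""

# Constructed role baselines: the minimum privileges each job function needs.
ROLE_BASELINE = {
    "engineer": {"read_code", "write_code", "deploy_staging"},
    "support": {"read_tickets", "reset_user_password"},
    "finance": {"read_billing", "export_invoices"},
}

# Privileges that amount to full control of the system. Any such grant to a
# non-administrative role is excess by definition.
ADMIN_PRIVS = {"admin_all", "read_all_user_data", "modify_any_account"}

# Constructed export resembling the pattern discussed in the text: nearly every
# account, regardless of role, holds admin-level rights.
ACCOUNTS = [
    {"user": "alice", "role": "engineer",
     "privs": {"read_code", "write_code", "deploy_staging", "admin_all"}},
    {"user": "bob", "role": "support",
     "privs": {"read_tickets", "reset_user_password", "admin_all", "read_all_user_data"}},
    {"user": "carol", "role": "finance",
     "privs": {"read_billing", "export_invoices", "modify_any_account"}},
    {"user": "dave", "role": "support",
     "privs": {"read_tickets"}},  # within baseline: no finding expected
]


def excess_privileges(account, baseline=ROLE_BASELINE):
    """Return the privileges an account holds that its role does not justify.

    An unknown role has an empty baseline, so every grant is reported as excess
    rather than silently accepted.
    """
    allowed = baseline.get(account["role"], set())
    return set(account["privs"]) - allowed


def audit(accounts, baseline=ROLE_BASELINE):
    """Summarise violations: per-account excess grants and aggregate counts."""
    findings = {}
    for acct in accounts:
        excess = excess_privileges(acct, baseline)
        if excess:
            findings[acct["user"]] = {
                "role": acct["role"],
                "excess": sorted(excess),
                # True when the excess includes a full-control privilege.
                "admin_level": bool(excess & ADMIN_PRIVS),
            }
    admin_holders = sum(1 for f in findings.values() if f["admin_level"])
    return {
        "total_accounts": len(accounts),
        "accounts_with_excess": len(findings),
        "accounts_with_admin": admin_holders,
        "admin_fraction": admin_holders / len(accounts) if accounts else 0.0,
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit(ACCOUNTS)
    print(f"{report['accounts_with_admin']} of {report['total_accounts']} accounts "
          f"hold admin-level rights ({report['admin_fraction']:.0%})")
    for user, f in report["findings"].items():
        print(f"  {user} ({f['role']}): excess = {', '.join(f['excess'])}")
```

On the constructed data the audit reports three of four accounts holding admin-level rights; the aggregate fraction, rather than any single account, is what supports an opinion that the practice was systemic rather than an isolated misconfiguration. In a real engagement the baseline would be derived from job descriptions and the export from the actual identity system, and both would be produced in discovery.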
Experts Required to Develop Theories and Extent of Economic Damages Incurred
The question of the extent and type of damages suffered is often partially encompassed within the class certification concerns, but it is also an independent element of any class action suit. While many people still conceive of data breaches as smash-and-grab operations, most breaches in fact unfold over the course of months or years. Malicious third parties often obtain access to a network through employee mistakes or careless third-party vendors, and then collect and harvest personal data that can be sold in various underground forums and markets.
Typically, development of these elements requires both computer and financial forensics experts. Since the theft takes place over the course of months or years, the nature of the breach, the information that was stolen, and the time period over which the theft took place must all be fully developed. Likewise, the corresponding economic elements, including the scope and extent of economic damages, must be established. Furthermore, the potential for future damages due to stolen personally identifiable information and compromised identities is also an area where an expert is required to fully develop the extent of the damages for trial.
Recognizing the Need for Substantial Expert Witness Workup in Data Breach Cases
The above touches on many of the concerns and potential areas where an expert may be required to adequately develop a class action. Of course, this article merely touches on the basics and a significantly more rigorous workup is typically required. However, the concepts and areas addressed here can serve as a starting point for further inquiry into this still developing legal and technological area.