Sign Up
Stay current with GH&R Newsletters. Click here to sign up.
E-Commerce News
DSW Avoids Civil Liability For Data Breach; Litigation Costs Don't Count Toward CFAA Damages
January 30, 2007
DSW AVOIDS CIVIL LIABILITY FOR DATA BREACHThe DSW Company, which last year settled an FTC proceeding based on a breach of its data security system, recently dodged a second bullet related to the same incident. Much to the shoe company’s relief, an Ohio federal trial court recently rejected a claim for civil damages brought by a plaintiff who sought recovery for her increased risk of identity theft posed by the breach.
The plaintiff, Tracy L. Key, originally filed the complaint in state court (DSW removed the case to federal court), alleging violations of the Ohio consumer protection statute as well as negligence, breach of contract, and other state tort claims. Key also asked the court to certify a nationwide class of all individuals whose information was accessed in the breach. The class was estimated to include more than 1.4 million individuals.
Key’s case had a “good news/bad news” element to it. The good news for Key was that it appeared that she was not actually damaged by the incident. That of course was bad news for her lawsuit, since typically courts expect a plaintiff to actually have been damaged before they can allege a claim. Of course, Key, being a clever plaintiff, was not about to let a little detail like no actual damage stand in her way. She contended instead that her damage consisted of the “increased risk” of harm.
The court, however, was unimpressed. It cited to cases from other jurisdictions that had ruled that a heightened risk of harm was not actionable.
Undaunted, Key argued that even if she could not show damages, there were others in the purported class that might be able to. But the court noted that in class action litigation, the initial focus must always be on the named plaintiff and her allegations of damages.
DSW had previously felt the wrath of the Federal Trade Commission as a result of the data breach. The good news here was that the other shoe never dropped. Sorry.
LITIGATION COSTS DON'T COUNT TOWARD CFAA DAMAGES
A federal court in Rhode Island recently rejected a plaintiff’s effort to satisfy the jurisdictional damage threshold under the Computer Fraud and Abuse Act (“CFAA”) by counting litigation costs in the damage total.
The case arose when local police searched a public library’s computers to determine if plaintiffs engaged in the improper use of city property for an election campaign. The plaintiffs could not show that the alleged intrusion caused them any economic harm. Because the CFAA contains a requirement of damages totaling at least $5,000, absent some other damage showing, the plaintiffs would be unable to proceed with a CFAA action. In an effort to satisfy the minimum, the plaintiffs asserted the costs of the litigation.
The court was unmoved. "[T]heir ability to conduct their business was not affected or impaired. No remedial measures were required to repair their computer capabilities. Plaintiffs' litigation expenses are not directly attributable to Defendants' computer browsing, and are not economic damages in excess of $5,000 as required by the statute," the court noted.
Like the plaintiff in the DSW case above, it is a fundamental concept that a lawsuit requires damages. That’s true in cyberspace too.
This Newsletter is a periodic publication of Graydon Head & Ritchey LLP and should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general information purposes only, and you are urged to consult your own advisor concerning your situation and any specific legal question you may have.