Plaintiffs seeking to pursue negligence claims for the disclosure of their personal information in a data breach often face hurdles in pleading a sufficient injury. The claimants’ failure to plead a sufficient injury frequently is the basis for dismissal. However, in a very interesting recent decision, the Georgia Supreme Court reversed the intermediate appellate court’s affirmance of the dismissal of the plaintiffs’ data breach claims, finding that the claimants had sufficient standing to assert their claims where they alleged that the disclosure of their personal information left them at an “imminent and substantial risk of identity theft.” As discussed below, the Court’s holding arguably makes data breach claims under Georgia law less susceptible to dismissal. However, as also discussed below, there are important limitations to the Court’s holding.
Continue Reading Georgia Supreme Court: Risk of Future Identity Theft Sufficient to Support Data Breach Negligence Claim

ftc1One of the recurring issues that has arisen as claimants and regulators have pursued cybersecurity-related claims against companies that have experienced a data breach is the question of what type or quantum of claimed injury is sufficient to sustain a claim. This issue has recurred in consumer cybersecurity-related damages actions and it has also arisen in regulatory enforcement actions as well. These issues were presented in a very interesting July 29, 2016 Opinion from the Federal Trade Commission (here). The Commission overturned a prior ruling by one of its own Administrative Law Judges, and held, contrary to the ALJ, that the release of private and sensitive information in and of itself was sufficient – even in the absence of alleged economic or physical injury — to support a claim against LabMD that its failure to prevent the information’s release constitutes an “unfair” practice. The FTC’s July 29, 2016 press release about the agency’s ruling can be found here.  As the WSJ Law Blog noted in a July 29, 2016 post (here), the FTC’s ruling sets the stage for a “high stakes federal court battle” on the issue of what kind of alleged injury is sufficient to support cybersecurity-related unfair practices claim.
Continue Reading FTC Holds Private Information Disclosure In and Of Itself Sufficient Injury to Support Unfair Practices Claim