As a data security company, we review our newsfeed for interesting and notable stories involving information security. Among the topics we visit often is the cost of a data breach. We have seen many ways of calculating the financial losses of a data breach when a company is hacked, or when laptop encryption and mobile security software were not used on lost or stolen digital devices.
It’s not uncommon to factor in postage, outside consultants, 24-hour toll-free lines, lost employee productivity, legal expenses, damaged reputation, and more. You can add a new element: minimum hourly wage.
According to databreaches.net, a family-run grocery store based in St. Louis, Schnuck Markets Inc., has calculated the potential fallout from a credit card and debit card hack at $80 million: 500,000 people affected, a minimum wage of $7.25/hour, and an assumption that each person spent an average of 2 hours dealing with the effects of the breach (calling up banks about their credit cards and whatnot).
That math actually comes out to “only” $7.25 million (500,000 people × 2 hours × $7.25/hour). However, take into consideration that “the Illinois Supreme Court has in the past approved a ratio of punitive to compensatory damages of about 11 to 1” (saukvalley.com), multiply accordingly, and you get a cool $79.75 million.
I’m not sure if that ratio is a maximum or an average of all compensatory damages or what, but all of this appears to have the objective of inflating that final figure.
Schnucks sought to remove a case from Illinois’ St. Clair County Court to a federal civil court in the Southern District of Illinois. Such courts have jurisdiction when the potential class action includes residents of another state, the amount involved exceeds $5 million, and the class has more than 100 people. [saukvalley.com]
In other words, Schnucks needs the amount in controversy to exceed $5 million; otherwise, the case remains in county court.
I don’t know how it might be advantageous to have a trial in county court vs. federal court (more on this further below, actually), but it looks like Schnucks really wants a change in venue. (Otherwise, why quote $80 million when $7.25 million handily meets the legal requirement?)
The problem, as databreaches.net noted, is that no American court has ever considered the time spent rectifying one’s credit as a reason for winning a lawsuit. Indeed, such cases tend to be “summarily dismissed,” which is legalese for “not even seeing its day in court because there isn’t a case there at all.”
Yet, it remains to be seen whether the courts will accept the above math as satisfying the condition that the “amount involved exceeds $5 million.” If the courts rule that it does, then… well, I don’t have to be a lawyer to see that it could be a watershed moment. If this passes muster, then every single lawsuit involving a data breach would reference it; it would be a great setback to businesses and other organizations that have enjoyed a great deal of protection from the courts.
(Although, truth be told, the tide is turning on that front as well.)
An Expert Weighs In on Venue Change
According to a lawyer quoted in a computerworld.com article, Schnucks is playing a very delicate game. He also offers possible explanations for why the company is looking to have its case tried in federal court:
- Schnucks may think it has a fair chance at the federal level because federal courts “are generally better equipped and more experienced at handling large class-action data breach lawsuits.”
- Data breach lawsuits don’t tend “to fare well in federal courts,” something that I can attest to based on my 5+ years of covering such issues.
The downside, though: Schnucks’ effort to get the case to federal court means it is in a sense admitting that potential damages against it could be tens of millions of dollars, he said. Any company that admits that it faces more than $5 million in potential damages from a lawsuit will later have a hard time backing away from that number if the case goes against it.
I’ve said it before, and I’ll say it again: using proper solutions to protect oneself from data breaches, such as BYOD security programs and laptop encryption software, is much easier than trying to fix things after the fact.
It’s not that such solutions are infallible. Rather, (1) most states and courts tend to view the presence and use of such solutions as evidence that a company wasn’t being negligent about data security, and (2) many laws and regulations provide safe harbor if they are used.
Plus, there’s the undeniable fact that their use – for example, disk encryption on a laptop full of sensitive data – really does protect the data in the event something goes wrong.