While many data breach lawsuits have been thrown out because the victims couldn’t show they suffered any actual harm, there have been some recent cases that were allowed to move forward.
For example, a court sided with some data breach victims in a lawsuit last year after ruling that while none of them had experienced actual identity theft, they did spend money on credit monitoring services, identity theft insurance or charges levied by their bank to replace their credit cards.
And now another court has allowed a lawsuit brought by individuals affected by a data breach to proceed.
The case was brought against Purchasing Power, which runs a program allowing client companies’ employees to buy computers and appliances through payroll deductions, after an employee improperly accessed sensitive data about employees of a client.
One of the employees whose information was breached filed a tax return and found out that a return had already been filed on his behalf. He sued Purchasing Power, arguing that due to the company’s negligence, his personal information was stolen and used to file the fraudulent return, preventing him from collecting his tax refund.
The company, on the other hand, argued that the employee should take his complaint up with the IRS and that when he does so, the financial damage may be reversed.
However, the court sided with the employee. According to the ruling, what matters is that he showed his personal information was misused and his identity was stolen. Also, the court said, it’s reasonable to believe the data breach led to the identity theft, and the case was allowed to move forward (Cite: Burrows v. Purchasing Power).
Lesson: Plan your data breach response
The costs associated with a lawsuit are yet another item that can add to the staggering cost of a data breach. In addition to tightening IT security and preventing as many breaches as possible, it pays to have an effective data breach response plan in place.
Reacting to an incident quickly — including notifying affected individuals so they can take preventative action — can help protect against misuse of the information that was stolen.