
Digital Guardian's Blog

Fighting Breach Class Action Suit, Experian Tries Legal “Gotcha!”



The company says plaintiffs, unable to say when the breach occurred, can’t prove damages.

The data broker Experian has offered a novel defense in a class action lawsuit, arguing that plaintiffs can’t prove they were damaged as a result of the breach because they don’t say when it occurred.

The company on July 14 filed a motion to dismiss a class action suit in U.S. District Court in California (PDF) that was filed in response to a 2015 data breach affecting some 15 million T-Mobile customers. Experian was hired by T-Mobile to host the company’s data. Among a string of more or less standard arguments designed to pick apart the class action suit, Experian offers a new one: plaintiffs who can’t say when a breach occurred have no standing to sue for damages that resulted from the breach.

As this blog has frequently observed, courts in the U.S. are feeling their way through this age of data breaches that we find ourselves in, with curious and sometimes conflicting rulings bubbling up in the absence of a clear, federal data breach and data protection law.

One of the most common arguments used by breached firms to knock down class action suits and other suits seeking damages is that consumers can’t prove they were harmed by a breach. For example, consumers aren't liable for fraudulent charges made with stolen credit cards. And arguments about lost work time spent responding to the incident or registering for credit protection services haven’t passed the “sniff” test with courts.

But courts have also been willing to consider that damages resulting from having your data stolen in a breach may not be immediately apparent. The U.S. Appeals Court for the Seventh Circuit reversed a lower court’s decision to dismiss a class action suit against chain restaurant P.F. Chang’s, saying that the risk of “future injuries” suffered by consumers wrapped up in the breach there was “sufficiently imminent” to give them standing in court. That same court reversed a similar lower court ruling in favor of retailer Neiman Marcus a year ago.

In its filing on July 14, Experian throws the kitchen sink at plaintiffs, T-Mobile customers from a variety of states who claim damages resulting from the breach. The company, which is headquartered in Dublin, Ireland, says that claims that the company violated the Fair Credit Reporting Act by improperly “furnishing” records to the hackers fly in the face of a string of rulings that make clear that theft does not count as “furnishing.” Experian joins companies like Wendy’s and Home Depot in pointing to the absence of provable, economic damages and cites precedent for discounting the non-economic damages such as time spent investigating the data theft and so on.

But the company may be too clever by half when it argues that plaintiffs who claim they were damaged as a result of the breach, but fail to say when the breach occurred, should have their allegations dismissed. For example, Experian attacks a plaintiff with the last name Kuklinski from Illinois who claims that, on September 13, 2015, he received “disturbing text messages from an apparent hacker stating that payment of over $3,000 was due for an account that was not his own… Yet, because he does not allege a date of breach, it is entirely possible that he received that text before the data breach even occurred (and, hence, the data breach could not have been the cause of the text message).”

Similarly, in responding to allegations by plaintiffs in Illinois, Ohio and California that there were violations of state data protection laws resulting from delayed notification of the breach, Experian points out that the plaintiffs do not “allege a date of the breach” and, therefore, cannot establish that there was a delay in notification.

Clever arguments. But also hollow. For one thing, there isn’t much dispute about the timeline of the T-Mobile breach that involved data that Experian stored. Experian in its own statement says it discovered the breach on September 15, 2015 and described it as an “isolated incident over a limited period of time,” but the company also says that customers who applied for T-Mobile financing or a credit check starting in September 2013 and extending through September 2016 were affected. Note that Experian itself doesn’t say specifically when the breach began or ended (probably because such things are hard to determine).

The company also disclosed that a wealth of T-Mobile customer data was stolen. Records containing a name, address, Social Security Number, date of birth, identification number (typically a driver’s license, military ID, or passport number) and additional information used in T-Mobile's own credit assessment were accessed, Experian said in a FAQ released at the time.

For plaintiffs like Kuklinski, then, it makes perfect sense to conclude that a scam perpetrated in September 2015 may have resulted from a breach at T-Mobile that included his data and that may have lasted for months or years prior. Experian’s pointing out that the plaintiffs neglected to specify the date of the alleged breach amounts to a game of legal “Gotcha,” using an omission about an uncertain fact to invalidate a claim that, while maybe unprovable, certainly isn’t unreasonable.

Paul Roberts


Paul Roberts is the editor in chief of The Security Ledger and founder of the Security of Things Forum. A seasoned reporter, Paul has more than a decade of experience covering the IT security space. His writing has appeared in publications including The Christian Science Monitor, MIT Technology Review and The Economist Intelligence Unit. He's appeared on news outlets including Al Jazeera America, NPR's Marketplace Tech Report and The Oprah Show.