Why Breach-Related Injury Is Hard For Consumers To Prove

Do hacked retailers owe consumers compensation when their credit card data is hack? Such is the question increasingly emerging as more and more customer data is going up on the block via various hacks, though thus far the answer has mostly been “no.”

Lawsuits have risen — both Target and Home Depot faced dozens from consumer stemming from their data breaches — but in almost all cases judges have dismissed the charges early because the plaintiffs involved had difficulty proving direct material harm.

But that might be changing, as judges in Illinois and California are considering letting these lawsuits proceed.

“Companies are seeing [these customer lawsuits] as an increasing threat,” said Veta Richardson, president and chief executive of the Association of Corporate Counsel, a trade group for in-house corporate lawyers. “The litigation costs can be substantial.”

About 5 percent of U.S. data breaches have led to lawsuits, but the biggest attacks against the biggest firms tend to attract the most. As of yet none of these cases have gone to trial. The vast majority were thrown out of court and those that remained were settled between parties. But even avoiding trial can be costly. Outside of their earliest stages, class action lawsuits can cost millions to defend against.

Even if they don’t go to trial, such suits can be costly. When judges allow class-action lawsuits to progress beyond their earliest stages, companies typically must turn over reams of documents and information to the plaintiffs. That process alone can cost a company millions of dollars.

And, breached firms note, dollars they shouldn’t be on the hook for since it is extremely hard to prove that being victimized in one breach is connected to identity theft that may or may not happen down the road. Moreover, retailers note, consumers are already covered against fraudulent charges by their issuers.

Judges, however, are disagreeing.

Seventh Circuit judges said victims of the luxury department store’s breach shouldn’t have to wait until a fraud occurred before being allowed to sue.

“Why else would hackers break into a store’s database and steal consumers’ private information?” wrote Judge Diane Wood. “Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”