How to Defend Yourself in an Online Data Breach Lawsuit

Responding to a Lawsuit

Read the complaint. A lawsuit is started when the plaintiff files a complaint and serves it on you (the defendant). A complaint contains the allegations against you, the relief sought, and other technical information telling the court that the lawsuit is permissible (e.g., standing). If you are served with a complaint, read it carefully and plan your next move. The complaint will likely allege that you or your company in some way acted negligently or breached some fiduciary duty you owed to the plaintiff. The complaint will allege that the negligence or breach caused data to be breached and released. The complaint will also allege that the breach caused the plaintiff some concrete harm.

Hire a lawyer. Once you have read and understand the complaint, you will need to hire a qualified lawyer to defend you throughout litigation. The type of lawyer you hire will depend on the type of suit that was filed against you. For example, if the plaintiff alleged you acted negligently, you will want to hire a lawyer familiar with tort defense. Once you know what type of lawyer you need to hire, you will want to ask around for recommendations. This is usually the best way to get a qualified and trustworthy lawyer. If you cannot get a personal recommendation, contact your state bar association's lawyer referral service. You will be asked some questions about your legal needs and will be put in contact with qualified lawyers in your area. Once you find three or four qualified lawyers, conduct initial consultations and ask each candidate about their personal background and professional experience. Be sure you ask about how the attorney charges for their services. When you find the ideal candidate, let them know you would like to hire them and be sure to get your representation agreement in writing.

Ask about potential liability. You and your lawyer will have to have a serious discussion about the possible liability you face in this type of lawsuit. The types of damages available to the plaintiff will depend on the cause of action they bring. While some courts have been hesitant to allow data breach cases to move forward without showing a cognizable injury, other courts have allowed such cases. In the cases that have moved forward, damages have been based in contract, quasi-contract, negligence, and breach of fiduciary duty. Each of these areas offer different types and amounts of damages to the plaintiff. For example, contract damages include compensatory and consequential damages. Compensatory damages help compensate the plaintiff for the economic damages caused by a broken contract. Consequential damages are damages caused indirectly as a result of the breach. In negligence suits, damages can take the form of economic, non-economic, and exemplary (punitive damages). Economic damages compensate the plaintiff for actual economic losses suffered. Non-economic damages include pain and suffering, loss of enjoyment of life, and injury to reputation. Exemplary damages may be awarded to penalize or punish you if the facts warrant it. Usually, exemplary damages are only available if you acted fraudulently or with gross negligence. In federal cases brought under the Privacy Act of 1974, actual damages can be awarded. However, the definition of actual damages is up for debate. The question is whether actual damages include only pecuniary losses or if it also includes emotional damages. These questions have not been answered as most of these cases are settled before trial.

File an answer. The first thing you and your lawyer will do is file an answer to the plaintiff's complaint. This response must be filed within a certain time period or the court may enter a default judgment against you (and you will lose the case before having a chance to explain yourself). In general you will have around 20 days to respond after the day you were served. There is no fee for filing an answer unless you make counterclaims, in which case you will be required to pay a filing fee. Your answer will first admit or deny every allegation made in the complaint. By denying allegations, you are asking the court to make the plaintiff prove those parts of the case. Second, your answer will put forward any defenses to the allegations if you have them. For example, you might assert that the statute of limitations has ran and therefore the case should be dismissed with prejudice (i.e., it cannot be refiled). In addition to the normal answer, you may also want to file counterclaims if you believe the plaintiff has done something wrong. One of the most common claims you should consider including in your answer is that the plaintiff has not suffered any concrete harm and therefore the case should be dismissed for a lack of standing. When data has been breached, it does not automatically mean the data has been used to the plaintiff's detriment. For example, a plaintiff may lack standing if their argument is that the breached data may, at some time in the future, be used for fraudulent purposes.

Serve your answer on the other party. Once you file your answer, you will have to notify the plaintiff that you have responded. You can notify the plaintiff by serving them with your answer (i.e., personally giving them a copy). Ask the court clerk about the acceptable means of delivery. In general, anyone over the age of 18 who is not involved in the case can serve the answer. For a small fee, you can ask the sheriff's office to serve the answer for you. If the plaintiff cannot be personally served (i.e., served in-person), you may be able to serve them by sending a copy of the answer to their last known address.

Take part in discovery. The discovery process allows you and the plaintiff to collect and exchange information about the case. During discovery you will collect facts, talk with witnesses, find out what the plaintiff plans on saying, and assess the strength of your case. You will achieve these things by using the following discovery tools: Informal discovery, which includes conducting interviews, gathering publicly available documents, and taking photographs. Interrogatories, which are written questions to parties and witnesses. These questions must be answered under oath and can be used in court. For example, you may want to ask the plaintiff if he or she has suffered any harm from the breach. You might ask: "Have you suffered any quantifiable damages due to the online data breach at issue in this case?" Depositions, which are in person interviews with parties and witnesses. The interviews are conducted under oath and the answers can be used in court. Requests for documents, which are written requests asking the plaintiff to furnish documents that are not publicly available. Examples include emails, text messages, or internal memos. You should ask for documents relating to the plaintiff's actions after the breach occurred. For example you might ask for bank statements showing fraudulent charges (or a lack thereof). Subpoenas, which are court order requiring someone to do something (e.g., to answer questions or hand over documents).

Submit a motion for summary judgment. As soon as discovery concludes, you and your lawyer should discuss whether to file a motion for summary judgment. This motion will ask the court to rule in your favor and end the litigation immediately. To succeed, you will need to prove there is no genuine issue of material fact and that you are entitled to judgment as a matter of law. You will submit evidence and affidavits to help make your case. Your motion will most likely focus on the plaintiff's lack of cognizable damages. You may argue that, even if all of the facts are true and data was breached, there was no damage caused and therefore the litigation should end. The plaintiff will defend against this motion by submitting their own motion claiming there are genuine disputes of important facts. The judge will make all assumptions in favor of the plaintiff at this stage.

Attempt to settle. If your motion for summary judgment is not successful, you may want to consider settling with the plaintiff. Before you take this step, analyze the strength of your case and the plaintiff's case. The stronger your case is and the weaker the plaintiff's case is, the less obligated you should feel to take a settlement that will cost you a substantial amount of money. Settlement discussions will usually start in the judge's chambers during a settlement conference. Here, both parties will sit with the judge and discuss acceptable settlement terms. If no settlement is reached, you may have to take part in other alternative dispute resolution tools. For example: You might take part in mediation, which involves hiring a neutral third party to help you come up with novel and new ways to find common ground. Ask the court clerk for a list of available mediators or hire one using the American Arbitration Association website. When you and the plaintiff meet with the mediator, they will try to help both parties engage in meaningful settlement discussions. The mediator will not inject their own opinions and they will not make any legal conclusions. If mediation doesn't work, you may agree to arbitration. During arbitration, a neutral third party will act as a judge and will assess evidence and make conclusions. Each party will submit evidence to the arbitrator who will then analyze the information they receive. After analyzing the evidence, the arbitrator will draft an opinion that will make legal conclusions and tell each party who they think should win the case.

File pretrial motions. Right before trial starts, your lawyer should be busy filing pretrial motions in an attempt to resolve certain outstanding legal issues. Pretrial motions ask the judge to make decisions in order to avoid having to deal with them during trial. Common motions include: Motions to dismiss, which ask the court to dismiss the case for certain reasons. Examples might be a lack of evidence or that the facts to not amount to the claims made. Motions to suppress, which ask the court to not allow certain pieces of evidence to be admitted during trial because they do not comply with the rules of evidence.

Defending Yourself in Court

Arrive for trial early. On the day your trial begins (and for every day of trial thereafter), you should arrive early and give yourself enough time to find parking and get through security. In addition, make sure you turn off all electronics so you do not interrupt the court. Do not bring any food or drinks into the courtroom and be sure you act appropriately at all times in front of the judge.

Make your opening statement. The plaintiff will have the first opportunity to make a statement to the judge or jury. After the plaintiff makes their opening statement, your lawyer will have their opportunity to do the same. The opening statement is an opportunity to talk with the court about the case and how you see it going. It should give a brief outline of the case and concrete reasons why you should not be found liable. For example, your opening statement may outline how the online data breach was not caused by negligence and how you took every precaution possible to make sure it didn't happen. In addition, you may tell the court that the plaintiff will be unable to prove any damages.

Cross-examine the plaintiff's witnesses. The plaintiff will present their case first. When the plaintiff presents their case, they will call witnesses to the stand to testify. After the plaintiff questions each witness, you will have an opportunity to cross-examine them. During cross-examination you should try to discredit, dismiss, or disprove the witnesses statements. For example, if a plaintiff witness took the stand and made a statement that is inconsistent with a statement they made during a deposition, you would want to bring up the prior inconsistent statement and ask the witness about it.

Present your case. When the plaintiff rests, you will have an opportunity to present your case and call your own witnesses to the stand. You and your lawyer will have already discussed what witnesses to call and what defenses to mount. Your witnesses will include anyone in your IT department responsible for network and information security. These individuals should be able to testify to your security procedures meant to protect personal information. The plaintiff will have an opportunity to cross-examine your witnesses. Anticipate this and try to defend against problems by only calling the best witnesses you have.

Offer a closing argument. When both you and the plaintiff rest, each party will have an opportunity to make a closing argument. When your time comes, you should summarize your legal position and remind the jurors or the judge about the relevant facts presented during trial. Try to make these closing arguments dramatic so they stick with the jurors before they leave to deliberate. This statement should make it clear that the plaintiff has not proved his or her case by a preponderance of the evidence. You should reiterate important points in the trial, for example when your witnesses took the stand and made compelling statements.

Get the verdict. Once the trial is over, the jury or the judge will take time to deliberate and make a decision. This may take hours, days, or even weeks. If there is a jury, the jury will come back to court and present their verdict to the judge. Once the judge receives the decision, he or she can choose to concur and enter final judgment or require some other action depending on what the jury found (e.g., a new trial if the jury couldn't come to a conclusion). If you win and the case is dismissed, you will not have to pay the damages you are alleged to have owed. However, if you lose, you may be able to file an appeal to have the case heard by a higher court.

Avoiding Future Problems

Research applicable laws and regulations. State and federal laws, as well as administrative rules, dictate how data must be protected and how breaches must be handled. If you are responsible for protecting data, you need to understand the laws surrounding that duty. For example, almost every state has a law requiring that certain parties notify individuals of security breaches involving personal information. These laws usually identify who must comply, provide definitions of personal information, define what a breach is, and the requirements for notice. Make sure you understand all of the applicable laws and how to implement their requirements into your business.

Rewrite policies and procedures. One great way to implement legal requirements into your everyday practice is to write (or rewrite) your company policies and procedures. Your policies and procedures should lay out how the training of employees will take place, how breaches will be managed, and what your response plan is.

Hire a qualified data security firm. Online data protection can be a complicated and complex endeavor. It usually involves creating computer programs and firewalls that can help keep unwanted people out of your data. If you do not know how to do this, or cannot keep updated on all of the changes occurring, you should consider hiring a third party to help you. Data security firms can either help you create and maintain systems to protect your data, or they can store the data on their own servers for a fee. Whichever option you choose, getting help will ensure you never have to defend yourself in court for a data breach again.