(Reuters) - My parents have four dogs who cannot resist pie. Last Thanksgiving, I made the mistake of leaving a baked-from-scratch pumpkin pie in the middle of the kitchen table while the family ate dinner in the dining room. When we went to fetch dessert from the kitchen, the pie was gone. All of the dogs had access. All of them have criminal intent when it comes to pumpkin pie. Obviously, at least one of them (and probably more than one) stole it. But we couldn’t yell at any of the dogs for pie-snatching because we couldn’t know for sure which of them was responsible. That’s just common sense, right? You can’t hold a dog responsible for wrongdoing unless you’re sure the dog has, in fact, caused harm.
What works for pie-thieving dogs does not, however, work for data breach defendants. On Monday, U.S. District Judge Thomas Thrash of Atlanta became the latest judge to reject defense arguments that Americans’ personal information has been exposed in so many different data breaches that it’s impossible to hold any particular corporation responsible for harm to any particular plaintiff. Thrash, who is overseeing multidistrict litigation against Equifax for the 2017 infiltration in which hackers stole the personal information of nearly 148 million (!) Americans, denied the company’s motion to dismiss a class action by consumers who claim to have been victimized.
Equifax’s lawyers at King & Spalding actually based their argument on statistics included in a complaint by a separate class of financial institutions suing the credit reporting company over the 2017 breach. The banks’ complaint, citing a 2017 report by the Identity Theft Resource Center, said there were a record-setting 1,579 data breaches in 2017, exposing more than 178.93 billion records. The banks cited the stat to argue that Equifax should have been more careful to protect confidential data, given the prevalence of hacks and identity theft. Equifax’s lawyers attempted to turn the information to their advantage, claiming that consumers in the class action can’t prove their confidential data wasn’t compromised in some other data hack.
“Certainly, no individual plaintiff has alleged (or could allege) facts tying any actual harm to the Equifax breach,” the dismissal motion said. “Importantly, no plaintiff alleges that her (personal identifying information) was not stolen in other data breaches. Given how often data breaches occur, plaintiffs’ attempt to blame Equifax is guesswork at best.” Without tying specific harms to the theft of information from Equifax, the company argued, consumers can’t claim negligence because they can’t establish proximate cause.
Judge Thrash was having none of it. He held it’s enough for plaintiffs to allege, at this stage of the case, that their personal information was exposed in the Equifax hack and that they’ve suffered some form of identity theft or identity fraud. “The plaintiffs need not explicitly state that other breaches did not cause these alleged injuries, since their allegations that this data breach did cause their injuries implies such an allegation,” the judge wrote.
More broadly, he said, it’s just misguided to conclude that no defendant can be liable because others have committed the same alleged wrongdoing. “Allowing the defendants to rely on other data breaches to defeat a causal connection would ‘create a perverse incentive for companies: So long as enough data breaches take place, individual companies will never be found liable,’” Thrash wrote. “The court declines to create such a perverse incentive.”
Judge Thrash’s opinion cited two rulings by U.S. District Judge Lucy Koh of San Jose in previous data breach class actions against Yahoo and Anthem. In both cases, defense lawyers argued that consumers didn’t have standing to sue because they couldn’t trace their alleged injuries back to specific hacks. Judge Koh had no more patience for those arguments than Judge Thrash. Her most extensive discussion was in the Anthem class action (2016 WL 3029783), in which she coined the “perverse incentive” phrase. Judge Koh pointed out that the 7th U.S. Circuit Court of Appeals considered – and dismissed – a similar “you can’t blame anyone when everyone could be liable” argument in its landmark 2015 ruling in Remijas v. Neiman Marcus (794 F.3d 688), the first decision to hold that hacking victims have standing because of the mere threat of identity theft. The 7th Circuit, Judge Koh said, said that under the common law of torts, defendants claiming someone else could be responsible for their alleged negligence bear the burden of proving it. “No court,” Judge Koh said in her Anthem opinion, “has ever accepted the Anthem defendants’ argument in the data breach context.”
When Yahoo’s lawyers nevertheless tried the same play, Judge Koh smacked them down: “Again, the court is not persuaded by defendants’ arguments,” she wrote in a 2017 opinion (2017 WL 3727318). “Plaintiffs have plausibly alleged that plaintiffs had accounts with Yahoo, that plaintiffs’ account information was accessed in the data breaches, and that hackers used plaintiffs’ account information to gain access to plaintiffs’ Yahoo email accounts … the existence of other potential data breaches or causes for plaintiffs’ injuries does not defeat plaintiffs’ standing to sue defendants.”
I suppose Equifax could try to revive its proximate cause arguments later in the case, in a summary judgment motion or in opposition to class certification. But at the dismissal stage, it’s becoming clear that judges are not willing to let specific defendants off the hook because others have been just as allegedly negligent.
The views expressed in this article are not those of Reuters News.