Data Privacy Breach And Technology Law Newsletter 020609 - Presentation Transcript
Law Firm Newsletter
From the Technology and Privacy Practice
ALERT: A Plaintiff’s Dream: Damages in Privacy Litigation Just Got Easier to Prove.
The General Counsel, CFO and CEO of any corporation should take note: privacy
litigation is on the rise and it’s getting much easier for plaintiffs to establish damages.
You need to develop new strategies now to prepare for the growing trend.
Until recently, the recovery of damages in privacy litigation (data protection violations
and data breach failures) has been difficult for plaintiffs to establish. Courts in data
protection/privacy cases have traditionally been unwilling to award damages based upon
anxiety, fear or real identity theft when plaintiffs couldn’t prove that the damages from
the identity theft occurred as a direct result of a particular data breach. Most companies
suffering data breaches have escaped material damages by providing or paying for credit
monitoring services. The good old days are over.
Two recent cases outline a plaintiff’s roadmap to substantial damages. Any company
that thinks it is immune from employing best data protection and data breach practices
has now been given a wake-up call.
Case #1: Pinero v Jackson Hewitt Tax Service, No. 08-3535 (E.D. La. Jan 7, 2009) -
Customer tax returns were thrown in the dumpster outside of the office. There wasn’t any
indication of actual identity theft and therefore many of the initial claims were dismissed.
These claims included breach of contract, negligence, emotional distress, invasion of
privacy and the other claims that are usually thrown at the barn to see what sticks. What
the court didn’t throw out is why you should be re-thinking your data protection strategy.
The court didn’t throw out the claims for unfair trade practice and fraudulent inducement.
These claims were based upon the theory that the company’s privacy policy posted on the
web site did not match the operational reality of how it actually protected the customer
data. What does this mean to you? It means that the door has been thrown wide open for
a plaintiff to establish a clear path to damages, that punitive damages are now in play and
that class action suits are now in play.
Case #2: Department of Veterans Affairs Data Theft Litigation, No. 06-0506,
(D.D.C. January 27, 2009) - This is a case of consolidated class action suits against the
VA for a data breach in 2006 where a VA employee brought home a laptop with
personal data on about 26M veterans and then the laptop was stolen. It was later
recovered and the FBI didn’t think any personal data was accessed. That’s the good
news. The bad news is that the VA settled the consolidated suits for $20M. Payments
are a minimum of $75 per person and go up to $1500 per person. $5.5M is set aside to
pay the attorneys. Any leftover money goes to veteran charities. This case is important
for two reasons: first, the size of the settlement in conjunction with the fact that there is
no proof of any actual damages; and second, because the VA has actually agreed to pay
the affected individuals up to $1500 each and not slide out of the suit by paying for credit
monitoring.
How we can help: We can help in three ways:
1. This law firm works with organizations to strategically review and create
defensible data protection and data breach strategies. We offer holistic risk
mitigation services that serve to manage your potential liability in cases of
data breach.
2. In the event of a data breach, we engage to assist you in your responses to
affected consumers and relevant state attorneys general.
3. In the event of litigation we offer leading edge defense capabilities.
For more information please contact Todd B. Ruback at Truback@newjerseylaw.net or
908-757-7800 x196.