EMI v. Comerica: Comerica's Motion for Summary Judgment

Back in February 2010, we reported on an online banking lawsuit filed by Experi-Metal Inc. (“EMI”) against Comerica (the “EMI Lawsuit”). As you might recall, this case involved a successful phishing attack that allowed the bad guys to obtain EMI’s online banking login credentials and wire about $560,000 out of EMI’s account (the original amount was $1.9 million, but Comerica was able to recover some of that). The bad guys were able to foil Comerica's two-factor, token-based authentication with a man-in-the-middle attack. Comerica did not reimburse EMI for the loss, and this lawsuit resulted. In April 2010, Comerica filed a motion for summary judgment seeking to dismiss the case. The motion has been fully briefed by both sides, and this blogpost looks at the arguments being made by the parties (you can find EMI’s response brief here and Comerica’s reply brief here).

P.S. I have linked to some of the key documents and have not included all of the supporting exhibits. I have all of the exhibits supporting all of these briefs, including relevant contracts and guides. If you want them all, please contact me at dnavetta@infolawgroup.com and we can arrange something.

Background

This matter revolves around a couple sections of Michigan’s version of the Uniform Commercial Code, in particular MCLA 440.4702(2), which provides in relevant part:

(2) If a bank and its customer have agreed that the authenticity of payment orders issued to the bank in the name of the customer as sender will be verified pursuant to a security procedure, a payment order received by the receiving bank is effective as the order of the customer, whether or not authorized, if (i) the security procedure is a commercially reasonable method of providing security against unauthorized payment orders, and (ii) the bank proves that it accepted the payment order in good faith and in compliance with the security procedure and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer. The bank is not required to follow an instruction that violates a written agreement with the customer or notice of which is not received at a time and in a manner affording the bank a reasonable opportunity to act on it before the payment order is accepted. (emphasis supplied)

MCLA 440.4702(3) explains how “commercial reasonableness” is to be determined under MCLA 440.4702(2):

(3) Commercial reasonableness of a security procedure is a question of law to be determined by considering the wishes of the customer expressed to the bank, the circumstances of the customer known to the bank, including the size, type, and frequency of payment orders normally issued by the customer to the bank, alternative security procedures offered to the customer, and security procedures in general use by customers and receiving banks similarly situated. A security procedure is deemed to be commercially reasonable if (i) the security procedure was chosen by the customer after the bank offered, and the customer refused, a security procedure that was commercially reasonable for that customer, and (ii) the customer expressly agreed in writing to be bound by any payment order, whether or not authorized, issued in its name and accepted by the bank in compliance with the security procedure chosen by the customer. (emphasis supplied).

Finally, the definition of “security procedure” under MCLA 440.4701 is relevant in this context:

“Security procedure” means a procedure established by agreement of a customer and a receiving bank for the purpose of: (i) verifying that a payment order or communication amending or cancelling a payment order is that of the customer, or (ii) detecting error in the transmission or the content of the payment order or communication. (emphasis supplied)

In short, what these laws do is assign the risk of loss with respect to payment orders that may not have actually been initiated by the customer. Even if a payment order is initiated by a criminal, that payment order will be deemed effective under the law as long as the requirements of MCLA 440.4702(2) are satisfied. If those requirements are satisfied, the losses may fall on the banking customer rather than the bank (at least with respect to this particular law – there may be other theories of liability that could apply).

Comerica’s Motion for Summary Judgment

The following summarizes the main arguments put forth by Comerica in its motion for summary judgment ("MSJ").

  • Comerica’s security procedure was commercially reasonable as a matter of law.

Comerica had established two-factor authentication using RSA secure token technology for its online banking. In order to access its online banking account, EMI was required to input a user ID, a password and a PIN generated by the RSA token(s) possessed by EMI (the PIN is randomly generated and changes every sixty seconds). Comerica maintains that EMI agreed that this security scheme was commercially reasonable. Support for this contention is found in the NetVision Wire Transfer Agreement entered into by EMI, which provided:

Customer [EMI] agrees that the selected Security Procedures are commercially reasonable for the type of entries which Customer may transmit to Bank, and Customer shall hold Bank harmless for any action taken in reliance upon the use of the Security Procedures.

Comerica also argues that two-factor authentication is the same security it uses for its high-volume wire transfer customers (i.e., suggesting that it was providing more security than would normally be afforded to a low-volume customer like EMI).

Key to its argument is the language of MCLA 440.4702(3)(i) quoted above (the portion marked as emphasized in the statutory excerpt). Comerica argues that it offered EMI the ability to require up to two users to confirm every wire transfer payment order made by an EMI employee (the evidence for this offer is an affidavit from a Comerica VP indicating that she told EMI’s online account administrator about this security option). Following the relevant language in MCLA 440.4702(3), Comerica argues that EMI was offered this security option but refused it, and therefore the two-factor authentication that EMI used is automatically “deemed” commercially reasonable.

  • Comerica followed the security procedure EMI agreed to use and acted in good faith

Comerica argues that there is no evidence suggesting that it failed to follow its security procedures consistent with MCLA 440.4702(3)(ii), and it maintains that it acted in good faith in accepting the fraudulent payment orders. Specifically, Comerica indicates it followed the two-factor authentication procedure that had been established. It also uses this argument to support its position that it acted in good faith. In addition, Comerica points to the assistance it provided EMI in recovering a large portion of the transferred funds as evidence of its good faith.

  • EMI admitted it was the source of the security breach

Comerica also argues that EMI was responsible for keeping passwords and PINs confidential, and that its own actions resulted in the breach when it provided that information to the phishing attacker. To support this argument, Comerica cites a comment to UCC section 4A-203 which states:

The burden on the customer is to supervise its employees to assure compliance with the security procedure and to safeguard confidential security information and access to transmitting facilities so the security procedure cannot be breached.

EMI’s Response to Comerica’s Motion for Summary Judgment

EMI sets forth several arguments as to why it believes that summary judgment is unwarranted. As a reminder, the general rule is that a motion for summary judgment should be granted only if there is no genuine issue as to any material fact (such that judgment is appropriate as a matter of law). Focusing on MCLA 440.4702(2) and the definition of “security procedure” under MCLA 440.4701, EMI sets forth four arguments contending that genuine issues of material fact do exist (making summary judgment inappropriate).

  • EMI never agreed to the RSA Token security procedures, therefore they are not “security procedures” as defined under MCLA 440.4701

MCLA 440.4702(2) only applies to “security procedures” as defined under MCLA 440.4701. EMI contends that it never agreed to the RSA token security procedures, and therefore MCLA 440.4702(2) is not applicable.

This argument rests on the allegation by EMI that Comerica switched wire transfer services, and EMI never agreed to the security procedures for the new services. EMI argues that it had entered into an agreement for NetVision Wire Transfer Services in November 2003. As mentioned in Comerica’s MSJ, EMI signed the agreement for NetVision services that included a specific agreement by EMI that Comerica was using commercially reasonable security. The authentication security for NetVision was a “digital certificate” process.

However, in May 2008 Comerica apparently changed to “TMC Web wire transfer services,” which used the RSA token security. EMI contends that it never entered into a written agreement for the new TMC Web services, never agreed to the RSA token security, and never agreed that such security was commercially reasonable. EMI also argues that it was not a signatory to various other documents referenced by Comerica, including an online banking user guide and Comerica’s Treasury Management Services Master Agreement (both of which provided more information concerning Comerica's security procedures).

Finally, EMI disputes Comerica’s contention that EMI’s use of wire transfer services constitutes acceptance of the RSA token security procedures. According to EMI, it actually never sent a wire transfer using the TMC Web wire service that utilized the RSA token security, and therefore it never accepted this security procedure. Since the RSA token security was never “agreed to” by EMI, it contends that MCLA 440.4702(2) does not apply or shift the risk of loss to EMI, and that Comerica is responsible.

  • Genuine issues of material fact exist as to whether Comerica’s RSA token security was “commercially reasonable”

EMI disputes Comerica’s contention that the RSA token security should be deemed reasonable under MCLA 440.4702(3). As summarized above, under that section if a customer refuses a security procedure that was commercially reasonable, but the customer agrees to another security procedure, the latter procedure is deemed commercially reasonable. This is basically a timing argument supported by dueling affidavits.

EMI claims that, at the time the TMC Web wire service was initiated, it was never advised that it could require approval from two authorized users prior to wire transfer, nor did Comerica offer additional security procedure options in connection with TMC Web services. This argument also rests on the prior EMI argument that it never entered into an agreement concerning the security of the TMC Web wire services in the first instance.

EMI then takes on the substance of "commercially reasonable security" using expert witness testimony. EMI’s expert contends that secure token technology was known to lack any reasonable defense against a “man-in-the-middle” phishing attack. EMI’s expert opines that secure token technology has been unacceptable for banking logins since 2003. EMI’s expert also argues that Comerica’s particular implementation of this security was flawed based on prior practices of Comerica. In particular, with respect to the NetVision wire services that predated the TMC Web wire services, Comerica allegedly regularly sent EMI unsolicited emails containing links that requested confidential login information. Essentially, Comerica's prior practice conditioned EMI personnel to be caught off guard when the phishing attack came in.

EMI also takes issue with the warnings that Comerica sent out concerning phishing attacks. It points to Comerica’s April 28, 2008 communication in which Comerica indicated that it would never ask for confidential information in an email. EMI contends that the very next day it received an email from Comerica asking EMI to provide confidential login information.

Finally, EMI argues that the RSA token-based security used by Comerica was not commercially reasonable because Comerica did not also implement security protection related to transaction verification, i.e., verifying each wire transfer initiated after the initial login. In other words, EMI contends that an online banking system that allows unfettered wire transfers after a single successful login is not commercially reasonable. Had the token-generated PIN been required for each wire transfer (recall that the RSA token generates a new random number every sixty seconds), then the bad guys would have been stopped after the first fraudulent wire transfer (instead of being able to make 93 separate wire transfers for a total of $1.9 million).

  • Genuine issues of material fact exist as to whether Comerica accepted payment orders in good faith and in compliance with the security procedures

EMI first argues that Comerica failed to accept the payment orders in good faith because it allowed 47 wire transfers to happen within a few hours even though EMI had only made two wire transfers in the prior two years. Moreover, EMI argues that Comerica’s lack of good faith is evidenced because it allowed 46 wire transfers to go through after EMI notified Comerica that EMI had not initiated the transfers. EMI also maintains that the failure to implement a simple fraud scoring system or fraud monitoring program to stop these types of wire transfers was evidence of a lack of good faith.

Comerica’s Reply to EMI’s Response

Comerica also filed a reply brief to address the arguments set forth in EMI’s response to the MSJ. This section summarizes Comerica’s arguments.

  • The NetVision and TM Connect Web wire services were the same service governed by the 2003 NetVision contract

Comerica attempts to nullify EMI’s argument that it never entered into an agreement for security procedures related to TM Connect Web wire services. It contends that NetVision and TM Connect are the same systems. Comerica argues it simply changed the name of its online banking system. Comerica argues that the “Services” governed by the 2003 NetVision contract were the same and that all of EMI’s online transactions were subject to that contract. Comerica notes that the NetVision contract incorporates Comerica’s Treasury Management Services Master Agreement and a related user guide which Comerica uses to buttress its MSJ.

The NetVision contract also allows Comerica to update its security procedures, and indicates that after notice is provided by Comerica to EMI, EMI’s use of the services constitutes acceptance of the new security procedure. While EMI did not use wire transfer services until after NetVision changed its name to TM Connect Web, it had received wires from outside parties. Comerica contends that EMI’s continued receipt of wire transfers into its account constitutes use of the services and acceptance of the RSA token-based security procedures for outgoing wire transfers. Of course, EMI's acceptance is crucial if Comerica wants to rely on the risk-transfer mechanism set forth in MCLA 440.4702(2).

  • Under MCLA 440.4702(3) the issue of the “commercial reasonableness” of a security procedure is a question of law, not fact

On this issue, Comerica points to the explicit language of MCLA 440.4702(3), which indicates that “commercial reasonableness of a security procedure is a question of law.” As such, the court can decide that issue on a motion for summary judgment. Comerica contends that EMI acknowledged in the NetVision agreement that Comerica’s security procedures were commercially reasonable, making summary judgment in Comerica's favor appropriate.

  • Comerica followed its procedures and acted in good faith

Comerica contends that it followed the procedures in place for online banking and denies that other procedures, such as requiring the initiation of wire transfers by phone call, were relevant. It attempts to counter EMI’s arguments concerning good faith by noting that it was not physically possible to stop some of the wire transfers after EMI informed Comerica that those transfers were not authorized. Moreover, Comerica argues that when it was able to stop or recall wire transfers it did so despite not being bound to do so, and ultimately decreased the loss from $1.9 million to $560,000.

Finally, Comerica addresses EMI's arguments concerning prior Comerica requests for confidential information via email. It argues that those emails did not send the user back to a Comerica website, but rather to a website hosted by its security vendor, Verisign. Secondly, the information that was requested was not online banking login credentials, but rather an ID/PIN sent each year for the sole purpose of renewing EMI’s digital certificate. As such, Comerica’s warning that it would never ask for online banking credentials via email was not untrue, as EMI suggested.

Conclusion

These cases always get interesting when a little discovery ensues and the litigants begin digging into the relevant documents and contracts. As you can see, there is a lot going on here that has little to do with actual security, and more to do with procedural issues around security acceptance, contracting and the UCC. Nonetheless, on some level the issue of commercially reasonable security will have to be addressed (either by the court on this motion for summary judgment or later in the proceedings by the ultimate trier of fact).

What can be gathered from this case and this MSJ is the importance of contracts in this context, and apparently the importance of contract timing issues and clear indications of “accepting” security procedures related to online banking. While there is a paper trail here with some favorable contract language, the record does look muddied, and this can make it more difficult to win at this stage of litigation. Had the bank thought it through in more detail, it probably could have created a more solid record to back its arguments. For instance, while contracts incorporating other documents that are constantly changing may be efficient, they may not establish the same degree of acceptance as requiring a new contract or other document certifying acceptance. Based on the dueling arguments, it is difficult to determine exactly where the court will come down on this motion for summary judgment. I believe that oral arguments are scheduled and thereafter we will get a written opinion from the court. Until then, have fun breaking these documents down and feel free to ask any questions you may have in the comments.

Online Banking and "Reasonable Security" Under the Law: Breaking New Ground?

With the report of another data security-related lawsuit involving online banking (another 2009 lawsuit referenced here involved an alleged loss of over $500,000), and a recent victory for a plaintiff on a summary judgment motion in a similar online banking data security breach case, the question arises whether online banking breaches will yield some substantive case law on the issue of “reasonable” security procedures as a matter of law. Ironically, this question may be answered by reference to a 20-year-old model code (UCC 4A) originally drafted to address technological advances from that era. This post explores two complaints recently filed against banks for online banking losses (Patco Construction Co. v. People’s United Bank ("PATCO”) and JM Test Systems, Inc. v. Capital One Bank ("JMT")) and a court’s ruling on a motion for summary judgment in a similar lawsuit (Shames-Yeakel v. Citizens Bank Memo and Memo Order on Motion for Summary Judgment – the “Shames-Yeakel” case). In short, since the Shames-Yeakel case proceeded past the "damages" pleading phase, it (and possibly these other online breach suits) reveals how some courts view security "standards" and approach the question of whether a company has achieved "reasonable security." I also believe they demonstrate the difficulty defendants face if they have to defend their security measures in a litigation context after a security breach.

Plaintiffs’ Allegations

In general, these matters involve a fairly consistent set of allegations:

  • the bank allowed a small business to utilize online banking, including ACH transfers;
  • nefarious third parties somehow gained access to the plaintiffs’ online banking account (e.g. login credentials such as username, password, “secret question”, etc.), which allowed them to use the online banking system to transfer (a.k.a. steal) funds out of the plaintiffs' bank account;
  • the bank failed to provide notice to the plaintiffs of unusual or suspicious activity; and
  • the bank’s security measures did not prevent the fraudulent transfers and were not commercially reasonable.

In addition, the following facts were alleged in one or more of the three cases:

  • the bank failed to block a transfer request from an IP address that had never previously been used by the plaintiff (i.e., the request originated from an IP address different from the one the plaintiff typically used);
  • the bank did not utilize multi-factor authentication (e.g. “token-based” authentication or fax confirmation);
  • the allowable daily transfer limit vastly exceeded the plaintiffs’ average/maximum daily transfers (e.g. in PATCO, the daily maximum limit was $750k, but the most PATCO ever needed to transfer was $36.6k);
  • the funds were transferred to individual accounts to which the plaintiffs had never transferred funds before; and
  • despite having been informed of unauthorized transactions by the plaintiff, the bank did not close the account in order to prevent more fraudulent transactions (JMT case only).

Alleged Legal Theories

Based on these facts, the plaintiffs asserted various causes of action against the banks relating to security practices. In both PATCO and JMT, the plaintiffs referenced the bank’s failure to comply with section 4A-202 (ISSUE AND ACCEPTANCE OF PAYMENT ORDER) of the Uniform Commercial Code (in PATCO the plaintiffs cited MRSA 4-1202 and in JMT they cited RS 10:4A-202). Under 4A-202, as long as the bank and its customer have agreed that the customer’s payment orders will be verified pursuant to a “security procedure”, a payment order received in the customer’s name will be considered an effective order of the customer, whether or not it was actually authorized by the customer, but only if the security procedure was “commercially reasonable” and followed by the bank. In PATCO, for example, the plaintiffs alleged that 4A-202 had been violated for the following reasons:

  • failure to offer/use multi-factor authentication to authenticate the plaintiffs’ identity for online transactions;
  • use of an unreasonably low trigger for “challenge question” authentication;
  • failure to provide an IP address block that would block orders originating from unapproved IP addresses;
  • failure to detect fraud even though the amounts of the payments were the largest ever made under the account, were sent to accounts to which funds had never been transferred, originated from an IP address that had never previously been used and occurred on days on which the plaintiff normally did not make payments;
  • failure to offer a dual control option requiring two people to log on in order to complete a payment transaction;
  • allowing a transfer limit that exceeded the needs of the plaintiff;
  • failure to manually review ACH payment batches prior to submission for payment; and
  • failure to provide email alerts concerning unusual transactions.
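The controls in this list (unknown IP address, new beneficiary, amounts above the customer's own maximum, transfers on an unusual schedule) together with EMI's arguments earlier in this post about fraud scoring and requiring a token PIN for each wire transfer amount to one transaction-risk policy. The block below is an added illustration, not code from any bank or party in these cases: it scores each outgoing order against a constructed customer baseline and returns accept, step_up (a fresh one-time token PIN for that specific order) or hold, and holds everything once the customer has reported unauthorized activity. Every threshold, IP address, account identifier and timestamp in it is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass
class Wire:
    """One outgoing wire/ACH payment order submitted through online banking."""
    ts: datetime
    amount: float
    beneficiary: str   # destination account the funds would go to
    src_ip: str        # IP address of the online-banking session


@dataclass
class Profile:
    """Constructed per-customer baseline built from the customer's own history."""
    known_ips: set
    known_beneficiaries: set
    max_amount: float                 # largest wire the customer ever sent
    history: List[datetime]           # timestamps of past outgoing wires
    lookback: timedelta = timedelta(days=730)
    fraud_reported_at: Optional[datetime] = None  # when the customer said "not us"


VELOCITY_WINDOW = timedelta(hours=24)
STEP_UP_SCORE = 4   # constructed threshold: demand a fresh token PIN for this order
HOLD_SCORE = 7      # constructed threshold: hold the order for manual review


def baseline_rate(profile: Profile, now: datetime) -> float:
    """Average wires per VELOCITY_WINDOW over the lookback period."""
    cutoff = now - profile.lookback
    n = sum(1 for t in profile.history if t >= cutoff)
    return n / (profile.lookback / VELOCITY_WINDOW)


def score_wire(profile: Profile, wire: Wire, cleared: List[Wire]) -> Tuple[int, List[str]]:
    """Score one order; `cleared` = earlier orders in this session that were not held."""
    if profile.fraud_reported_at and wire.ts >= profile.fraud_reported_at:
        # Nothing should go out after the customer reports unauthorized activity.
        return HOLD_SCORE, ["customer reported unauthorized activity"]
    score, reasons = 0, []
    if wire.src_ip not in profile.known_ips:
        score += 3
        reasons.append("source IP never used by this customer")
    if wire.beneficiary not in profile.known_beneficiaries:
        score += 2
        reasons.append("beneficiary never paid before")
    if wire.amount > profile.max_amount:
        score += 2
        reasons.append("amount exceeds the customer's historical maximum")
    # Velocity: orders in the last 24h (including this one) versus the customer's own rate.
    recent = sum(1 for w in cleared if w.ts >= wire.ts - VELOCITY_WINDOW) + 1
    expected = baseline_rate(profile, wire.ts)
    if recent > max(2.0, 5 * expected):
        score += 3
        reasons.append(f"{recent} wires in 24h vs baseline {expected:.4f}")
    return score, reasons


def decide(score: int) -> str:
    if score >= HOLD_SCORE:
        return "hold"
    if score >= STEP_UP_SCORE:
        return "step_up"
    return "accept"


def process_batch(profile: Profile, wires: List[Wire]) -> List[Tuple[str, int, List[str]]]:
    """Score orders in time order. Step-up orders are assumed to clear once the
    customer re-enters a token PIN, so they still count toward velocity."""
    cleared, results = [], []
    for w in sorted(wires, key=lambda x: x.ts):
        score, reasons = score_wire(profile, w, cleared)
        verdict = decide(score)
        results.append((verdict, score, reasons))
        if verdict != "hold":
            cleared.append(w)
    return results


def sample_profile() -> Profile:
    """Constructed low-volume customer: two wires in the prior two years."""
    base = datetime(2009, 1, 22, 9, 0)
    return Profile(
        known_ips={"203.0.113.10"},
        known_beneficiaries={"acct-vendor-1"},
        max_amount=5000.0,
        history=[base - timedelta(days=600), base - timedelta(days=420)],
        fraud_reported_at=base + timedelta(minutes=90),
    )


def sample_wires() -> List[Wire]:
    """Constructed session: one routine wire, then a burst from an unknown IP."""
    base = datetime(2009, 1, 22, 9, 0)
    return [
        Wire(base - timedelta(hours=30), 3000.0, "acct-vendor-1", "203.0.113.10"),
        Wire(base, 4000.0, "acct-mule-1", "198.51.100.7"),
        Wire(base + timedelta(minutes=5), 4000.0, "acct-mule-2", "198.51.100.7"),
        Wire(base + timedelta(minutes=10), 4000.0, "acct-mule-3", "198.51.100.7"),
        Wire(base + timedelta(minutes=100), 4000.0, "acct-mule-4", "198.51.100.7"),
    ]


if __name__ == "__main__":
    for verdict, score, reasons in process_batch(sample_profile(), sample_wires()):
        print(verdict, score, reasons)
```

Run as-is, the routine wire is accepted, the first two orders from the unknown IP are forced through a per-order token PIN, the third is held on velocity alone, and the order arriving after the customer's report is held regardless of score.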

In addition to a UCC violation, all of the cases included allegations of negligent security and breach of contract. In Shames-Yeakel, the plaintiffs alleged that the bank’s failure to implement multi-factor authentication did not comply with a document put out by the Federal Financial Institutions Examination Council (“FFIEC”) entitled “Authentication in an Internet Banking Environment” (the FFIEC Report), and therefore presented questions of fact as to negligence. The JMT plaintiff, in support of its negligence claim, alleged a failure to meet the security standards of “similarly situated” national banks, a failure to implement security procedures that were “commercially reasonable,” and a failure of the bank to comply with its own existing security procedures.

The Judgment on the Shames-Yeakel Motion for Summary Judgment

While the PATCO and JMT complaints have not yet been tested on motion, the Shames-Yeakel plaintiffs have survived a summary judgment motion. In addition to other statutory claims that were particular to the fact pattern at hand, and most relevant to this blogpost, the plaintiffs alleged that the bank was negligent in failing to protect the plaintiffs’ online account, and in particular breached its duty to sufficiently secure its online banking system.

As such, the threshold question the court addressed was whether the Bank had a duty to “sufficiently secure” its online banking. On that point, the court extrapolated a duty to secure from a bank’s general duty to refrain from disclosing its customers’ information:

A number of courts have recognized that fiduciary institutions have a common law duty to protect their members’ or customers’ confidential information against identity theft. Although this court could not find an Indiana case addressing the matter, Indiana courts have held that a bank “has a duty not to disclose information concerning one of its customers unless it is to someone who has a legitimate public interest.” If this duty not to disclose customer information is to have any weight in the age of online banking, then banks must certainly employ sufficient security measures to protect their customers’ online accounts.

(citations omitted; emphasis added). Apparently, according to the court, the bank-defendant did not dispute the existence of a duty to protect the plaintiffs’ account from fraudulent access. However, the bank did contest the plaintiffs’ allegations that the bank breached its duty and that the breach caused harm to the plaintiffs.

On that issue, the court focused on the FFIEC Report. According to the court, the FFIEC Report indicated that single-factor identification was “inadequate” for securing online transactions of financial institutions. Moreover, a vice president of the bank admitted that the bank did not implement additional security measures beyond single-factor identification until after the breach at issue. Thus, the court held that a reasonable finder of fact could potentially conclude that the bank breached its duty. Moreover, since the bank had not reimbursed the plaintiffs for their economic loss, the court ruled that a jury could find that the bank’s failure to secure its system caused such economic loss (as well as mental and emotional anguish).

Analysis

The Shames-Yeakel case (as well as, potentially, the PATCO and JMT cases down the line) is very interesting from a data security breach liability perspective. First, most data breach cases (typically involving suits by consumers or by banks issuing credit cards) are dismissed early on for lack of damages or based on the economic loss doctrine. With online banking the damage component is clear (e.g. lost money), and since the loss of money arguably constitutes “direct damages” (rather than purely economic damages), the economic loss doctrine may not bar an action. As such, the court must rule on substantive issues such as the existence of a duty to provide “reasonable security” and whether that duty was breached and caused damages. This is what happened in Shames-Yeakel.

The approach taken by Shames-Yeakel was also very interesting. In essence, the Court took a non-binding, completely voluntary “guidance” document and allowed it to serve as the standard of care for “reasonable security” in this context. This FFIEC Report was not an official “standard” and did not reflect any statutory requirements (for purposes of establishing a negligence per se theory). I am sure that the FFIEC and other bodies have put out a lot of papers (formal and informal) on various security and privacy issues, and if other courts are willing to accept these guidance documents as establishing standards (or, better stated, as creating a question of fact for juries), then defendants in data breach cases may face some significant liability in the future. While this particular FFIEC Report may be the appropriate benchmark in this case, I would have liked to see the court explain its rationale in more detail for converting this guidance document into the standard of care (e.g. Why this particular document? What other kinds of documents or reports may establish the standard? If it were a report from a non-governmental body, would it have the same weight? Must the standard reflect some sort of consensus? What opposing guidance or opinions exist, and how much weight are they given in determining or discarding a particular alleged standard?, etc.)

Beyond the court’s decision to arguably elevate the importance of the FFIEC Report, it is not even clear that the report stands for the very broad proposition that single-factor authentication for online banking is inadequate. The following excerpt from the FFIEC Report summarizes the authors' views on the inadequacy of single-factor identification:

The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Financial institutions offering Internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services. The authentication techniques employed by the financial institution should be appropriate to the risks associated with those products and services. Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.

Note that the FFIEC Report indicates that single-factor authentication may be inadequate if it is the only control mechanism or where a risk assessment indicates that the use of single-factor authentication is inadequate. The FFIEC Report then lists layered security or multi-factor authentication as potentially compensating for single-factor authentication (I will let my security friends weigh in on this issue, as well as identify other potential compensating controls). In short, the FFIEC Report on its face seems to indicate that it is possible to utilize single-factor authentication with other controls such that risk is adequately mitigated. In contrast, the court in Shames-Yeakel stated the following:

In [the FFIEC Report] the Council described single-factor identification (username/password) as “inadequate” to secure the online transactions of financial institutions.

Despite overstating the conclusion of the FFIEC Report, however, overall the court’s decision to deny the motion for summary judgment may be okay. It is likely that both parties have contradictory expert testimony on the issue of reasonable security. Second, some testimony existed from the bank's vice president that appears to establish that only single-factor authentication was used by the bank (although this seems contradicted by the bank’s expert testimony that the bank employed reasonable security measures). Moreover, in general, whether single-factor authentication plus additional security adequately reduced the risk appears to be a factual question. I think the court could have reached the same ruling without overstating the conclusions of the FFIEC Report, simply by accurately citing the FFIEC Report and the vice president’s testimony and indicating that both sides had contradictory opinions on the overall issue of whether the bank’s security was reasonable.

Conclusion

The Shames-Yeakel ruling highlights potential significant difficulties for defendants if plaintiffs are able to proceed past the motion to dismiss phase in a data breach lawsuit. Despite the court’s inaccurate description of the FFIEC Report, when the question of whether security controls were adequate to reduce risk to an appropriate level is posed, it will be difficult for defendants to win on summary judgment. Like many other types of lawsuits, it will come down to a “battle of the experts”, and for these cases a “battle of the standards” (e.g. which standards should the defendant have complied with and did they comply with them). As such, for data breach defendants the pleadings phase will be where the street brawl will take place. Defendants will want to (and should) aggressively attack the early “questions of law” (e.g. does a duty exist at all, did the plaintiff suffer legally cognizable harm). If plaintiffs can get past this phase, it seems that it will be a challenge for defendants to win a motion for summary judgment and avoid the prospect of a jury trial (I think, for many data breaches, causation will be the most likely candidate for a defendant victory on summary judgment).