Update (April 13, 2018): Following up on the putative Uber data breach class action, discussed below in an earlier post, here is the plaintiffs’ argument for why the Court should disregard the arbitration clause in Uber’s Terms & Conditions:
Defendants do not seek to compel arbitration on a bad ride, an over-charge, or the like, which would fall under the [Uber] Terms and for that reason might be arbitrable. Instead, Defendants seek to compel arbitration concerning the manner in which Uber collects, uses, and shares Plaintiff’s personal information (which, again, falls under the Privacy Policy, which does not contain an arbitration agreement).
Minnesota Litigator will not predict the outcome of this motion, tempting though it may be. It is all the more tempting because, according to the plaintiffs’ lawyers, there’s a significant likelihood that the Court will never have the opportunity to decide the motion because of proceedings going on in a related case: In re: Uber Data Breach Litigation, MDL No. 2826, pending in the Northern District of California. So maybe we could never be proved wrong?
Original post (March 16, 2018): We started the week discussing the unsuccessful class action claims against SuperValu for data breaches which, apparently, caused no provable actual financial losses to anyone.
We end the week noting that the Uber data breach proposed class action may be even weaker because, on top of the apparent difficulty of showing actual financial losses from the breach, there is the pesky arbitration clause that we’ve all apparently signed onto (that is, all of us who have ever “ubered”).
Those sympathetic to the plaintiffs in these cases will point out the fix plaintiffs are in.
First, when one’s credit card data is stolen and one’s card is misused, most often in some far-flung place and not immediately following a data breach, the thieves will not send a thank-you note, informing the crime victim as to where they obtained the stolen PII (personal identifying information). Tracing identity theft to a particular data breach is nearly impossible.
Second, while credit card companies often cover the fraud loss (supposedly resulting in “no financial loss” to card-holder victims), the card companies “cover” the loss by raising card costs. So, one does suffer a financial injury, but only an indirect one.
Third, the credit card companies and the law don’t seem to acknowledge or compensate for victims’ lost time, the inconvenience of card replacement, and many other ancillary costs. At least, they don’t always.
In some cases, they have. In the Target data breach class action, under the settlement agreement:
All Settlement Class Members who had their personal or financial information compromised [were able to] get reimbursed for losses caused by the data breach of up to $10,000. These losses could be related to:
Unauthorized, unreimbursed charges on your credit or debit card;
Time spent addressing unauthorized charges on your credit or debit card;
Costs to hire someone to help correct your credit report;
Higher interest rate on an account or higher interest fees that you paid;
Loss of access or restricted access to funds;
Fees paid on your accounts (such as late fees, declined payment fees, overdrafts, returned checks, customer service, or card cancellation or replacement);
Credit-related costs (such as buying credit reports, credit monitoring or identity theft protection, or costs to place a freeze or alert on your credit report);
Costs to replace your driver’s license, state identification card, social security number, or phone number; or
Other costs or unreimbursed expenses as a result of the Target Data Breach.