Beware the Breach: Data Breaches, Notification Duties and Legal Liability

Companies that experience a data breach may be exposed to more than merely bad publicity. A company whose data (such as customer social security numbers or credit card and bank account numbers) has been compromised may be required to comply with a complicated legal regime, often requiring notice to affected individuals. Moreover, that company may also face potential class-action litigation, in which it must defend against allegations that it was negligent in securing confidential information. While large companies like TJX Companies, Sony, LinkedIn, and most recently Yahoo!, have experienced breaches, smaller companies, too, may be targeted by hackers. The first step for a company holding any type of sensitive consumer data is consultation with security experts to effect necessary security precautions. However, if a company’s server or database is compromised, there are prudent steps that may be taken in response. This article addresses two legal issues that may confront companies that have suffered a breach: (1) the various notification requirements that may arise, and (2) the potential class action lawsuits that may follow.

Data Breaches: A Very Real Risk

Data breaches are a risk of doing business for all companies. In March 2007, TJX Companies, Inc., which includes the retail chains T.J. Maxx and Marshalls, revealed that hackers had gained access to the company’s computer system and stolen customer information over the course of 2005 and 2006, including 45.6 million credit and debit card numbers. See Jaikumar Vijayan, TJX data breach: At 45.6M card numbers, it’s the biggest ever, ComputerWorld, Mar. 29, 2007, available at https://www.computerworld.com. In April 2011, Sony, the Japanese electronics company, reported that hackers breached its PlayStation Network and stole the names, addresses and possibly credit card data belonging to 77 million user accounts. See Liana B. Baker & Jim Finkle, Sony PlayStation suffers massive data breach, Reuters, Apr. 26, 2011, available at http://www.reuters.com. Recently, in June 2012, hackers breached the social networking site LinkedIn and stole more than six million users’ passwords. See Nicole Perlroth, Lax Security at LinkedIn Is Laid Bare, N.Y. Times, June 10, 2012, available at http://www.nytimes.com. And, in July 2012, hackers breached data of the popular email providers Google, Yahoo!, and others, exposing almost half-a-million login credentials. See Yahoo Breach Extends Beyond Yahoo to Gmail, Hotmail, AOL Users, N.Y. Times, July 12, 2012, available at http://www.nytimes.com. A 2011 study calculated that, over the 662 reported security breaches the previous year, the average data breach costs a company $2.4 million to remedy. See Cyber Liability & Data Breach Insurance Claims: A Study of Actual Payouts for Covered Data Breaches, NetDiligence (June 2011), netdiligence.com/files/CyberLiability-0711sh.pdf.

When a company does suffer a breach, the natural question is: what next? The answer may be notification.

Navigating the Notification Regime

Companies in a few specific industries must comport with the notification requirements of federal statutes. Financial firms and health care companies must adhere to the reporting requirements of, respectively, the federal Gramm-Leach-Bliley Act, 15 U.S.C.A. §§ 6801-6809 (West 2010) (“GLBA”), and the Health Information Technology for Economic and Clinical Health Act, 42 U.S.C.A. § 17932 (West 2010) (“HITECH Act”), which addresses the disclosure of confidential health information and encompasses an even more complicated reporting regime, beyond the purview of this article.

The GLBA, for example, requires companies defined under the law as “financial institutions” to ensure the security of customers’ personal information. Financial institutions are defined as businesses that are engaged in certain “financial activities” such as traditional banking, lending, and insurance functions, along with other financial activities. See Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice, 70 Fed. Reg. 15736, 15738 (Mar. 29, 2005) (the “GLBA Guidelines”); 15 U.S.C.A. §§ 6805, 6809. The GLBA Guidelines state that when a financial institution becomes aware of a breach, the institution should conduct a reasonable investigation to determine if the information has been, or will likely be, misused. GLBA Guidelines at 15738-39, 15752. If the institution determines that misuse has occurred or is reasonably possible, the institution should notify the affected customers. Id. at 15739, 15752. An institution may limit the notification if it can determine which customers’ information has been improperly accessed. Id. at 15739-40, 15743, 15752. The GLBA Guidelines also address the information to be included in any notification given to customers. Id. at 15739, 15752-53.

The obligations of financial firms and health care companies who experience data breaches are not limited to reporting requirements under federal law. All companies, including these, must contend with the data breach notification statutes of 46 states, plus the District of Columbia, Puerto Rico, and the Virgin Islands. See 15 U.S.C.A. § 6807. Notably, these statutes focus on the residence of the individual whose information was compromised. Therefore, many companies, especially ones who conduct business online, may be required to comply simultaneously with the notification statutes of nearly all states.

The California Model

In 2003, California led the way in implementing the first state data breach notification statute, which then served as a model for other states, albeit with certain critical differences. See Cal. Civ. Code § 1798.82(a) (West 2012). As the model, it is helpful to examine the statute in greater detail and see how subsequent state statutes embraced or diverged from California’s example.

Generally, the California statute requires that companies notify California consumers if personal information maintained in their computerized data files has been compromised by unauthorized access. Specifically, companies that conduct business in California, even if from abroad, must notify California consumers when their names are obtained without authorization from a server or database along with other personal information such as their Social Security number, driver’s license number, account number, credit or debit card number, security code or password for accessing their financial account, medical information, or health insurance information. Id. § 1798.82(a), (h).

Under the statute, a data breach is defined as “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by the person or business.” Id. § 1798.82(g). In effect, California has a strict liability regime where any unauthorized acquisition requires notification, regardless of whether there is an injury to the consumer. Id. § 1798.82(b). California does, however, provide an encrypted data safe harbor, meaning that notification is not required if the compromised information was encrypted. Id. § 1798.82(a). Moreover, California does not require notification if the information illegally obtained is publicly available. Id. § 1798.82(i)(1).

If a company’s consumer information has been compromised, the company must notify the affected consumers “in the most expedient time possible and without unreasonable delay.” Id. § 1798.82(a). Notice can be by mail or electronic. However, the statute provides exceptions if actual notice would be too expensive, unwieldy, or simply impossible. If the company can demonstrate that the cost of providing notice would exceed $250,000, that the number of affected individuals exceeds 500,000, or that the company does not have sufficient contact information, then the company can instead provide email notice, conspicuous posting of the notice on the company’s website, or place the notification in major statewide media. Id. § 1798.82(f), (j)(3). Importantly, California’s statute encourages, but does not explicitly require, companies that experience a data breach to conduct internal investigations. Id. § 1798.82(a), (d)(2)(E).

New York’s Notification Statute

Though New York’s data breach notification statute shares many characteristics with California’s statute, it differs in several important respects. While California enumerates what specific data constitute protected information, New York maintains an expansive, generalized definition. The statute defines “private information” broadly as “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person” in combination with the person’s social security number, driver’s license number or other identification card number, or account, credit or debit card number along with the access code or password. N.Y. Gen. Bus. Law § 899-aa(1)(a)-(b) (McKinney 2011).

New York also diverges from California in defining what constitutes a breach that requires notification. Where California has a near strict-liability regime, New York’s statute is unique in including a non-exhaustive list of factors that may be used to determine if the information has been acquired without authorization — although, in the end, the factors (and the indication that the list is non-exhaustive) may lead to the same near strict-liability result as the California statute, requiring notification of any “breach in the security of the system to any resident of New York state whose private information was, or is reasonably believed to have been, acquired by a person without valid authorization.” Id. § 899-aa(2) (emphasis added). These factors include indications that (1) the information is in the physical possession and control of an unauthorized person, such as a lost or stolen computer or other device containing information, (2) the information has been downloaded or copied, or (3) the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported. Id. § 899-aa(1)(c).

Like California’s, New York’s statute permits electronic notice. Id. § 899-aa(5). New York’s statute also explicitly allows telephone notice. Id. New York’s statute, too, has an encrypted data safe harbor and exempts publicly available information. Id. § 899-aa(1)(b). The timing of a company’s disclosure of a breach may take into account “measures necessary to determine the scope of the breach and restore the reasonable integrity of the system,” thereby encouraging, but not mandating, companies that experience a data breach to conduct investigations. Id. § 899-aa(2).

Penalties for Violations of Notification Statutes

A company may face penalties if it fails to comply with the applicable notification statutes. These penalties, too, differ among the states. Several states, including California, have an express private right of action under their respective statutes. Cal. Civ. Code § 1798.84 (West 2012). Others, like New York’s, enable the Attorney General to seek actual damages and injunctive relief, but not to the exclusion of “any other lawful remedy available” – implying, if not explicitly allowing, a private right of action. N.Y. Gen. Bus. Law § 899-aa(6)(a)-(b). Some states increase the penalty if the violation was knowing or reckless. For example, if a court determines that a company violated New York’s notification statute knowingly or recklessly, the company may be liable for the greater of either $5,000 or up to $10 per failed notification, so long as the latter does not exceed $150,000. Id. § 899-aa(6).

Divergences among the States over Notification

A perusal of the other notification statutes reveals that, while the states modeled their respective statutes after California’s, the statutes, like New York’s, contain differences, some nuanced and some distinct. See, e.g., Iowa Code Ann. § 715C.1(11)(e) (West 2012) (does not limit the statute’s scope only to computerized or digital information, but also applies to biometric data like fingerprint or retina images); Neb. Rev. Stat. § 87-802(5)(e) (2010) (same); Kan. Stat. Ann. § 50-7a02(a) (West 2012) (rejecting California’s strict liability regime and defining breach in reference to the risk of harm to the affected consumers).

Indeed, there are many nuanced distinctions across the multiple state, commonwealth, and territories’ notification statutes, and it is prudent for a company that has experienced a breach (or would like to set up protocols in advance of a data breach) to consult with legal counsel and security experts to determine the precise requirements of notification in the jurisdictions reached or serviced by its business.

Negligence Claims in the Wake of Data Breaches

Even if a company fully complies with the applicable state notification statutes after suffering a breach, a class action lawsuit on behalf of those individuals affected may be brought, alleging that the company was negligent in securing its confidential information. However, nearly all the class action suits that have been brought against companies in the wake of data breaches have failed. Typically, plaintiffs have had difficulty establishing standing and/or that the breaches caused actual injuries. With few exceptions, even where plaintiffs have established standing, courts have dismissed such suits because the alleged damages were too speculative.

For example, in Pisciotta v. Old National Bancorp, the Seventh Circuit upheld the district court’s dismissal of the plaintiffs’ negligence claim in a data breach case. 499 F.3d 629, 635 (7th Cir. 2007). Old National Bancorp operated a marketing website on which individuals seeking banking services could fill out online applications for accounts, loans, and other banking services. The online application required customers to disclose personal information. The bank’s website was subsequently hacked, compromising the customers’ names, addresses, Social Security numbers, driver’s license numbers, dates of birth, and other financial information. Bancorp’s customers who had used the website sued, alleging that the bank was negligent in securing their personal information. Though the court found the plaintiffs’ allegations sufficient to confer standing in federal court, the court ultimately dismissed the suit for failure to state a claim, finding that, without more tangible harm, the plaintiffs’ allegations of increased risk of future identity theft were not compensable damages under applicable state law. Id. at 639-40.

Similarly, in Krottner v. Starbucks Corp., the Ninth Circuit upheld the district court’s dismissal of the plaintiffs’ negligence claim in the wake of a data breach. 406 Fed. Appx. 129 (9th Cir. 2010). The plaintiffs were former Starbucks employees whose names, addresses, and Social Security numbers were stored on a laptop that was stolen from Starbucks. The plaintiffs alleged that the breach increased their risk of future harm, which the court held was insufficient to plead damages under the controlling Washington statute and dismissed the complaint. Id. at 131 (Washington law required “[a]ctual loss or damage . . . mere danger of future harm, unaccompanied by present damage, will not support a negligence action” (citation omitted)).

An identical outcome was reached in Caudle v. Towers, Perrin, Forster & Crosby, Inc., a Southern District of New York litigation. 580 F. Supp. 2d 273 (S.D.N.Y. 2008). The named and putative class plaintiffs sought recovery from defendant, a pension and benefit consultant to their employer, for costs incurred for multi-year credit monitoring and identity theft insurance after notification that laptops containing personal information, including social security numbers, of thousands of employees had been stolen from the defendant’s offices. Id. at 275. The laptops had been password protected. Id. Although the court held plaintiff had established standing, the allegations of possible future harm were deemed insufficient to state a claim. New York “[c]ourts have uniformly ruled that the time and expense of credit monitoring to combat an increased risk of future identity theft is not, in itself, an injury that the law is prepared to remedy.” Id. at 284 (citation omitted). See also Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (where hacker breached the company’s payroll system and gained access to the confidential information of 27,000 employees at 1,900 of the company’s clients, including their names, birthdates, Social Security numbers, and bank account numbers, court found the plaintiffs’ allegations of injuries were too speculative to confer standing, because the complaint did not allege that the hacker (1) read, copied, and understood the information, (2) intended to illegally misuse the information, or (3) was able to make unauthorized transactions in the affected individuals’ names).

First Circuit Allows Claim to Proceed: A Revolution or an Aberration?

Last year, in Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir. 2011), the First Circuit seemed to upend this consensus. However, the facts of this case are unique enough that the court’s decision may prove to have narrow application. In Anderson, hackers stole millions of credit and debit card numbers, expiration dates, and security codes from the consumers of Hannaford, a national grocery store chain. The plaintiffs alleged that thousands of unauthorized charges were made to their accounts as a result of the breach, and that Hannaford was aware of this fraud. Id. at 164. The First Circuit, in reversing the district court’s dismissal, found that, under Maine law, the plaintiffs may recover costs incurred during reasonable efforts to mitigate damages caused by another’s negligence. Id. at 162. The First Circuit emphasized that, in this particular case, actual fraud occurred and thus found it reasonable that the affected individuals would purchase credit insurance or obtain new credit cards and pay the associated fees. Therefore, the court concluded that the plaintiffs’ claims for the costs of the identity theft insurance and replacement card fees involved actual financial losses that were foreseeable by the company and therefore might be recoverable as mitigation damages. Id. at 166.

The facts of Anderson, however, differ from those of Pisciotta, Krottner, and Reilly. In Anderson, the plaintiffs established that (1) actual fraud occurred and (2) the hackers “used that data to ring up thousands of charges to customer accounts, including the accounts of many of the plaintiffs.” Id. at 165. In Pisciotta, Krottner, and Caudle, by contrast, the plaintiffs did not plead that any actual fraud resulted from the data breaches.

The Costs of Settlement

To avoid protracted and expensive discovery along with ongoing negative publicity, some companies have entered into costly settlements. For example, after hackers stole customer information from TJX Companies in 2007, the company quickly entered into a settlement agreement with the affected consumers. In the settlement, TJX Companies agreed to provide a certain number of affected consumers with three years of credit monitoring, compensate affected consumers who could show actual losses resulting from the breach, and pay $6.5 million in attorney fees. In approving the settlement, a court estimated that the terms would cost the company $200 million. See In re TJX Cos. Retail Sec. Breach Litig., 584 F. Supp. 2d 395, 401 (D. Mass. 2008). Additionally, in order for the company to protect itself from further liability, TJX Companies and a group of 41 state attorneys general preemptively agreed to settle all civil claims that might arise from the breach. TJX Companies agreed to pay $9.75 million to the states, which was directed towards the implementation of a multi-state comprehensive information security program. See Jaikumar Vijayan, TJX reaches $9.75 million breach settlement with 41 states, ComputerWorld, June 24, 2009, available at http://www.computerworld.com.

Although courts have, on balance, tended to dismiss consumer claims against companies arising from data breaches, companies should not underestimate the seriousness of these claims outright. The First Circuit’s recent decision in Anderson potentially opens the door for other courts to expand the scope of liability in data breach cases, or at the very least provides plaintiffs with potential guidance on drafting a pleading and framing damages in a way that could survive a motion to dismiss. Furthermore, even where a claim is ultimately meritless, plaintiffs still have considerable leverage given the costs and disruption of discovery.

A New Avenue for E-Discovery Cost Recovery

E-discovery is often a substantial expense of litigation. For prevailing parties – that is, parties in whose favor judgment was rendered – there are limited ways to recoup e-discovery costs. In recent years, some prevailing parties have found a successful avenue for e-discovery cost recovery in federal court: a provision of the United States Code that provides for the reimbursement (known as “taxing”) of costs – 28 U.S.C. § 1920(4). However, the case law implementing section 1920(4) is unsettled and inconsistent. A recent decision by the Court of Appeals for the Third Circuit, Race Tires Am., Inc. v. Hoosier Racing Tire Corp., 674 F.3d 158 (3d Cir. 2012) (“Race Tires II”), strictly limited the range of e-discovery costs to which section 1920(4) applies. Nevertheless, several federal courts outside of the Third Circuit have allowed for broader cost recovery, and a federal court in California has twice explicitly declined to follow the Third Circuit on this issue. Further, no federal court in New York has directly addressed the scope of section 1920(4) with respect to e-discovery costs. Thus, prevailing federal litigants in New York may have available a new avenue for substantial e-discovery cost recovery.

A Brief History of Section 1920(4)

Federal Rule of Civil Procedure 54(d) states that “[u]nless a federal statute, these rules, or court order provides otherwise, costs—other than attorney’s fees—should be allowed to the prevailing party.” 28 U.S.C. § 1920(4) enumerates the litigation expenses that qualify as taxable costs. However, it does not expressly refer to e-discovery costs; it simply allows for prevailing parties to recover costs for “[f]ees for exemplification and the costs of making copies of any materials where the copies are necessarily obtained for use in the case.” Historically, courts construed this text to encompass only the copying of physical documents. Indeed, until an amendment in 2008, the statute referred to “copies of papers” rather than “copies of any materials.” The Committee on Court Administration and Case Management, in recommending the 2008 amendment, aimed “to permit taxing the costs associated with copying materials[,] whether or not they are in paper form.” See Judicial Conference of the U.S., Report of the Proceedings of the Judicial Conference of the United States 10 (Mar. 18, 2003). Even before the amendment’s enactment, several federal courts, including the Court of Appeals for the Sixth Circuit, had read Section 1920(4) to permit the recovery of costs related to e-discovery services. See BDT Products, Inc. v. Lexmark Int’l, Inc., 405 F.3d 415, 420 (6th Cir. 2005).

In recent years, federal courts have taken differing views on the meaning of Section 1920(4) and considered various factors in deciding whether to award e-discovery costs under the section. While some courts have allowed for the recovery of a broad range of e-discovery costs, others have awarded only limited recovery, and still others have denied e-discovery cost recovery altogether.

The Race Tires Decisions

Federal courts have analyzed various arguments in favor of, and in opposition to, awarding a broad range of e-discovery costs under section 1920(4). Many of these arguments are reflected in the divergent opinions of the District Court for the Western District of Pennsylvania and the Court of Appeals for the Third Circuit in Race Tires.

The district court’s opinion in Race Tires Am., Inc. v. Hoosier Racing Tire Corp. (“Race Tires I”), 2011 WL 1748620 (W.D. Pa. May 6, 2011) appeared to open the door to wide-ranging e-discovery cost recovery. The case stemmed from a 2007 antitrust lawsuit filed by Race Tires America against a rival tire producer and a motor sports sanctioning body. The defendants prevailed on summary judgment, and the court considered whether the prevailing defendants’ e-discovery costs could be taxed under section 1920(4). Much of the costs were attributable to the services of third-party vendors who had created litigation databases. This involved collecting and imaging hard drives, scanning documents, processing and indexing data, extracting metadata, making documents searchable, and converting documents into .tif format. In awarding these costs to the prevailing defendants, the court stressed that the plaintiff had aggressively pursued e-discovery. Id. at *9. Hiring expensive third-party vendors to retrieve and prepare e-documents was thus an “indispensable part of the discovery process” for the defendants and was not used “merely for the convenience of the parties.” Id. Further, the court noted that the creation of an e-discovery database is “highly technical” and “not the type of services that attorneys or paralegals are trained for or are capable of providing.” Id. The court awarded over $367,000 in e-discovery costs to the prevailing defendants.

On appeal, the Third Circuit issued a lengthy opinion strictly limiting the prevailing defendants’ e-discovery cost recovery under section 1920(4) to the conversion of native files to .tif format, the scanning of documents, and the transferring of VHS recordings to DVD format. Race Tires II, 674 F.3d at 165-70. The court reasoned that these services were equivalent to making copies of materials. Although the district court in Race Tires I and several other federal courts had upheld broader taxation based on the indispensability and cost-effectiveness of a prevailing party’s use of complex e-discovery services, the Third Circuit concluded that section 1920(4) “does not authorize taxation merely because today’s technology requires technical expertise not ordinarily possessed by the typical legal professional” and “does not say that activities that encourage cost savings may be taxed.” Race Tires II, 674 F.3d at 169. Instead, the Third Circuit adopted a literal reading: “Section 1920(4) authorizes awarding only the cost of making copies”; thus, activities “leading up to the actual production” of documents would not be taxable. Id. The court cited several federal courts that had followed this principle and quoted the Court of Appeals for the Ninth Circuit in Romero v. City of Pomona, which, in considering whether fees paid to experts who assembled and prepared trial exhibits were taxable, suggested that “fees are permitted only for the physical preparation and duplication of documents, not the intellectual effort involved in their production.” Race Tires II, 674 F.3d at 169 (citing 883 F.2d 1418, 1428 (9th Cir. 1989)). Thus, the Third Circuit denied costs for various e-discovery services performed prior to actually converting, scanning, or transferring documents and data, reducing the defendants’ e-discovery cost award from $367,000 to slightly over $30,000. Id. at 171-72.

While perhaps influential, outside of its jurisdiction the Third Circuit’s opinion is not the final word on recovering e-discovery costs under section 1920(4). The District Court for the Northern District of California has already explicitly rejected the Race Tires II holding in two cases. See Petroliam Nasional Berhad v. GoDaddy.com, Inc., 2012 WL 1610979, at *4 (N.D. Cal. May 8, 2012) (taking note of Race Tires II “but conclud[ing] that in the absence of directly analogous Ninth Circuit authority, broad construction of § 1920 with respect to electronic discovery costs – under the facts of this case – [was] appropriate”); In re OnlineDVD Rental Antitrust Litig., 2012 WL 1414111, at *1 (N.D. Cal. Apr. 20, 2012) (holding that court had ability to broadly construe section 1920 “with respect to electronic discovery production costs” and, given the specific facts of the case, awarded to plaintiffs over $700,000 in costs, including, among other things, .tif conversions and professional fees).

There is a range of divergent precedent on this issue in other federal courts outside of the Third Circuit, with courts awarding or denying cost recovery relating to various aspects of the e-discovery process.

Diverging Opinions: Conversion and Scanning Costs

Many other federal courts, in addition to the Third Circuit, have awarded conversion and scanning e-discovery costs under section 1920(4). These costs might be viewed as the most basic type of cost that could be taxed upon the application of section 1920(4) to electronic discovery. Indeed, even prior to the 2008 amendment, the Court of Appeals for the Sixth Circuit stated that “electronic scanning and imaging could be interpreted as ‘exemplification and copies of papers’” and approved of cost recovery for those services. BDT Products, 405 F.3d at 420. The Court of Appeals for the Seventh Circuit has also affirmed that conversion costs are taxable under section 1920(4). See Hecker v. Deere & Co., 556 F.3d 575 (7th Cir. 2009). Numerous federal district courts have allowed for the taxation of scanning and/or conversion in e-discovery. See, e.g., Farrar & Farrar Dairy, Inc. v. Miller-St. Nazianz, Inc., 2012 WL 776945 (E.D.N.C. Mar. 8, 2012); Jardin v. DATAllegro, Inc., 2011 WL 4835742 (S.D. Cal. Oct. 12, 2011); Mann v. Heckler & Koch Def., Inc., 2011 WL 1599580 (E.D. Va. Apr. 28, 2011). Several of these courts, along with the Third Circuit in Race Tires II, have stated that “electronic scanning of documents is the modern-day equivalent of ‘exemplification and copies of paper.’” Brown v. The McGraw Hill Cos., Inc., 526 F. Supp. 2d. 950, 959 (N.D. Iowa 2007).

Nevertheless, some courts, for various reasons, have refused to award even scanning or conversion costs under section 1920(4). See, e.g., Little Rock Cardiology Clinic, P.A. v. Baptist Health, 2009 WL 763556, at *4 (E.D. Ark. Mar. 19, 2009) (“it has been the practice in this district to limit costs recoverable under § 1920(4) to the costs of copying items used in presenting the case at trial or prepared for that purpose. This Court historically has not awarded as costs under Section 1920(4) the expense of copying documents during discovery.”); Roehrs v. Conesys, Inc., 2008 WL 755187, at *3 (N.D. Tex. Mar. 21, 2008) (denying conversion costs because digital versions of the documents “were merely more convenient for counsel to search and examine” and not “necessary”); Fells v. Virginia Dep’t of Transp., 605 F. Supp. 2d 740, 743 (E.D. Va. 2009) (conversion costs are not recoverable because the conversion process “served to create searchable documents, rather than merely reproduce paper documents in electronic form” (emphasis in original)).

Recovery Beyond Conversion and Scanning

As demonstrated above, there is considerable disagreement in the courts regarding the taxation of e-discovery costs, even concerning basic tasks like conversion and scanning. Beyond those tasks, various courts have stressed different factors in deciding whether to award costs for compiling electronic databases, extracting data, and completing various other e-discovery services.

Several courts have distinguished the physical production of documents from work “leading up” to the production of documents, holding that “gathering, preserving, processing, searching, culling, and extracting ESI simply do not amount to ‘making copies.’” Race Tires II, 674 F.3d at 170. See also In re Scientific-Atlanta, Inc. Sec. Litig., 2011 WL 2671296, at *1 (N.D. Ga. July 6, 2011) (cost of keyword searching analogous to cost of reviewing paper documents, which is not recoverable); Windy City Innovations, LLC v. Am. Online, Inc., 2006 WL 2224057, at *3 (N.D. Ill. July 31, 2006) (denying costs for keyword searching, optical character recognition, and coding services). Some courts have stressed the distinction between “physical production” and “intellectual effort” as set out by the Ninth Circuit in Romero. 883 F.2d at 1428. The District Court for the Southern District of California wrote in Jardin that “costs associated with physically replicating or producing documents or data are recoverable under § 1920(4), while costs arising out of discovery-related activities tied to strategic, confidentiality, or other types of concerns typically entrusted to lawyers involve intellectual effort and are not recoverable.” 2011 WL 4835742, at *8. In Jardin, the court found that the cost of hiring an e-discovery project manager who merely oversaw the conversion process and “did not review documents or contribute to any strategic decision-making” was recoverable. Id. at *9.

Several courts have focused on the “necessarily obtained for use in the case” language of section 1920(4) and weighed the purported necessity of e-discovery costs that a prevailing party seeks to recover. These courts have highlighted the distinction between “necessity” and “convenience.” See, e.g., Tibble v. Edison Int’l, 2011 WL 3759927, at *7 (C.D. Cal. Aug. 22, 2011) (costs for hiring e-discovery experts to provide data “were not accrued merely for the convenience of counsel, but were necessarily incurred in responding to Plaintiffs’ discovery requests”); Parrish v. Manatt, Phelps & Phillips, LLP, 2011 WL 1362112, at *2 (N.D. Cal. Apr. 11, 2011) (“[t]he reproduction costs defendants incurred in collecting, reviewing, and preparing client documents for production were necessary expenditures made for the purpose of advancing the investigation and discovery phases of the action”); In re Aspartame Antitrust Litig., 817 F. Supp. 2d 608, 616 (E.D. Pa. 2011) (awarding costs for various services but denying costs for an “undoubtedly helpful” but non-essential document mapping program). Some courts have stressed efficiency as a factor in awarding costs. For example, although the Third Circuit explicitly rejected this rationale, other courts have held that, in some cases, the substantial cost savings achieved from using e-discovery make the services “necessary.” See, e.g., Lockheed Martin Idaho Techs. Co. v. Lockheed Martin Advanced Envtl. Sys., Inc., 2006 WL 2095876, at *2 (D. Idaho July 27, 2006) (cost of creating litigation database was “necessary” and thus recoverable “due to the extreme complexity of this case and the millions of documents that had to be organized”).

There is no consistent approach among these cases, either for the taxation of basic scanning and conversion costs, or for costs relating to more complex or tangential parts of the process. This suggests that courts faced with the issue have flexibility to award a variety of costs to prevailing parties, based on the specific circumstances of the case.

Looking Forward

No district court in New York has directly examined the extent to which e-discovery costs are taxable by the prevailing party under section 1920(4). It remains to be seen how broadly these courts, and the Court of Appeals for the Second Circuit, might read the statute. Despite the Third Circuit’s decision in Race Tires II, there is considerable precedent for allowing extensive e-discovery cost recovery under section 1920(4), including the two recent Northern District of California cases that explicitly declined to follow the Third Circuit.

At this juncture, prevailing parties may want to consider the potential benefit of moving for e-discovery costs under section 1920(4), especially in cases involving extensive e-discovery. Similarly, non-prevailing parties should anticipate the possibility that an adversary may seek substantial e-discovery cost recovery.

Conclusion

The internet is a tremendous resource for companies to grow their businesses and reach new markets; however, it also provides opportunities for hackers to subvert companies’ security systems and steal consumer, client, and/or employee information. This is a reason, in itself, to secure data through encryption and other safeguards. A security breach calls for a prompt response, often including an investigation to ascertain the source and scope of the breach and consultation with counsel to determine potential responsive actions. Depending on the results of the investigation and applicable state laws, a company may need to notify certain affected consumers. Data breach response is a complicated and cumbersome process in which the manner of notification is both a legal and business decision. And while courts have largely dismissed consumer class actions for failure to plead compensable damages, recent case law from the First Circuit is cause for further analysis and caution. Thus, it would be prudent to consult with counsel in advance of a data breach – but most certainly in the event of one.