The Weekly Breach Breakdown Podcast by ITRC - Case Dismissed - S6E4

Show Transcript

Welcome back to the Identity Theft Resource Center’s Weekly Breach Breakdown, supported by Sentilink. I’m James E. Lee, the ITRC’s President. This is the episode for February 7, 2025. Anyone who has ever watched an episode of Law & Order, Suits or Court TV is familiar with what happens when a defendant proves a criminal charge or a civil lawsuit is without merit. A very serious-looking judge bangs their gavel and declares: Case dismissed! It makes for a fitting title of our podcast on the Samsung data breach lawsuit.  

Today, we will discuss why so many data breach lawsuits are dismissed. To illustrate this point, we will examine the lawsuit related to a 2022 data breach at Samsung Electronics America – a subsidiary of the giant South Korea-based Samsung Electronics. 

Following a data breach, 17 lawsuits were filed across the country, eventually being combined into a single action before U.S. District Court Judge Christin O’Hearn in New Jersey. The plaintiffs claimed their data was disclosed because of lax security practices that allowed a professional cybercrime group to steal the personal information of 41 plaintiffs and other Samsung customers.  

According to Judge O'Hearn, to sustain a lawsuit, a plaintiff must show that they have suffered an injury that is “concrete, particularized and actual or imminent.” The injury must be caused by the defendant, and the injury would likely be addressed by a court. 

How does this apply to this particular Samsung data breach lawsuit case? Judge O’Hearn agreed that there was the risk of imminent harm because the attack was carried out by known cybercriminals. The Judge also ruled that only four of the 41 plaintiffs claimed they were notified that their personal data was on the dark web. However, those four did not prove that the specific information on the Dark Web was a result of this particular data breach as opposed to any other data breach.  

That was not the deciding factor for Judge O’Hearn to allow the Samsung data breach lawsuit to continue or end because the plaintiffs did not meet the minimum standard to file a claim. In fact, Judge O’Hearn dismissed the lawsuit, saying that not all data is created equal, and the information stolen in this case is "too mundane" or readily available online to increase an individual's risk of identity theft significantly.  

Quoting from the judge's order: "Put simply, the information the parties now agree was accessed in the data breach—names, addresses, other contact and demographic information, and device information—is not the type of [personal identifying information] that subjects an individual to a heightened risk of identity theft or fraud in any way despite plaintiffs’ repeated attempts to suggest otherwise. Courts routinely have dismissed claims for lack of jurisdiction when the information accessed is similar, or in some cases, even more sensitive to that which plaintiffs allege here because the risk of future harm is far too attenuated or speculative." 

The judge continued: "In fact, given the current frequency of data breaches, there is a surplus of caselaw involving non-sensitive information, such as here, that have been repeatedly dismissed as a matter of course," O'Hearn found.  

In other words, only breaches of the most sensitive information that can be directly linked to specific, actual harm and a specific data breach are likely to be accepted as grounds for a lawsuit. That is very difficult to prove, given the number of data breaches and the volume of information available to criminals today. 

If you want to learn how to secure your personal or business information to make it less valuable to criminals or have questions about the Samsung data breach lawsuit, speak with an expert ITRC advisor on the phone, chat live on the web, or exchange emails during our normal business hours (6 a.m.-5 p.m. PT). Just visit www.idtheftcenter.org to get started.  

Thanks again to Sentilink for supporting this podcast and the ITRC. Please hit the like button for this episode and subscribe wherever you listen to podcasts. If you want to learn more about the data breaches and their impact, visit www.idtheftcenter.org/reports or click here. Until next week, thanks for listening.