Amid the storm of cybersecurity incidents in the last year, plaintiffs still face an uphill battle convincing courts that they suffered actual--and not hypothetical--harm from data breaches. Indeed, the majority of private lawsuits brought this past year involving data breaches have been dismissed when the only harm alleged is hypothetical future harm. Several recent decisions, however, have found that plaintiffs alleging future harm had adequately pleaded Article III standing giving renewed vigor to data breach cases.
Clapper v. Amnesty International
In 2013, the Supreme Court fueled courts to dismiss cases involving data breaches for claims of future harm in Clapper v. Amnesty International. In Clapper,the Supreme Court considered whether respondents had standing to challenge a section of the Foreign Intelligence Surveillance Act based on assertions that there was an “objectively reasonable likelihood” that their communications would be intercepted at some point in the future. The Clapper court found that the plaintiffs did not have standing, because Article III standing requires the threatened injury to “be certainly impending to constitute an injury in fact,” and the plaintiffs’ “allegations of possible future injury [were] not sufficient.”
Decisions post-Clapper dismissing data breach lawsuits for lack of standing
Clapper is significant as it drove many courts across the country to dismiss data breach cases when faced with allegations solely of future harm. Thus, where plaintiffs claimed injury due to increased risk of identity theft, courts held that the harm was not “certainly impending” and the plaintiffs lacked standing to pursue those claims. Further, when plaintiffs contended that they incurred increased expenses to mitigate against potential harm from a data breach—for example, credit monitoring or cancellation of credit cards—courts have deemed that insufficient to confer standing because the harm plaintiffs were seeking to mitigate against was not “certainly impending.”
- Galeria v. Nationwide Mutual Insurance Company relied on Clapper to find that plaintiffs’ cost to mitigate increased risk, such as the purchase of credit monitoring services, was insufficient to confer standing, as were plaintiffs’ claims for loss of privacy and deprivation of the value of their personally identifiable information).
- In Strautins v. Trustwave Holdings, Inc., the ruling said,“Clapper compels rejection of [plaintiff’s] claim that an increased risk of identity theft is sufficient to satisfy the injury-in-fact requirement for standing” because the allegations were “insufficient to show that she and others face a ‘certainly impending’ risk of identity theft."
- Science Applications International Corp. (SAIC) Backup Tape Data Theft Litigation relied on Clapper to find that the “majority of Plaintiffs in this case lack standing to sue because they failed to allege any cognizable injury."
- Remijas v. Neiman Marcus Group, LLC, stated that the “overwhelming majority of the plaintiffs allege only that their data may have been stolen,” and the court was “not persuaded that the 350,000 customers at issue are at a certainly impending risk of identity theft”;
- Burton v. MAPCO Express, Inc., held that the plaintiff could not proceed with his claim unless he plausibly alleged “not only that fraudulent charges appeared on his debit account as a consequence of the MAPCO data breach but also that he incurred damages as a result”;
- Lewert v. P.F. Change’s China Bistro, Inc., found that the plaintiffs lacked standing to pursue their claims, including their claim for increased risk of identity theft in the future,
- Peters v. St. Joseph Servs. Corp., held that “heightened risk of future identity theft/fraud posed by a data security breach” does not confer “Article III standing on persons whose informatiom may have been accessed."
Post Clapper cases finding that plaintiffs had standing
Notwithstanding the above cases, Clapper has not completely sounded the death knell for data breach lawsuits when allegations of future harm are alleged. Even when plaintiffs were able to establish Article III standing, however, many of their claims were still dismissed based on their failure to plead actual damages.
In re: Sony Gaming Networks and Customer Data Security Breach Litigation (Jan. 2014), for example, a class-action arising out of “a criminal intrusion into a computer network system used to provide online gaming and Internet connectivity via an individual’s gaming console or personal computer,” only one of the 11 named plaintiffs alleged that he experienced unauthorized charges as a result of the intrusion. Relying primarily on a pre-Clapper Ninth Circuit case, Krottner v. Starbucks, which held that "the possibility of future injury may be sufficient to confer standing" where the plaintiff is "immediately in danger of sustaining some direct injury as the result of the challenged conduct," i.e., where there is a “credible threat of real and immediate harm,” the Sony court found that the plaintiffs adequately alleged Article III standing for purposes of the motion to dismiss. In reaching this conclusion, the Sony court rejected defendant’s argument that “Clapper tightened the ‘injury-in-fact’ analysis set forth by the Ninth Circuit” in Krottner. While the court did not dismiss the case for lack of standing, it dismissed many of the claims, either for failure to state a claim or because such claims were barred by plaintiffs’ failure to the economic loss doctrine (which requires plaintiffs to allege appreciable, non-speculative harm proximately caused by a breach).
Likewise, in re Adobe Sys., Inc., Privacy Litig., hackers accessed Adobe’s servers and spent several weeks undetected, removing customer names, login IDs, passwords, credit and debit card numbers, expiration dates, and mailing and e-mailing addresses. The court found that the harm threatened by the Adobe breach was sufficiently concrete and imminent to satisfy the standard as stated in both Krottner and Clapper. The court emphasized that the hackers deliberately targeted Adobe’s servers and spent several weeks collecting the plaintiffs’ personal information. As such, the danger that plaintiffs’ stolen data would be subject to misuse was, according to the court, “certainly impending.” The court reasoned that requiring plaintiffs to wait until they actually suffer identity theft or credit card fraud in order to have standing would run counter to the well-established principle that harm does not need to have already occurred or be “literally certain” to constitute injury.
Similarly, in Moyer v. Michaels Stores, Inc., the court found that the “elevated risk of identity theft stemming from the data breach at Michaels is sufficiently imminent to give plaintiffs standing.” According to the Michaels court, “Clapper applied the imminence requirement in an ‘especially rigorous’ fashion given the merits of the case would have required the Court to decide whether [a 2008 Act] was unconstitutional.” Although the Michaels court held that the plaintiffs had standing, the court ultimately dismissed the claims because the plaintiffs failed to plead actual monetary damages.
Most recently, the District of Minnesota issued a decision in re Target Corporation Customer Data Security Breach Litigation, which arose from the massive cybersecurity attack on Target in 2013. Similar to defendants in the other cases, Target claimed that the plaintiffs lacked standing because they did not establish an injury. This case is distinguishable from the other cases herein, because unlike those cases alleging only future harm, the Target court found that the allegations in the complaint included “a recitation of many of the individual named Plaintiffs’ injuries, including unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees.” The Target court further held, “Should discovery fail to bear out Plaintiffs’ allegations, Target may move for summary judgment on the issue.”
The majority of data breach cases in the past year have relied on Clapper to dismiss cases on standing grounds where plaintiffs do not allege actual harm. Demonstrating that the legal landscape in this area is still unsettled, however, were a minority of cases which found Article III standing to exist in the face of allegations of future harm. Until the Supreme Court rules on this issue, the standing issue will likely remain unsettled.
If you want to comment on this post, you need to login.