Where Do Plaintiffs Stand on Data Breach Litigation?

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://www.thelegalintelligencer.com/latest-news/id=1202729812795/Where-Do-Plaintiffs-Stand-on-Data-Breach-Litigation?mcode=1395262324557&c

Article III standing has been a data breach plaintiff's worst enemy (and,
thus, a defendant's best friend). Courts have routinely dismissed data
breach cases because plaintiffs cannot demonstrate that they have standing
to bring claims against a company that suffered a data breach. Simply put,
courts across many jurisdictions have subscribed to the proposition of "no
harm, no foul." Despite this formidable obstacle, plaintiffs continue to
pursue these types of claims.

Plaintiffs typically allege that, as a result of a data breach, they
suffered injuries including an increased risk of identity theft or fraud,
time and expenses incurred in efforts to mitigate the risk associated with
identity theft or fraud, improper disclosure of their personal information
and loss of privacy. Generally, to establish standing under Article III, a
plaintiff must allege: (1) an injury in fact that is concrete and
particularized, as well as actual and imminent; (2) that injury is fairly
traceable to the challenged action of the defendant; and (3) that it is
likely (not merely speculative) that injury will be redressed by a
favorable decision. Historically, courts have found that data breach
plaintiffs failed to meet this standard because the "possibility" of future
harm was speculative.

In February 2013, the U.S. Supreme Court issued its decision in Clapper v.
Amnesty International USA, 133 S. Ct. 1138 (2013). Although Clapper did not
involve a data breach, it quickly became data breach defendants' most
powerful argument in support of a motion to dismiss. In Clapper, the
plaintiffs argued that because their work required them to communicate with
individuals outside the United States, they suffered injury because there
was an "objectively reasonable likelihood" that their communications would
be acquired under the Foreign Intelligence Surveillance Act, and that they
took costly steps to protect the confidentiality of their communications.
The Supreme Court concluded that the plaintiffs' fears were "highly
speculative" and based on a "highly attenuated" chain of possibilities that
did not result in a "certainly impending" injury. The court further held
that the plaintiffs could not "manufacture" standing based upon money spent
to protect against hypothetical future harm.

Seizing upon this reasoning, defendants in courts all across the country
began to analogize the situation in Clapper to a data breach. For example,
in In re Barnes & Noble Pin Pad Litigation, Case No. 12-cv-8617 (N.D. Ill.
Sept. 3, 2013), relying on Clapper, the U.S. District Court for the
Northern District of Illinois granted Barnes & Noble's motion to dismiss
and found that the plaintiffs lacked standing to bring an action against
Barnes & Noble. The court held that the plaintiffs failed to allege an
injury in fact that was "certainly impending" and that speculation of
future harm does not constitute actual injury. The court found that an
increased risk of identity theft does not constitute actual harm for
purposes of standing. In addition, the court held that the "only cognizable
potential injury" alleged by plaintiffs was a fraudulent charge on one of
the plaintiff's credit cards. The court stated that, even if the fraudulent
charge was due to Barnes & Noble's actions or inactions, the plaintiff
alleged only that she was without the use of her credit card for an
unspecified period of time until she received her replacement card. The
court found this insufficient to establish standing because the plaintiff
did not have an unreimbursed charge on her credit card and, thus, failed to
allege an actual injury.

Since Clapper, the majority of courts have dismissed data breach claims
based upon lack of standing. In fact, there are only a handful of cases
that go against the trend. In 2014, the Northern District of California
found that plaintiffs' allegations satisfied the standard articulated by
the court in Clapper, in In re Adobe Systems Privacy Litigation, Civ. A.
No. 13-05226 (N.D. Cal. Sept. 4, 2014). The plaintiffs argued that they had
standing because they suffered three types of injuries: (1) increased risk
of future harm; (2) costs to mitigate risk of future harm; and (3) loss of
the value of their Adobe products. The court found that because certain of
the data appeared on the Internet, the potential for misuse of that data
was "certainly impending" and that the costs for credit monitoring were an
injury in fact that conferred standing.

Initially, the Adobe case signaled that data breach plaintiffs might be
gaining ground. Then, less than two weeks after the decision in Adobe,
based upon a similar set of facts, the Northern District of Illinois found
that data breach plaintiffs lacked Article III standing, in Remijas v.
Neiman Marcus, Civ. A. No. 14-1735 (N.D. Ill. Sept. 16, 2014). Despite the
fact that more than 9,000 card holders had unauthorized charges on their
credit cards, the court held that the plaintiffs failed to allege
"concrete" injuries because they did not allege that they would be held
financially responsible for those charges. In addition, the court found
that plaintiffs failed to allege "precise" costs for mitigating future risk
of fraudulent charges and, thus, these costs were not a cognizable injury
for purposes of standing. The Neiman Marcus case is pending before the U.S.
Court of Appeals for the Seventh Circuit.

Perhaps recognizing the difficulty in overcoming the standing hurdle (and
that the Adobe ruling was not as widely accepted as plaintiffs had hoped),
data breach plaintiffs have started to assert statutory claims under, among
others, the Fair Credit Reporting Act, Stored Communications Act, Telephone
Consumer Privacy Act and Video Privacy Protection Act. Under these
statutes, a plaintiff may be able to establish standing even without
suffering any actual injury.

In Robins v. Spokeo, 742 F.3d 409 (9th Cir. 2014), the Ninth Circuit
affirmed the trial court's decision finding that the plaintiff had standing
to sue Spokeo under the Fair Credit Reporting Act for allegedly reporting
inaccurate information on its website about the plaintiff's income and
education. Even though the plaintiff did not suffer any concrete injury,
the court held that he had standing based purely upon the fact that
Spokeo's acts violated the Fair Credit Reporting Act. Certain appellate
courts have agreed with the decision in Spokeo, while others have held
that, without some sort of actual injury, a plaintiff cannot establish
standing based solely upon a statutory violation. Although it denied
certiorari on this same issue a few years ago, early this year, the U.S.
Supreme Court granted certiorari review of Spokeo. If the Supreme Court
affirms the Ninth Circuit's decision, then, even without showing any actual
injuries, plaintiffs will likely be able to rely upon statutory violations
to advance their data breach claims.

At the moment, in the absence of any concrete injury, defendants in data
breach cases continue to have the upper hand. However, the data breach
litigation landscape is constantly changing and, like any other area of
litigation, defendants must be prepared to refine their arguments in
response to case law and plaintiffs' evolving theories of liability.

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!