Protecting a company from data breach lawsuits may get substantially harder.
Once hit by a data breach, companies face suit from consumers and employees who have had personally identifiable information compromised. A relatively new line of cases has made life very difficult for these plaintiffs by holding that increased risk of identity theft is not sufficient grounds for a lawsuit. However, some holdout courts may just have it right.
Understanding this requires a deep dive into the world of standing to sue.
To establish Article III standing to sue, a plaintiff must show that they were actually injured. That is, they must show that their injury is “concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.” Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147 (2013).
Most plaintiffs in a data breach case have not yet been injured by the loss of the data (nor will they be); rather, they fear such injury and are seeking standing on the basis of the potential future injury. Accordingly, the key question is: when is there enough of a probability of a future harm so as to confer standing on a plaintiff?
The Supreme Court appeared to set a very high bar for answering that probabilistic question: the “threatened injury must be certainly impending to constitute injury in fact,” and that “allegations of possible future injury” are not sufficient. Clapper, 133 S. Ct. at 1147 (emphasis supplied). In short, it is not enough to show a probable injury — nothing short of near certainty of a future injury confer standing.
Not quite so fast. In Susan B. Anthony List v. Driehaus the Court clarified that Clapper’s “certainly impending” standard did not supplant the line of cases holding that a “substantial risk” that a harm will occur can confer standing. 134 S. Ct. 2334 (June 16, 2014). Specifically, Justice Thomas wrote for a unanimous Court:
An allegation of future injury may suffice if the threatened injury is “certainly impending,” or there is a “‘substantial risk’ that the harm will occur.
What of all this?
A surprising number of data breach cases have been dismissed on standing grounds under Clapper’s “certainly impending” standard.
For instance, in Galaria v. Nationwide Mut. Ins. Co (a case in which PII was stolen from an insurer), the district court found
In this case, an increased risk of identity theft, identity fraud, medical fraud or phishing is not itself an injury-in-fact because Named Plaintiffs did not allege—or offer facts to make plausible—an allegation that such harm is “certainly impending.” Even though Plaintiffs alleged they are 9.5 times more likely than the general public to become victims of theft or fraud, that factual allegation sheds no light as to whether theft or fraud meets the “certainly impending” standard. That is, a factual allegation as to how much more likely they are to become victims than the general public is not the same as a factual allegation showing how likely they are to become victims.
Other allegations in the Complaint show such harm is not certainly impending. For example, Named Plaintiffs state that consumers who receive a data breach notification had a fraud incidence rate of 19% in 2011. … An injury can hardly be said to be “certainly impending” if there is less than a 20% chance of it occurring….
That speculative nature of the injury is further evidenced by the fact that its occurrence will depend on the decisions of independent actors … If they do nothing, there will be no injury…. See 998 F. Supp. 2d 646, 654-655 (S.D. Ohio 2014)
Several cases follow suit. I won’t bore you with a string cite, but you may look here if you would like one.
These cases uniformly reject standing for fTa breach victims who can show no other injury. However uniform those cases may be there are some courts not toeing the line.
First, a red herring. Some have pointed to the litigation arising out of the Target credit card breach as an exception to the Clapper cases. It isn’t an outlier; it is irrelevant. Standing was found because of actual injury as pled on a motion to dismiss. The court didn’t need to reach Clapper because the complaint was carefully drafted and alleged actual injury:
Indeed, many of the 114 named Plaintiffs allege that they actually incurred unauthorized charges; lost access to their accounts; and/or were forced to pay sums such as late fees, card-replacement fees, and credit monitoring costs because the hackers misused their personal financial information. In re Target Corp. Customer Data Sec. Breach Litig., D. Minn. Dec. 18, 2014).
The only thing interesting the Target court did was to push data breach standing litigation to summary judgment.
Turning to the real outliers, let’s first turn our attention to In Re Adobe Privacy Litigation, (N.D. Cal. Sept. 4, 2014), where the court relied on Ninth Circuit precedent and held that plaintiffs could suffer a cognizable injury in fact because there was “substantial risk” of harm. The court declined to apply Clapper (as overruling the precedent) because it thought that the harm in the Clapper case was significantly different and more attenuated — and that Clapper didn’t appear to explicitly try to fundamentally re-order the doctrine of standing. Likewise in Moyer v Michaels Stores, (ND Ill. July 14, 2014), the Northern District of Illinois found standing in a credit card-related data breach because, like Adobe, it distinguished Clapper from the data breach context and found that “risk of identity theft stemming from the data breach at Michaels is sufficiently imminent to give Plaintiffs standing.” See also See In re Sony Gaming Networks & Customer Data Sec. Breach Litig., (S.D. Cal. Jan. 21, 2014).
So, there are three camps:
- Clapper: Data breach litigants must show actual or impeding harm for standing.
- Adobe: Data breach litigants must show a substantial risk of harm
- Target: Good pleadings can defeat a standing-based motion to dismiss; the real burden of showing injury can take place at summary judgment.
Which camp is right?
I suspect Adobe is. While the Clapper-data cases present an intriguing line of reasoning, it appears that the news of Susan B. Anthony List has not yet made it to this area of litigation. Susan B. Anthony List makes it clear that Clapper wasn’t supplanting the substantial risk of harm test. That breathes new life into Plaintiffs’ claims.
In short, probabilistic standing lives on to fight another day.