Data Breach Litigation: The Standing and Injury Hurdle | Practical Law

A discussion of current issues in data breach litigation, including the standing and injury requirements. It also includes a prediction of the future of data breach litigation issues, such as causation and class certification challenges.

Data Breach Litigation: The Standing and Injury Hurdle

Practical Law Legal Update 7-583-4587

by Practical Law Intellectual Property & Technology
Law stated as of 14 Oct 2014
USA (National/Federal)
It seems that a new data breach is reported every day, and almost inevitably a wave of class action lawsuits follows. However, few data breach class action suits have made it past the pleading stage. Still, plaintiffs continue to file these cases and test new theories to try to surmount the barriers that prevented prior cases from moving forward.

Standing and the Injury Requirement

The largest impediment to data breach class actions to date has been the failure to establish an injury-in-fact sufficient to support Article III standing in federal court. Injury-in-fact is an invasion of a legally protected interest that is both:
  • Concrete and particularized.
  • Actual or imminent and not conjectural or hypothetical.
Because what happens to data once it is lost or stolen is frequently unknown, plaintiffs commonly assert standing based on the risk of future injury and expenses they incur to mitigate that risk.
Most federal courts agree that the mere possibility of future harm is not enough to create an injury-in-fact sufficient to confer standing. Courts frequently disposed of early data breach cases on these grounds, a conclusion supported by the US Supreme Court's recent decision in Clapper v. Amnesty Int'l USA (133 S. Ct. 1138, 1143 (2013)). A minority of courts, however, have found facts falling short of actual financial loss to be sufficient to confer standing (see, for example, Moyer v. Michaels Stores, Inc., No. 14-561, , at *4-6 (N.D. Ill. July 14, 2014) and In re Adobe Sys. Inc. Privacy Litig., No. 13-CV-05226-LHK, (N.D. Cal. Sept. 4, 2014)).
Even where courts have found standing, however, they often dismissed the cases based on the plaintiffs' failure to allege sufficient injury to establish the elements of their claims.

Avoiding the Standing Problem

To avoid a standing challenge, plaintiffs frequently:
  • Bring claims in state court.
  • Allege statutory damages claims.
In addition, some plaintiffs plead several alternative theories of harm, with varying degrees of success. These theories include:
  • Lost time and inconvenience. This theory is particularly relevant in payment card breach cases, where a card holder may have been reimbursed for charges, but may have spent time, for example, calling customer service lines to change stored credit card numbers. Courts typically reject this theory as ordinary inconvenience that is not legally compensable.
  • Emotional distress. This theory has likewise met with little success because in many jurisdictions emotional distress damages are often recoverable only where there is a physical impact or a medically diagnosable injury.
  • Decreased economic value of personal information. This novel theory is premised on the argument that personally identifiable information has economic value. While generally courts have rejected this theory, at least one court has found it sufficient to survive a motion to dismiss, while expressing doubts that the plaintiffs could actually prove any damages. (Claridge v. RockYou, Inc., 785 F. Supp. 2d 855, 861 (N.D. Cal. 2011).)
  • Denied the benefit of the bargain. Plaintiffs in several data breach cases argued that they were denied the benefit of their bargain with the defendant because the defendant's security was not as safe as it was held out to be in a privacy policy, disclosure or agreement.
The success of these theories varies based on the facts of the case, the court involved and local law.

Future Issues in Data Breach Litigation

Despite these significant hurdles, consumer data breach class actions show no signs of abating, and parties can expect changes in litigation strategy as the law develops. If plaintiffs can surmount the standing and actual harm hurdle, the next battles in data breach litigation are likely to be found in:
  • Causation challenges. Even where a plaintiff can show a concrete injury, such as financial loss resulting from identity theft, the plaintiff has the additional burden to prove that the injury was caused by the defendant's actions.
  • Class certification challenges. Because most data breach cases have either been dismissed or settled early, few cases have grappled with class certification. Data breach cases are attractive targets for class action lawsuits because they usually have one indisputably common issue: whether the defendant was at fault for the breach itself. However, the existence of that common question does not alone justify certification. Plaintiffs can expect significant challenges to alleged predominance of common issues if cases do begin to reach the certification stage.
For more discussion of these and other issues in data breach litigation, see Practice Note, Key Issues in Consumer Data Breach Litigation. For more on data breach notification, see Practice Note, Privacy and Data Security: Breach Notification and Standard Document, Data Security Breach Notice Letter.