As the number of data breaches grows, without exaggeration, by the hour, an important question remains: Who can recover damages in court after a data breach?
The U.S. Supreme Court is currently considering a petition for certiorari in Spokeo Inc. v. Robins and may decide whether Congress can confer standing upon plaintiffs who have not suffered any actual harm and, accordingly, would not otherwise have standing, by authorizing a private right of action based on a bare violation of a federal statute without resulting injury. This question of Article III standing potentially impacts a wide variety of lawsuits referred to as “no-injury” class actions. The Supreme Court has already heard from the business community as (at my last count) 10 amicus briefs in support of the Court considering this issue have been filed.
Courts have been on both sides with respect to what type of injury a plaintiff must assert in a data breach case to have standing – usually in cases where personal information has been compromised but the individual has not actually been harmed.
On one side, the First and Third Circuits have rejected standing based on the threat of future harm as too speculative. See Katz v. Pershing, LLC, 672 F.3d 64 (1st Cir. 2012); Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011).
On the other, the Seventh and Ninth Circuits have allowed data breach class actions based on the threat of future harm, without any actual loss, to proceed. See Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010); Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629 (7th Cir. 2007).
However, the SCOTUS decision in Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013) may provide insight into the direction the current Court is leaning. In Clapper, human rights organizations and media groups challenged the legitimacy of the Foreign Intelligence Surveillance Act (FISA), which eased government proscriptions on obtaining wiretaps on intelligence targets outside of the United States. The plaintiffs, all U.S. citizens, asserted standing because their future communications could be intercepted.
In a 5-4 decision, the Supreme Court held that the plaintiffs were unable to establish Article III standing because, absent speculation, imminent injury that was “fairly traceable” to the FISA amendment could not be established. The Court acknowledged the elasticity of what “imminent” means, but was clear that the concept cannot be “stretched beyond its purpose” so an “alleged injury is not too speculative for Article III purposes.”
Critically for a liability analysis in data breach cases, the Court determined that while plaintiffs' concerns were not “fanciful, paranoid, or otherwise unreasonable,” the harm sought to be avoided was not “certainly impending.” And standing cannot be created “merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending ... If the law were otherwise, an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear.”
Federal courts in Illinois, New Jersey, Ohio, and the District of Columbia have used Clapper to dismiss data breach lawsuits where actual injuries have not been established. See In re Science Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., MDL No. 2360, 2014 WL 1858458 (D.D.C. May 9, 2014); Strautins v. Trustwave Holdings, Inc., No. 12 C 09115, 2014 WL 960816 (N.D. Ill. Mar. 12, 2014); Galaria v. Nationwide Mut. Ins. Co., Nos. 2:13-CV-118, -257, 2014 WL 689703 (S.D. Ohio Feb. 10, 2014); Polanco v. Omnicell, Inc., No. 13-1417 (NLH/KMW), 2013 WL 6823265 (D.N.J. Dec. 26, 2013); In re Barnes & Noble Pin Pad Litig., No. 12-cv-8617, 2013 WL 4759588 (N.D. Ill. Sept. 3, 2013).
One California district court did find standing even in the face of Clapper. See In re Sony Gaming Networks & Customer Data Sec. Breach Litig., MDL No. 11MD2258 AJB (MDD), 2014 WL 223677 (S.D. Cal. Jan. 21, 2014).
If you've had a data breach incident – hopefully after you've deployed your previously established mitigation and response plans – you should immediately consider what your exposure is and who you might owe. As data breaches increase exponentially, the pool of potential plaintiffs in data breach matters is exploding. Coupled with the impending increase in state and federal data breach legislation, the question of who can recover based upon a data breach incident must be addressed... and the sooner the better.