Standing In Data Breach Litigation: Lessons From 2014
2014 closed just as 2013 closed — with perhaps the largest cybersecurity data breach ever reported. In 2013, it was Target Corp. In 2014, it was Sony Corp. 2014 also saw a proliferation in data breach litigation. Typically, class actions allege injuries for increased risk of identity theft, fraudulent financial charges, and costs incurred from having to enroll in third-party credit-monitoring services. However, some courts have dismissed such claims for lack of standing.
Standing derives from Article III of the U.S. Constitution, which limits the powers of the federal judiciary to the resolution of “cases” and “controversies.” To maintain a lawsuit, every plaintiff must plead and ultimately prove that he or she has suffered sufficient injury to satisfy the “case or controversy” requirement. At the pleading stage, a plaintiff must allege: (1) an injury-in-fact that is concrete and particularized, as well as actual or imminent; (2) that the injury is fairly traceable to the challenged action of the defendant; and (3) that the injury can be remedied by a favorable ruling. If the plaintiff cannot satisfy these criteria, the claim must be dismissed.
2014 has shown that Article III standing can be a significant defense that enables retailers and other defendants to dispose of or limit security data breach claims in the relatively early stages of litigation. This article discusses some of those decisions.
Clapper v. Amnesty Int’l USA
Much of the recent standing litigation stems from the United States Supreme Court decision in Clapper v. Amnesty Int’l USA, -- U.S. --, 133 S. Ct. 1138 (2013). In Clapper, respondents, whose work required them to engage in international communications with individuals potentially targeted under the Foreign Intelligence Surveillance Act, sought to have the act declared unconstitutional and/or to obtain an injunction against the surveillance. To establish Article III standing, the respondents alleged injury from (1) the objectively reasonable likelihood that their communications would at some point be targeted; and (2) the fact that they already had undertaken costly measures to protect the confidentiality of their international sources. The Supreme Court rejected both arguments.
The Supreme Court concluded that although it may be “objectively reasonable” that the plaintiffs’ communications could be intercepted under the Act, they had failed to show that the “threatened injury” was “certainly impending.” The court explained that a “speculative chain of possibilities ... based on potential future surveillance” was insufficient. For the second argument, the Supreme Court determined that if parties could establish Article III standing on reasonably incurred costs to avoid the risk of future harm, such a result would “water down” standing requirements: “If the law were otherwise, an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear.”
There, although the respondents’ costs to avoid surveillance were not “fanciful, paranoid, or otherwise unreasonable,” the Supreme Court held they could not “manufacture standing merely by inflicting harm on themselves based on fears of hypothetical harm that was not ‘certainly impending.’”
Standing in Security Data Breach Litigation
A key issue in data breach cases is whether boilerplate allegations of injuries from increased risk of identity theft and costs incurred from credit-monitoring services allege a concrete and particularized (and actual or imminent) injury sufficient to confer standing. In 2014, some courts held that they do not. In re Science Applications Int’l Corp. (SAIC), -- F. Supp. 2d --, (D.D.C. May 9, 2014) is a good example.
SAIC involved the break-in of an employee’s car in which the car’s GPS system and stereo were stolen, as well as data tapes containing personal and medical records of approximately 4.7 million people. The data tapes contained no financial information of the persons, and they required special hardware in order to access the data on them. Subsequent lawsuits alleged claims for increased risk of identity theft and costs incurred for credit-monitoring services. Following consolidation of the lawsuits, the court dismissed claims for increased risk of identity theft and credit-monitoring. Under Clapper, the court concluded the claims did not allege a concrete injury, let alone one that was “certainly impending.”
The court first determined that increased risk alone was insufficient to confer standing because the degree by which the risk of harm may have increased does not answer whether the harm is “certainly impending”:
Plaintiffs begin by asserting that an increased risk of harm alone constitutes an injury sufficient to confer standing to sue. Due to the data breach, they claim that they are 9.5 times more likely than the average person to become victims of identity theft. Compl., ¶ 23. That increased risk, they maintain, in and of itself confers standing. But as Clapper makes clear, that is not true. The degree by which the risk of harm has increased is irrelevant — instead, the question is whether the harm is certainly impending.
The court then concluded that claims for increased risk of identity theft were too speculative because they depended upon too many contingencies, including whether the thief realized that the stolen tapes contained data, and had access to machinery to extract and decrypt the data. Although the fear of identity theft was reasonable, fear was not enough:
[I]t is reasonable to fear the worst in the wake of such a [data] theft, and it is understandably frustrating to know that the safety of your most personal information could be in danger. The Supreme Court, however, has held that an “objectively reasonable likelihood” of harm is not enough to create standing, even if it is enough to engender some anxiety. [Citation omitted.] Plaintiffs thus do not have standing based on risk alone, even if their fears are rational.
The court also concluded that costs incurred from enrolling in credit-monitoring services were insufficient to confer standing, even if enrolling in such services was “sensible.”
Nor is the cost involved in preventing future harm enough to confer standing, even when such efforts are sensible. ... the Supreme Court has determined that proactive measures based on “fears of ... future harm that is not certainly impending” do not create an injury in fact, even where such fears are not unfounded.
In Galaria, an Ohio district court reached a similar conclusion. There, the court determined that claims for increased risk of identity theft did not satisfy Article III standing requirements in the absence of facts showing that “such harm is ‘certainly impending.’” According to the court, the defendant’s offer to pay for credit monitoring services as a result of the data breach of its system further minimized the likelihood of an impending injury.
More recently, an Illinois district court in Remijas v. The Neiman Marcus Group LLC (N.D. Ill. Sept. 16, 2014) reached similar holdings. The case involved the December 2013 Neiman Marcus security data breach in which credit card information for approximately 350,000 customers was stolen. At the time of the litigation, and unlike in SAIC and Galaria, approximately 9,200 cardholders already had incurred fraudulent charges on their credit cards. The fraudulent charges, according to the court, allowed the court to infer that the 3,200 cardholders did have their data stolen, and that the remaining cardholders were at a “certainly impending” risk of seeing similar fraudulent charges on their cards. However, the allegations did not show a concrete injury from identity theft to permit standing because the fraudulent charges had been reimbursed or forgiven. The court explained:
I am satisfied that the potential future fraudulent charges are sufficiently “imminent” for purposes of standing. But of course, even having conceded imminence, both injuries (present and future) must still be concrete. Here, as common experience might lead one to expect, Plaintiffs have not alleged that any of the fraudulent charges were unreimbursed. On these pleadings, I am not persuaded that unauthorized credit card charges for which none of the plaintiffs are financially responsible qualify as “concrete” injuries.
Nor did the Neiman Marcus court believe that there was an imminent, “certainly impending” risk of identity theft to confer standing:
And again, I accept the inference from this that additional customers are at a “certainly impending” risk of future fraudulent charges on their credit cards. But to assert on this basis that either set of customers is also at a certainly impending risk of identity theft is, in my view, a leap too far. The complaint does not adequately allege standing on the basis of increased risk of future identity theft.
Costs incurred from credit-monitoring services also did not confer standing because the risk of identity theft did not constitute a cognizable injury for purposes of standing: “The cost of guarding against a risk is an injury sufficient to confer standing only if the underlying harm the plaintiff is seeking to avoid is itself a cognizable Article III injury.”
However, not every federal court has concluded that allegations of increased risk of identity theft do not confer standing. A critical issue appears to be whether the stolen personal data was specifically targeted by the data thieves. In re Adobe Sys. Inc. Privacy Litig., (N.D. Cal. Sept. 4, 2014), is instructive.
Adobe involved the August 2013 cyber data breach suffered by Adobe that resulted in the theft of software source code and the personal information of approximately 38 million customers, including names, passwords, credit/debit card information, and addresses. Auditors later concluded that Adobe’s security protocols were flawed and did not conform with industry standards. Subsequent class actions alleging violation of California’s Customer Records Act were filed and consolidated. Adobe moved to dismiss the CRA claim for lack of standing.
Plaintiffs alleged they suffered cognizable injuries-in-fact through an increased risk of identity theft and costs incurred from purchasing credit monitoring services. The Adobe court agreed. Because the plaintiffs’ personal data had been targeted by the hackers, and because the hackers had used Adobe’s systems to decrypt the plaintiffs’ credit card information, the court determined that the risk that the data would be misused was “immediate and very real.”
Not only did the hackers deliberately target Adobe's servers, but Plaintiffs allege that the hackers used Adobe's own systems to decrypt customer credit card numbers. ... Indeed, the threatened injury here could be more imminent only if Plaintiffs could allege that their stolen personal information had already been misused. However, to require Plaintiffs to wait until they actually suffer identity theft or credit card fraud in order to have standing would run counter to the well-established principle that harm need not have already occurred or be “literally certain” in order to constitute injury-in-fact.
The Adobe court distinguished the case before it from others, including SAIC, on the basis that the personal information at issue had been targeted, thereby making its potential use “certainly impending”:
The facts of SAIC stand in sharp contrast to those alleged here, where hackers targeted Adobe's servers in order to steal customer data, at least some of that data has been successfully decrypted, and some of the information stolen in the 2013 data breach has already surfaced on websites used by hackers.
Because the court found that the increased risk of identity theft was a cognizable injury for purposes of standing, so were costs incurred to enroll in credit monitoring services:
in order for costs incurred in an effort to mitigate the risk of future harm to constitute injury-in-fact, the future harm being mitigated must itself be imminent. As the Court has found that all Plaintiffs adequately alleged that they face a certainly impending future harm from the theft of their personal data, see supra Part III.A.1.a, the Court finds that the costs ... incurred to mitigate this future harm constitute an additional injury-in-fact.
For additional information on these matters, please contact Joshua Mooney (215.864.6345 | firstname.lastname@example.org).
 U.S. Const. Art. III, §2.
 Clapper v. Amnesty Int’l USA, -- U.S. --, 133 S. Ct. 1138, 1142-43 (2013).
 Id. at 1147-54.
 Id. at 1147.
 Id. at 1150.
 Id. at 1151.
 In re Science Applications Int’l Corp. (SAIC), -- F. Supp. 2d --, (D.D.C. May 9, 2014).
 Id.; see also Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646, 654 (S.D. Ohio 2014) (“That is, a factual allegation as to how much more likely they are to become victims than the general public is not the same as a factual allegation showing how likely they are to become victims.”).
 Id.; see also Strautins v. Trustwave Holdings Inc., (N.D. Ill. Mar. 12, 2014) (increased risk of future harm did not confer standing); In re Barnes & Noble Pin Pad Litig., (N.D. Ill. Sept. 3, 2013) (same).
 Galaria, 998 F. Supp. 2d at 654.
 Remijas v. The Neiman Marcus Group LLC, (N.D. Ill. Sept. 16, 2014).
 Id.; see also Burton v. MAPCO Express Inc., (N.D. Ala. Sept. 12, 2014) (dismissing action with leave to amend, but explaining that because fraudulent charges from cyber data breach had been forgiven, plaintiffs were unlikely to meet the jurisdictional amount in controversy requirement).
 Neiman Marcus.
 In re Adobe Sys. Inc. Privacy Litig., (N.D. Cal. Sept. 4, 2014).
 Id.; see also In re Sony Gaming Networks & Customer Data Security Breach Litig., 996 F. Supp. 2d 942, 962-63 (S.D. Cal. 2014) (denying motion to dismiss and holding allegations of disclosure of personal data from data breach conferred Article III standing because of threat of resulting harm).