Whether plaintiffs have standing to pursue their claims has been the determinative issue in much of the data breach litigation to this date. In two recent cases, the United States District Court for the District of Nevada and the United States District Court for the Central District of California reached different conclusions on the question of whether the victims of a data breach had standing to sue the companies that held their personal information.
Article III of the United States Constitution limits the judicial power of the United States to cases and controversies. Federal courts use the doctrine of standing to determine whether a judiciable case or controversy exists. To have standing, a plaintiff must establish an injury in fact that is fairly traceable to defendant’s conduct and that is likely to be redressed by the requested relief. Absent that, the court lacks subject matter jurisdiction and will not hear the case. The United States Supreme Court recently ruled on a standing case that dealt with threatened injury, a scenario frequently seen in data breach litigation. In Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138 (2013), the Court held that allegations of possible future injury are not sufficient, and that threatened injury must be certainly impending to constitute injury in fact. The majority of data breach litigation cases decided post-Clapper have held that absent allegations of actual identity theft or fraud, the increased risk of such harm alone is insufficient to establish Article III standing. In Corona v. Sony Pictures Entertainment, Inc., (14-cv-09600 RGK, C.D. Cal. June 15, 2015) and In re Zappos.Com, Inc., Customer Data Security Breach Litigation, (3:12-cv-00325-RCJ-VPC MDL No. 2357, D. Nev. June 01, 2015), the courts reached different decisions on this issue.
In Corona v. Sony, the court found that Plaintiffs have Article III standing to assert their claims. Plaintiffs are current and former employees of Sony whose personally identifiable information (PII) was stolen when Sony was the victim of a cyber-attack. The Plaintiffs’ alleged that their PII was posted on file-sharing websites and used to send threatening e-mails to Plaintiffs and their family members. In response, Plaintiffs were forced to purchase identity protection services and insurance, and have taken other measures to protect their PII. Applying Clapper, and the Ninth Circuit’s decision in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), the Court found that Plaintiffs’ allegations were sufficient to establish a credible threat of real and immediate harm, or certainly impending injury.
Conversely, in In Re: Zappos, the court found that Plaintiffs did not have standing. In that case, Plaintiffs are former customers of Zappos whose PII was stolen when Zappos was the victim of a cyber-attack. Plaintiffs argued that as a result of the theft of their PII they suffered a decrease in the value of their personal information and also suffered an increased risk of future identity theft. They further claimed that this increased risk of future harm forced them to purchase credit monitoring services to mitigate future damages. The court determined that these allegations of harm were insufficient to confer standing. The court noted that Plaintiffs did not allege any facts that their PII was less valuable for sale in any market because of the data breach. Next, the Court applied Clapper and found that any threat of future harm was not “certainly impending.” In support, the court specifically noted it had been three-and-a-half years without any identity theft or fraud since the data breach, that any threat of future harm was based entirely on the decisions of independent and unidentified actors, and that if there was a future identity theft, it would be difficult to determine whether that theft was the result of the Zappos data breach or from some other source. Finally, the court determined that purchasing credit monitoring services to mitigate future damage is insufficient to establish standing unless the harm being mitigated against is imminent, a conclusion the court had already refused to reach.
The issue of Article III standing in data breach litigation is far from settled, and will continue to be a determinative issue in the future. The United States Supreme Court’s decision in Clapper provided clarity, but as the recent decisions highlighted here show, there is the possibility for differing results based on the particular facts of each case. Plaintiffs that can demonstrate that their stolen personal information has been misused in some way, even if it is as simple as being posted on a file-sharing website, will likely have standing, while Plaintiffs that merely claim there is the possibility of future wrongdoing will not. One thing is clear, despite the hope that Clapper would settle this issue, Article III standing will continue to be a contested data breach litigation issue going forward.