2014 witnessed a proliferation of cyber security data breaches and resulting data breach litigation. Most class actions filed in the wake of a data breach assert injuries for increased risk of identity theft, fraudulent financial charges on credit cards, and costs incurred from having to enroll in third-party credit-monitoring services. But realistically, not every data breach results in an injury. Article III standing can be a significant defense for disposing security data breach claims in the relatively early stages of litigation.
Standing derives from Article III of the U.S. Constitution, which limits the powers of the federal judiciary to the resolution of “cases” and “controversies.” U.S. Const. Art. III, §2. To maintain a lawsuit, every plaintiff must plead and ultimately prove that he or she has suffered sufficient injury to satisfy the “case or controversy” requirement. At the pleading stage, a plaintiff must allege: (1) an injury-in-fact that is concrete and particularized, as well as actual or imminent; (2) that the injury is fairly traceable to the challenged action of the defendant; and (3) that the injury can be remedied by a favorable ruling. If the plaintiff cannot satisfy this criteria, the claim must be dismissed. This article discusses some recent data breach decisions that address standing.
Clapper v. Amnesty Int’l USA. Much of the recent standing litigation stems from the United States Supreme Court decision in Clapper v. Amnesty Int’l USA, — U.S. –, 133 S. Ct. 1138 (2013). In Clapper, respondents, whose work required them to engage in international communications with individuals potentially targeted under the Foreign Intelligence Surveillance Act, sought to have the Act declared unconstitutional and/or to obtain an injunction against the surveillance. Clapper, 133 S. Ct. at 1142-43. To establish Article III standing, the respondents alleged injury from the objectively reasonable likelihood that their communications would at some point be targeted under the Act; and (2) the fact that they already had undertaken costly measures to protect the confidentiality of their international sources. Id. at 1147. The Supreme Court rejected both arguments.
For the first argument, the Supreme Court concluded that although it may be “objectively reasonable” that plaintiffs’ communications could be intercepted, they had failed to show that the “threatened injury” was “certainly impending.” The Supreme Court held that a “speculative chain of possibilities … based on potential future surveillance” was insufficient. For the second argument, the Supreme Court determined that if parties could establish Article III standing on reasonably incurred costs to avoid the risk of future harm, such a result could “water down” the requirements of Article III:
If the law were otherwise, an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear.
Id. at 1150-51. Although the respondents’ costs to avoid surveillance was not “fanciful, paranoid, or otherwise unreasonable,” the Supreme Court held they could not “manufacture standing merely by inflicting harm on themselves based on fears of hypothetical harm that was not ‘certainly impending.’”
Standing in Security Data Breach Litigation. A key issue in cyber security data breach cases is whether allegations of injuries from increased risk of identity theft and costs incurred from credit-monitoring services are sufficient to establish standing. In other words, do these boilerplate claims allege an injury that is concrete and particularized, as well as actual or imminent. Some courts have held that they do not. In re Science Applications Int’l Corp. (SAIC), — F. Supp. 2d –, 2014 WL 1858458 (D.D.C. May 9, 2014) is a good example.
SAIC involved the break-in of an employee’s car in which the car’s GPS system and stereo were stolen, as well as data tapes containing personal and medical records of approximately 4.7 million people. SAIC, 2014 WL 1858458 at *1. Notably, the data tapes contained no financial information of the persons, and they required special hardware in order to access the data on them. SAIC notified affected persons of the breach, and lawsuits followed, alleging various for increased risk of identity theft, violation of privacy, and costs incurred from class members enrolling in credit monitoring services. Following consolidation of the lawsuits and the filing of an amended consolidated complaint, SAIC moved to dismiss. The court dismissed claims for increased risk of identity theft. Looking to the U.S. Supreme Court’s recent discussion on standing in Clapper, the court concluded the claims did not allege a concrete injury, let alone one that was “certainly impending.”
The court first determined that increased risk alone was insufficient to confer standing. Although the lawsuit alleged that plaintiffs were 9.5 times more likely to suffer identity theft as a result of the data breach, the statistical data was irrelevant because it had nothing to do with whether the alleged injury was “certainly impending”:
Plaintiffs begin by asserting that an increased risk of harm alone constitutes an injury sufficient to confer standing to sue. Due to the data breach, they claim that they are 9.5 times more likely than the average person to become victims of identity theft. Compl., ¶ 23. That increased risk, they maintain, in and of itself confers standing. But as Clapper makes clear, that is not true. The degree by which the risk of harm has increased is irrelevant—instead, the question is whether the harm is certainly impending.
Id. at *6 (emphasis added); see also Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646, 654 (S.D. Ohio 2014) (“That is, a factual allegation as to how much more likely they are to become victims than the general public is not the same as a factual allegation showing how likely they are to become victims.”).
The court then concluded that claims for increased risk of identity theft were too speculative to be “certainly impending” because they depended upon too many contingencies, including whether the thief realized that the stolen tapes contained data, had access to machinery to extract and decrypt the data, and whether the thief would use the data. Although the fear of identity theft was reasonable, fear is not enough:
. . . it is reasonable to fear the worst in the wake of such a [data] theft, and it is understandably frustrating to know that the safety of your most personal information could be in danger. The Supreme Court, however, has held that an “objectively reasonable likelihood” of harm is not enough to create standing, even if it is enough to engender some anxiety. [Citation omitted.] Plaintiffs thus do not have standing based on risk alone, even if their fears are rational.
SAIC, 2014 WL 1858458, at *7; see also Strautins v. Trustwave Holdings, Inc., 2014 WL 960816 (N.D. Ill. Mar. 12, 2014) (increased risk of future harm did not confer standing); In re Barnes & Noble Pin Pad Litig., 2013 WL 4759588 (N.D. Ill. Sept. 3, 2013) (same).
Along this same reasoning, the SAIC court also concluded that costs incurred from enrolling in credit monitoring services to prevent identity theft were insufficient to confer standing, even if enrolling in such services was “sensible”:
Nor is the cost involved in preventing future harm enough to confer standing, even when such efforts are sensible. . . . the Supreme Court has determined that proactive measures based on “fears of … future harm that is not certainly impending” do not create an injury in fact, even where such fears are not unfounded.
SAIC, 2014 WL 1858458, at *7.
In Galaria, a Ohio District Court also determined that claims for increased risk of identity theft did not satisfy Article III standing in the absence of facts showing that “such harm is ‘certainly impending.’” Galaria, 998 F. Supp. 2d at 654. According to the court, the defendant’s offer to pay for credit monitoring services as a result of the data breach into its system further minimized the likelihood of an impending injury: “Moreover, Named Plaintiffs’ allegation that Defendant offered a free year of credit monitoring and identity theft protection further supports the Court’s conclusion that risk of injury is not certainly impending.”
More recently, an Illinois District Court in Remijas v. The Nieman Marcus Group, LLC, 2014 WL 4627893 (N.D. Ill. Sept. 16, 2014) rendered similar holdings. The case involved the December 2013 Nieman Marcus security data breach in which credit card information for approximately 350,000 customers was stolen. At the time of the litigation, and unlike in SAIC and Galaria, approximately 9,200 cards holders already had incurred fraudulent charges on their credit cards. Nieman Marcus, 2014 WL 4627893 at *3. The fraudulent charges, according to the court, allowed the court to infer that the 3,200 cardholders did have their data stolen, and that the remaining cardholders were at a “certainly impending” risk of seeing similar fraudulent charges on their cards. However, the court concluded that the allegations did not permit a plausible inference that the cardholders had suffered a concrete injury to permit standing because the fraudulent charges had been reimbursed or forgiven. The court explained:
. . . I am satisfied that the potential future fraudulent charges are sufficiently “imminent” for purposes of standing. But of course, even having conceded imminence, both injuries (present and future) must still be concrete. Here, as common experience might lead one to expect, Plaintiffs have not alleged that any of the fraudulent charges were unreimbursed. On these pleadings, I am not persuaded that unauthorized credit card charges for which none of the plaintiffs are financially responsible qualify as “concrete” injuries. [Citations omitted.] Without a more detailed description of some fairly substantial attendant hardship, I cannot agree with Plaintiffs that such “injuries” confer Article III standing.
Id. at *3; see also Burton v. MAPCO Express, Inc., 2014 WL 4686479, at *5 (N.D. Ala. Sept. 12, 2014) (dismissing action with leave to amend, but explaining that because fraudulent charges from cyber data breach had been forgiven, plaintiffs were unlikely to meet the jurisdictional amount in controversy requirement). Nor did the Niemen Marcus court believe that the risk of identity theft conferred standing:
And again, I accept the inference from this that additional customers are at a “certainly impending” risk of future fraudulent charges on their credit cards. But to assert on this basis that either set of customers is also at a certainly impending risk of identity theft is, in my view, a leap too far. The complaint does not adequately allege standing on the basis of increased risk of future identity theft.
Nieman Marcus, 2014 WL 4627893 at *3-4
Costs incurred from credit monitoring services to guard against the risk of identity theft also did not confer standing because the risk of identity theft did not constitute a cognizable injury for purposes of standing:
The cost of guarding against a risk is an injury sufficient to confer standing only if the underlying harm the plaintiff is seeking to avoid is itself a cognizable Article III injury. [Citation omitted.] As discussed above, however, on these pleadings I am not satisfied that either of the future injuries claimed in the complaint are themselves sufficient to confer standing.
Id. at *4.
However, not every federal court has concluded that allegations of increased risk of identity theft do not confer standing. A critical factual issue appears to be whether the stolen personal data was specifically targeted by the data thieves. If so, standing may be found. In re Adobe Sys., Inc. Privacy Litig., 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014), is instructive.
Adobe involved the August 2013 cyber data breach suffered by Adobe that resulted in the theft of software source code and the personal information of approximately 38 million customers, including names, passwords, credit/debit card information, and addresses. Auditors later concluded that Adobe’s security protocols were flawed and did not conform with industry standards. Adobe, 2014 WL 4379916 at *2. Subsequent class actions alleging violation of California’s Customer Records Act (“CRA”), and seeking declaratory and injunctive relief, were filed and consolidated. Adobe moved to dismiss the CRA claim for lack of standing.
Plaintiffs alleged they suffered cognizable injuries-in-fact through an increased risk of identity theft and costs incurred from purchasing credit-monitoring services. The Adobe court agreed. Because the plaintiffs’ personal data had been targeted by the hackers, and that the hackers had used Adobe’s systems to decrypt the plaintiffs’ credit card information, the court determined that risk that the data would be misused was “immediate and very real.”
Not only did the hackers deliberately target Adobe’s servers, but Plaintiffs allege that the hackers used Adobe’s own systems to decrypt customer credit card numbers. . . . Indeed, the threatened injury here could be more imminent only if Plaintiffs could allege that their stolen personal information had already been misused. However, to require Plaintiffs to wait until they actually suffer identity theft or credit card fraud in order to have standing would run counter to the well-established principle that harm need not have already occurred or be “literally certain” in order to constitute injury-in-fact.
Id. at *8.
The Adobe court distinguished the case before it from others, including SAIC, on the basis that the personal information at issue had been targeted, thereby making its potential use “certainly impending”:
The facts of SAIC stand in sharp contrast to those alleged here, where hackers targeted Adobe’s servers in order to steal customer data, at least some of that data has been successfully decrypted, and some of the information stolen in the 2013 data breach has already surfaced on websites used by hackers.
Id.; see also In re Sony Gaming Networks & Customer Data Security Breach Litig., 996 F. Supp. 2d 942, 962-63 (S.D. Cal. 2014) (denying motion to dismiss and holding allegations of disclosure of personal data from data breach conferred Article III standing because of threat of resulting harm). Because the court found that the increased risk of identity theft was a cognizable injury for purposes of standing, so were costs incurred to enroll in credit monitoring services:
. . . in order for costs incurred in an effort to mitigate the risk of future harm to constitute injury-in-fact, the future harm being mitigated must itself be imminent. As the Court has found that all Plaintiffs adequately alleged that they face a certainly impending future harm from the theft of their personal data, see supra Part III.A.1.a, the Court finds that the costs . . . incurred to mitigate this future harm constitute an additional injury-in-fact.
Adobe, 2014 WL 4379916 at *9.