[BreachExchange] Hold On, You Didn’t Overpay for That: Courts Address New “Overpayment” Theory from Plaintiffs in Data Breach Cases
Audrey McNeil
audrey at riskbasedsecurity.com
Fri Aug 12 13:56:40 EDT 2016
http://www.lexology.com/library/detail.aspx?g=80330208-7e98-47ad-925b-
341e54e81eef
With the ever-increasing amount of personal information stored online, it
is unsurprising that data breach litigation has become increasingly common.
A critical issue in nearly all data breach litigation is whether a
plaintiff has standing to pursue claims—especially where there is no
evidence of actual fraud or identity theft resulting from the purported
data breach. The plaintiffs’ bar has pursued a litany of legal theories in
the attempt to clear the standing hurdle, including the recent theory of
“overpayment” (a/k/a “benefit of the bargain” theory). Under this theory,
the plaintiff alleges that the price for the purchased product or
service—whether sneakers, restaurant meals, or health insurance—included
some indeterminate amount allocated to data security. Depending on how the
theory is framed, the purported “injury” is either that the plaintiff
“overpaid” for the product or service, or that the plaintiff did not
receive the “benefit of the bargain,” because the defendant did not
appropriately use the indeterminate amount to provide adequate data
security. Despite plaintiffs’ attempts to establish standing through this
novel theory, courts have limited its applicability in a variety of ways
discussed below.
Recent Article III Standing Development
Article III standing is a prerequisite to sustaining an action in federal
court.[1] To establish standing, a plaintiff must have an injury that is
“concrete, particularized, and actual or imminent,” “fairly traceable to
the challenged action,” and “redressable by a favorable ruling.”[2] In
Spokeo, Inc. v. Robins,[3] the Supreme Court recently reemphasized that an
injury must be both “concrete” and “particularized” to create standing.[4]
The Supreme Court held that “concreteness” means the injury “actually
exist[s],” and as applied to the facts of Spokeo, that “a bare procedural
violation, divorced from any concrete harm” does not satisfy the
injury-in-fact requirement of standing.[5]
Standing in Data Breach Cases
Standing is often hard to establish in the quintessential data breach
case—where the plaintiff alleges that “hackers” breached the defendant’s
data system and absconded with personal information. Standing is even
harder to establish where the plaintiff merely alleges that the defendant’s
data security is vulnerable, is easily compromised, or is not up to
industry standards. In those circumstances, the plaintiffs’ bar has pursued
a variety of theories as to how the plaintiff has suffered an Article III
injury—which courts have often rejected—including the increased risk of
identity theft,[6] time spent monitoring or guarding against potential
fraud,[7] and diminished value of plaintiffs’ personal information.[8] Most
recently, the plaintiffs’ bar has asserted standing based on the
overpayment theory discussed above. But the theory is infirm and likely to
be rejected by courts,[9] for the following reasons, among others:
First, where the plaintiff alleges only that the defendant’s data security
is vulnerable but was not actually breached, courts have held that the
plaintiff lacks standing—including on an overpayment theory. Courts have
reasoned that there can be no harm absent actual unauthorized access to a
consumer’s personal information, and even then additional evidence that
injury occurred or is imminent may be necessary (i.e., evidence that the
information accessed was used to commit fraud or will likely be
misused).[10]Indeed, in the few cases where a court has found standing on
an overpayment theory, the plaintiff’s personal information was actually
breached. And in most of these cases, the plaintiff alleged that her
information was either accessed by unauthorized persons with nefarious
intent or that the plaintiff also suffered actual identify theft as a
result of the breach.[11] In short, mere speculation that the plaintiff’s
data could have or may have been disclosed to, or accessed by, a third
party is insufficient to establish standing.[12]
Second, even where an actual data breach occurs, courts have analyzed the
origins of the overpayment theory and rejected its application to the data
breach context. The theory originated in products liability actions (i.e.,
that plaintiff overpaid for a product, because the product itself was
defective).[13] The Seventh Circuit has stated that it is “dubious” that
such a theory could be “extend[ed] … from a particular product to the
operation of the entire store [where] plaintiffs allege that they would
have shunned [the defendant business] had they known that it did not take
the necessary precautions to secure their personal and financial data.”[14]
Another court rejected the overpayment theory in the data breach context
because “[t]his is not the case where consumers paid for a product, and the
product they received was different from the one as advertised on the
product’s packaging. Because Plaintiffs take issue with the way in which
[the defendant] performed the security services, they must allege
‘something more’ than pure economic harm.”[15]
Third, and closely related to the second point above, courts have rejected
the overpayment theory in data breach cases where the payment was for a
good or service unrelated to data security—e.g., shoes, food, health
insurance, etc.—because the good or service itself was not defective.[16]
Stated differently, a “[p]laintiff could not have ‘overpaid’ for the [good
or] service he purchased because he received what he paid for” where there
are no defects alleged in the good or service itself.[17] One court further
explained that where the amount the plaintiff paid the defendant was for a
membership and where the plaintiff received all of benefits of the
membership, the plaintiff “merely alleging that [the defendant]’s privacy
protections were not as stringent as she believed they would be” is
insufficient to create standing.[18]
Fourth, courts have rejected the “creative” foundation of the overpayment
theory—namely that a plaintiff can establish standing simply by alleging
that some “indeterminate” amount paid for a good or service was for data
security. In some cases, courts have required plaintiffs to be more
specific in their pleadings about what portion was for data security.[19]
As one court put it, “[t]o the extent that Plaintiffs claim that some
indeterminate part of their premiums went toward paying for security
measures, such a claim is too flimsy to support standing.”[20] In data
breach cases targeting a specific payment method (e.g., credit cards),
courts have rejected the overpayment theory for the additional reason that
the plaintiff cannot allege that the price she paid for a product contained
a portion for security to protect her credit card information where a
customer paying cash paid the same amount, yet needed no such security.[21]
Conclusion
The overpayment theory has not proved a panacea for the many standing
problems that plaintiffs face in data breach cases. Yet, undoubtedly, the
overpayment theory is not the last putative arrow in the plaintiffs’ bar’s
quiver as they continue to pursue the hotbed of data breach litigation. And
even if private data breach litigation is dismissed for lack of standing,
there is still risk that a regulator may bring an enforcement action even
absent an actual data breach, as the Consumer Financial Protection Bureau
recently did.[22] At the same time, the Supreme Court’s recent holding in
Spokeo––that an injury must be concrete to establish standing; “that is, it
must actually exist”[23]––will unquestionably affect standing questions in
data breach litigation. K&L Gates will continue to monitor developments in
data breach litigation and provide regular updates.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160812/15286799/attachment.html>
More information about the BreachExchange
mailing list