[BreachExchange] Two More Circuits Find Data Breach Standing without Proof that Plaintiffs’ Data Was Misused

[Audrey McNeil]

https://www.jdsupra.com/legalnews/two-more-circuits-find-data-breach-27257/

Data breaches have become commonplace. Despite the best efforts of many,
identity thieves and hackers always seem to find a new vulnerability
somewhere in the system of virtually every company that conducts business
online. And, as the recent Facebook debacle reveals, sometimes data is even
shared with legitimate third parties in ways customers neither realized nor
anticipated.

The Battle for Standing

Standing is a hotly contested battleground when a data breach spawns class
action litigation. After all, we regularly give our credit cards to waiters
and store clerks; we regularly publicize our email addresses in all sorts
of unsecure ways; and much of our other personal information is readily
available in one public forum or another. In all likelihood, after years of
recurring data breaches, each of us has probably had our personal
information exposed in more than one of these privacy incidents. So, why
should the compromise of personally identifiable information absent misuse
of that data traceable to a specific breach confer standing on anyone to
sue any particular data breach defendant?

Courts have struggled with this issue over the years. On the one hand,
Article III requires concrete actual injury or at least impending actual
injury in order for a plaintiff to have standing to invoke federal
jurisdiction. On the other hand, though, there is a growing concern in
America that those who collect customer data should pay a price for not
properly safeguarding it.

These tensions are reflected in a wide variety of standing decisions in the
data breach context.  Some courts (see decisions in Reilly v. Ceridian and
Beck, et al. v. McDonald, et al.) have taken a dim view of the threat of
future harm, i.e., an increased likelihood of future identity theft, as a
proffered basis of Article III standing. Others (see decision in In re
SuperValu, Inc. Customer Data Security Breach Litigation) have questioned
the basis for standing where breaches only involve credit card information,
but not enough information for bad actors to open new credit accounts.
Still though, other courts have bent over backwards to find standing in the
data breach context, arguing that time spent protecting oneself from a data
breach (see Galaria/Hancox v. Nationwide Mut. Ins. Co.) or even the
increased likelihood of data misuse (see Attias v. CareFirst, Inc.) is
enough to confer Article III standing. Earlier this year, the Supreme Court
declined to still the waters, denying CareFirst’s cert position challenging
the D.C. Circuit’s conclusion that fear of future data misuse was enough to
confer standing, despite clear circuit splits over that analysis.

So, the lower court disarray over standing continues to fester. In recent
days, two more circuits have joined the side of class action plaintiffs in
finding standing without data misuse.

The Ninth Circuit

The Ninth Circuit, in In re Zappos.com, found sufficient standing where
plaintiffs’ allegations were based on an “increased risk of identity
theft.” Early 2012, the servers of an online retailer were breached. During
the breach, the personal information—names, account numbers, passwords,
credit card information, etc.— of over 24 million customers was
compromised. Several of the affected customers filed class actions, which
were consolidated at the pretrial proceedings stage. Specifically, the
plaintiffs involved with the recent ruling did not allege that they
experienced any kind of financial loss from identity theft. Initially, the
trial court dismissed the plaintiffs’ claim for lack of Article III
standing. On appeal, the Ninth Circuit was tasked with deciding whether
plaintiffs had standing based on the alleged risk of future harm.

Previously, the Ninth Circuit handled Article III standing of victims of
data theft (see Krottner v. Starbucks Corp.). There, a laptop containing
the personal information of almost 100,000 employees was stolen. Some of
the affected employees sued, alleging that their harm was an “increased
risk of future identity theft.” The Ninth Circuit held that the increased
risk was enough to merit standing, finding that plaintiffs had “alleged a
credible threat of real and immediate harm” due to the theft of the laptop
containing their personally identifiable information.

In Zappos.com, the retailer asserted that the Supreme Court’s latest
finding (see Clapper v. Amnesty International USA) meant that Krottner was
inapplicable to the case at hand. The Clapper plaintiffs argued that for
Article III standing, alleging that “there [was] an objectively reasonable
likelihood that their communications [would] be acquired ‘at some point in
the future.’” The Supreme Court ruled that “an objectively reasonable
likelihood” of injury was insufficient where plaintiffs argument depended
on a series of inferences that was “too speculative” to comprise a
cognizable injury. In Krottner, unlike Clapper, no speculation was needed
where the laptop thief already had all the information necessary to open
accounts and cause financial harm to plaintiffs.

Accordingly, the Ninth Circuit, having decided that Krottner and
Clapperwere not irreconcilable, concluded that Krottner was applicable to
the Zappos plaintiffs’ claims. The Zappos plaintiffs alleged both that the
compromised information could be used to commit identity theft and that
their credit card numbers had been breached, leading the Ninth Circuit to
find that bad actors could immediately cause plaintiffs harm. The court
also pointed to other plaintiffs within the case who had already suffered
identity theft as a result of the breach. The court determined that the
Zapposplaintiffs sufficiently alleged an injury in fact under Krottner.

The court assessed the remaining Article III requirements: whether the
alleged risk of future harm is “fairly traceable” to the conduct
challenged, and whether the injury will be redressed by the litigation.
Relying on a case (see Remijas v. Neiman Marcus Group, LLC) where the
Seventh Circuit ruled “[t]he fact that some other store might [also] have
caused the plaintiffs’ private information to be exposed does nothing to
negate the plaintiffs’ standing to sue” and their injury was nonetheless
“fairly traceable” to the defendant’s data breach, the Ninth Circuit
determined that even if plaintiffs suffered identity theft caused by data
stolen in other breaches, those compromised would not negate their standing
to sue in the case at hand. Further, the court found that the risk of
identity theft was redressable by relief that could be obtained through
this litigation and compensation through damages. Consequently, the Ninth
Circuit reversed the trial court’s judgment as to plaintiffs’ standing and
remanded the case for further consideration.

The Seventh Circuit

Similarly, the Seventh Circuit has reinstated a data breach class action
filed against Barnes & Noble (see Dieffenbach v. Barnes & Noble, Inc.). The
case was previously dismissed—three times— by the U.S. District Court for
the Northern District of Illinois for lack of standing.

In 2012, “skimmers” breached the payment terminals in B&N stores, siphoning
off customer information, e.g., names, payment card numbers, PINs, etc.
Customer card information was stolen from terminals in over 60 B&N stores.
Following the breach, plaintiffs filed a putative class action alleging (1)
breach of implied contract (to secure payment card data); (2) violation of
the Illinois Consumer Fraud & Deceptive Practices Act (ICFA); (3) violation
of the California Security Breach Notification Act (DBNA); and (4)
violation of the California Unfair Competition Act (UCA). In 2013, the
district court first dismissed plaintiffs’ complaint without prejudice for
lack of standing, ruling that plaintiffs failed to allege pecuniary harm.

In 2016, B&N submitted a motion to dismiss the amended complaint. Before
the motion was submitted, however, the Seventh Circuit decided Remijas.
Despite Remijas, the district court again dismissed the complaint, noting
that while plaintiffs could merit standing based on the risk of future
identity theft, plaintiffs still failed to allege “cognizable damages.” In
2017, the same district court, albeit a different judge, dismissed
plaintiffs’ second amended complaint, finding that plaintiffs had not
alleged any economic harm as a result of the breach.

The Seventh Circuit vacated the district court’s dismissal, finding that
plaintiffs’ second amended complaint satisfied pleading standards relative
to the injuries alleged from the breach. The court explained that alleging
injury-in-fact for standing also meets the requirement of alleging a
cognizable injury and entitlement to damages. Further, the court noted that
“the federal rules [of civil procedure] do not require plaintiffs to
identify items of loss (except for special damages).” Specifically, Federal
Rule of Civil Procedure 8(a)(3) does not require plaintiffs to allege the
details of their injury, and Rule 54(c) entitles plaintiffs to any legally
available relief, regardless of whether the relief is pled in the complaint.

The court then looked to the injuries alleged by plaintiffs—loss of access
to personal funds, time spent with law enforcement and banking
representatives, deactivation of card, monthly charges for credit
monitoring, etc.—determining that they were sufficient to meet the
cognizable damages requirements under several of the plaintiffs’ claims.

Looking Forward

It appears that a new trend is emerging at least in some of the more
class-friendly circuits: finding standing in data breach class actions
despite the absence of actual financial harm suffered by the plaintiffs.
Likely, courts are attempting to respond to the proliferation of larger,
more costly data breaches, as well as to a paradigmatic shift in
sensitivity and senses of ownership over individual data. Regardless of the
reasoning, it is evident that more and more plaintiffs’ counsel in data
breach suits will bring their actions in these more favorable venues so as
to be more assured of surviving standing inquiries. Businesses need to
consider how best to prepare themselves for more vigorous, involved
litigation in the data breach context. This includes planning for data
breach litigation long before the data breach hits. Businesses should start
by identifying and retaining knowledgeable, reliable outside data breach
counsel, working with counsel to identify and retain reliable outside data
breach response vendors, and doing all of that in coordination with their
cyber liability insurance carriers. Those who lack cyber liability coverage
should look into the coverage currently available, as this is more of a
buyer’s market than it once was. Data breaches are interdisciplinary; they
require a comprehensive team of legal, forensic, technological, and
marketing professionals to fully and accurately assess, respond to, and
ultimately remediate the damage done. Businesses cannot afford to wait
until after a breach has occurred to assemble their response teams. The
cost of procrastination is simply too high.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180424/f89af9cd/attachment.html>