[BreachExchange] D.C. judge: No actual damages, no claims for data breach victims

[Destry Winant]

https://uk.reuters.com/article/legal-us-otc-data-breach/dc-judge-no-actual-damages-no-claims-for-data-breach-victims-idUKKCN1PT23W

If you believe the 9th U.S. Circuit Court of Appeals in 2018’s In re
Zappos.com (888 F.3d 1020), federal appellate courts have reached a
near-consensus in the past few years about whether the victims of
corporate data breaches meet constitutional requirements to sue. With
the exception of a few outlier decisions that are distinguishable for
unusual facts, the 9th Circuit said in Zappos, the circuits courts now
agree that plaintiffs need only allege an increased risk of identity
theft to establish their constitutional right to sue the businesses
that left their personal information vulnerable to hackers.

Zappos disputes this supposed consensus and has asked the U.S. Supreme
Court to resolve the question of constitutional standing for data
breach victims whose information has not been misused. The justices
scheduled the Zappos petition for its conference last December but are
apparently holding the case until they decide what to do about the
standing issues in Frank v. Gaos, a case in which the court ordered
additional post-argument briefing on whether class members claiming
violations of the Stored Communications Act have a right to sue.

But unless and until the Supreme Court decides to wade into standing
in data breach cases, plaintiffs in at least five federal circuits –
including the 3rd, 6th, 7th, 9th and D.C. Circuits – don’t have to
worry about their right to sue. If their sensitive personal data was
breached, they have constitutional standing.

That’s just the first obstacle, though. And a ruling (2019 WL 367984)
last week by U.S. District Judge Christopher Cooper of Washington,
D.C., in a data breach class action against the health insurer
CareFirst shows that defendants can successfully repurpose arguments
about plaintiffs’ inability to show actual damages to get cases
tossed.

Judge Cooper initially dismissed the CareFirst class action in 2016,
finding that plaintiffs didn’t have standing because they hadn’t
alleged their stolen information was actually misused. In 2017, the
case was revived by the D.C. Circuit (865 F.3d 620), which said the
threat of identity theft is adequately substantial and concrete to
meet constitutional standing requirements. CareFirst’s lawyers at
Eversheds Sutherland petitioned the Supreme Court to take up the issue
of standing in data breach litigation but the justices declined.

On remand to Judge Cooper, Eversheds dusted off its old arguments
about plaintiffs’ inability to cite specific allegations about how
their data was supposedly misused – except that this time, the
dismissal motion was framed as a failure to state a claim rather than
a failure to establish constitutional standing. “The breach occurred
more than 1,400 days ago and plaintiffs’ alleged damages remain
entirely speculative,” the dismissal memo said. “Plaintiffs must plead
a tangible injury or loss of some form to sustain most of their causes
of action. Yet plaintiffs plead none. No plaintiff alleges specific
facts about how he or she has been damaged. Plaintiffs offer only
generic statements that their impending harms include time spent ‘to
protect themselves’ and costs associated with identity theft, credit
monitoring, and damage assessment services and non-specific ‘mental
and emotional pain and suffering and anguish’ as a result of the
cyberattack.”

Judge Cooper mostly agreed, in a thoughtful opinion that analyzes
recent developments in data breach litigation. (“The court
acknowledges the difficulty of applying traditional tort and contract
principles in the contemporary context of data security,” he wrote.
“It also recognizes that courts across the country have divided on a
number of important legal issues that frequently arise in data breach
litigation.”)

The judge specifically pointed out that allegations sufficient to
establish standing don’t necessarily amount to an adequate claim for
damages, as, he said, the 9th Circuit held in the landmark 2010
decision in Krottner v. Starbucks (628 F.3d 1139), one of the first
rulings to address standing for victims of data theft. In the
CareFirst case, Judge Cooper said, only two of the named plaintiffs, a
Maryland couple who allege they were the victims of tax refund fraud,
claim to have experienced a specific economic injury from the 2014
theft of CareFirst data. Under D.C. precedent, the judge said, the
risk of economic harm isn’t enough to make out a claim for negligence
or breach of duty.

The plaintiffs offered alternative damages theories: They lost the
“benefit of the bargain” they struck in purchasing policies that
purported to protect their confidential information; they suffered
consequential damages, such as the cost of purchasing credit
monitoring services, after the hack occurred; or they suffered
emotional distress. Judge Cooper, citing rulings from colleagues in
D.C. federal court rejected those theories, though he acknowledged
that other courts have gone the other way.

That’s particularly true when it comes to allegations that plaintiffs
can claim damages based on overpayment for services that didn’t live
up to security promises. Plaintiffs’ lawyers at Nidel & Nace, Paulson
& Nace and the Giatras Law Firm contended that the trend in data
breach litigation is toward acknowledging these “benefit of the
bargain” injuries. In the Yahoo and Anthem cases, for instance, U.S.
District Judge Lucy Koh of San Jose – a leading judge on data breach
class actions – agreed that plaintiffs adequately alleged economic
injuries from paying for data protection they didn’t receive.

Judge Koh’s reasoning failed to sway Judge Cooper. “Trend or no across
the country, the court declines to go beyond the decisions of its
fellow (D.C.) courts … in the absence of controlling law from the
District of Columbia Court of Appeals, especially because the standard
for alleging actual damages is generally higher than that for
plausibly alleging an injury-in-fact,” the judge wrote.

Judge Cooper similarly broke with judges in other major data breach
class actions on the question of whether defendants have a common-law
duty, in addition to a contractual obligation, to safeguard customer
data. CareFirst asserted that its customers cannot claim negligence,
fraud or other torts based on a breach of the insurer’s contractual
duty. As Judge Cooper acknowledged, many federal courts have held that
defendants have a basic responsibility to protect customer data and
can be liable for negligence when they fail to exercise that
responsibility. Judges have allowed data breach class actions against
Sony, Arby’s, Home Depot and Target to move forward under that theory.
But the judge found reasons to distinguish the facts in those cases
from those alleged against CareFirst, which isn’t accused, for
instance, of specifically ignoring warnings about data security or of
affirmatively acting to weaken data protections.

In the end, Judge Cooper left standing only a breach of contract claim
and a Maryland consumer protection claim by the couple who claimed
their stolen data was used in a tax refund fraud.

It’s not clear whether plaintiffs whose claims were entirely dismissed
can quickly appeal Judge Cooper’s ruling or must ask for an
interlocutory appeal. I reached out to Jonathan and Christopher Nace
but didn’t hear back. CareFirst counsel Matt Gatewood declined to
comment.