With the ever-increasing amount of personal information stored online, it is unsurprising that data breach litigation has become increasingly common. A critical issue in nearly all data breach litigation is whether a plaintiff has standing to pursue claims—especially where there is no evidence of actual fraud or identity theft resulting from the purported data breach. The plaintiffs’ bar has pursued a litany of legal theories in the attempt to clear the standing hurdle, including the recent theory of “overpayment” (a/k/a “benefit of the bargain” theory). Under this theory, the plaintiff alleges that the price for the purchased product or service—whether sneakers, restaurant meals, or health insurance—included some indeterminate amount allocated to data security. Depending on how the theory is framed, the purported “injury” is either that the plaintiff “overpaid” for the product or service, or that the plaintiff did not receive the “benefit of the bargain,” because the defendant did not appropriately use the indeterminate amount to provide adequate data security. Despite plaintiffs’ attempts to establish standing through this novel theory, courts have limited its applicability in a variety of ways discussed below.

Recent Article III Standing Development

Article III standing is a prerequisite to sustaining an action in federal court.[1] To establish standing, a plaintiff must have an injury that is “concrete, particularized, and actual or imminent,” “fairly traceable to the challenged action,” and “redressable by a favorable ruling.”[2] In Spokeo, Inc. v. Robins,[3] the Supreme Court recently reemphasized that an injury must be both “concrete” and “particularized” to create standing.[4] The Supreme Court held that “concreteness” means the injury “actually exist[s],” and as applied to the facts of Spokeo, that “a bare procedural violation, divorced from any concrete harm” does not satisfy the injury-in-fact requirement of standing.[5]

Standing in Data Breach Cases

Standing is often hard to establish in the quintessential data breach case—where the plaintiff alleges that “hackers” breached the defendant’s data system and absconded with personal information. Standing is even harder to establish where the plaintiff merely alleges that the defendant’s data security is vulnerable, is easily compromised, or is not up to industry standards. In those circumstances, the plaintiffs’ bar has pursued a variety of theories as to how the plaintiff has suffered an Article III injury—which courts have often rejected—including the increased risk of identity theft,[6] time spent monitoring or guarding against potential fraud,[7] and diminished value of plaintiffs’ personal information.[8] Most recently, the plaintiffs’ bar has asserted standing based on the overpayment theory discussed above. But the theory is infirm and likely to be rejected by courts,[9] for the following reasons, among others:

First, where the plaintiff alleges only that the defendant’s data security is vulnerable but was not actually breached, courts have held that the plaintiff lacks standing—including on an overpayment theory. Courts have reasoned that there can be no harm absent actual unauthorized access to a consumer’s personal information, and even then additional evidence that injury occurred or is imminent may be necessary (i.e., evidence that the information accessed was used to commit fraud or will likely be misused).[10] Indeed, in the few cases where a court has found standing on an overpayment theory, the plaintiff’s personal information was actually breached. And in most of these cases, the plaintiff alleged that her information was either accessed by unauthorized persons with nefarious intent or that the plaintiff also suffered actual identify theft as a result of the breach.[11] In short, mere speculation that the plaintiff’s data could have or may have been disclosed to, or accessed by, a third party is insufficient to establish standing.[12]

Second, even where an actual data breach occurs, courts have analyzed the origins of the overpayment theory and rejected its application to the data breach context. The theory originated in products liability actions (i.e., that plaintiff overpaid for a product, because the product itself was defective).[13] The Seventh Circuit has stated that it is “dubious” that such a theory could be “extend[ed] … from a particular product to the operation of the entire store [where] plaintiffs allege that they would have shunned [the defendant business] had they known that it did not take the necessary precautions to secure their personal and financial data.”[14] Another court rejected the overpayment theory in the data breach context because “[t]his is not the case where consumers paid for a product, and the product they received was different from the one as advertised on the product’s packaging. Because Plaintiffs take issue with the way in which [the defendant] performed the security services, they must allege ‘something more’ than pure economic harm.”[15]

Third, and closely related to the second point above, courts have rejected the overpayment theory in data breach cases where the payment was for a good or service unrelated to data security—e.g., shoes, food, health insurance, etc.—because the good or service itself was not defective.[16] Stated differently, a “[p]laintiff could not have ‘overpaid’ for the [good or] service he purchased because he received what he paid for” where there are no defects alleged in the good or service itself.[17] One court further explained that where the amount the plaintiff paid the defendant was for a membership and where the plaintiff received all of benefits of the membership, the plaintiff “merely alleging that [the defendant]’s privacy protections were not as stringent as she believed they would be” is insufficient to create standing.[18]

Fourth, courts have rejected the “creative” foundation of the overpayment theory—namely that a plaintiff can establish standing simply by alleging that some “indeterminate” amount paid for a good or service was for data security. In some cases, courts have required plaintiffs to be more specific in their pleadings about what portion was for data security.[19] As one court put it, “[t]o the extent that Plaintiffs claim that some indeterminate part of their premiums went toward paying for security measures, such a claim is too flimsy to support standing.”[20] In data breach cases targeting a specific payment method (e.g., credit cards), courts have rejected the overpayment theory for the additional reason that the plaintiff cannot allege that the price she paid for a product contained a portion for security to protect her credit card information where a customer paying cash paid the same amount, yet needed no such security.[21]

Conclusion

The overpayment theory has not proved a panacea for the many standing problems that plaintiffs face in data breach cases. Yet, undoubtedly, the overpayment theory is not the last putative arrow in the plaintiffs’ bar’s quiver as they continue to pursue the hotbed of data breach litigation. And even if private data breach litigation is dismissed for lack of standing, there is still risk that a regulator may bring an enforcement action even absent an actual data breach, as the Consumer Financial Protection Bureau recently did.[22] At the same time, the Supreme Court’s recent holding in Spokeo––that an injury must be concrete to establish standing; “that is, it must actually exist”[23]––will unquestionably affect standing questions in data breach litigation. K&L Gates will continue to monitor developments in data breach litigation and provide regular updates.