“This is the Voice of Doom speaking! Special bulletin! Flash! The sky is falling! A piece of it just hit you on the head! Now be calm. Don't get panicky. Run for your life!” Foxy Loxy
Much has been written recently about a decision by the 7th Circuit Court of Appeals in Remijas v. Neiman Marcus Groups LLC, 2015 WL 4394814 (7th Cir. July 20, 2015) (Remijas). In Remijas, a class of Neiman Marcus customers was found to have standing to sue under Article III of the U.S. Constitution arising from a data breach incident involving the department store chain. Standing was based not on any actual damage to the Neiman customers but upon the claimed risk of future fraudulent charges and susceptibility to theft because of the breach. This flies in the face of a number of recent decisions, which, based on Clapper v. Amnesty International, 133 S. Ct. 1138, 185 L. Ed. 2d 264 (2013), rejected standing arguments based on threatened - but not actual - harm from data breaches.
As a result, many commentators concluded that the “sky is falling” for defendants in data breach litigation. And the decision is contrary to the trend and may prove to be an important milestone. But before we all conclude the flood gates are now open, it’s important to see where we have been and where we may go.
Data Breach Standing: Where Have We Been?
The first significant case dealing with standing in the data breach context was Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010). Article III standing existed for some 97,000 Starbucks employees whose personal information was contained on a stolen laptop. The Court determined that the increased threat of theft of personal data on the purloined laptop conferred standing, even though no actual theft of that data (as opposed to the laptop) had occurred.
Three years later, however, the Supreme Court decided Clapper, a bellwether decision for data breach litigation even though it involved no breach. Read broadly, Clapper held that fear of the interception of private information and the cost of trying to protect one’s data does not constitute sufficient injury to confer standing to sue:
They [plaintiffs] claim that they suffer ongoing injuries that are fairly traceable to § 1881a because the risk of § 1881a surveillance requires them to take costly and burdensome measures to protect the confidentiality of their communications. But respondents cannot manufacture standing by choosing to make expenditures based on hypothetical future harm that is not certainly impending. Because they do not face a threat of certainly impending interception under § 1881a, their costs are simply the product of their fear of surveillance, which is insufficient to create standing. See Laird v. Tatum, 408 U. S. 1, 10-15. Accordingly, any ongoing injuries that respondents are suffering are not fairly traceable to § 1881a. Pp. 16-20.
Read more narrowly, however, Clapper recognized that Article III did not require actual injury to confer standing; instead, a possible future injury that was “imminent,” “not speculative” and “certainly impending” might be sufficient.
Read this way, the Clapper plaintiffs simply failed to supply the requisite proof of the imminent harm: “…respondents’ theory of standing, which relies on a highly attenuated chain of possibilities, does not satisfy the requirement that threatened injury must be certainly impending.” Thus, Clapper may stand for the notion that data breach standing was and is a factually specific inquiry.
Nevertheless, Clapper was relied upon in a plethora of decisions, some very recent, which carte blanche rejected the notion of standing in the data breach context based on the perceived absence of actual harm:
- Carlson v GameStop Inc. (Civil Action No 14-3131, MN. June, 2015)
- Green v. EBay Inc. 2015 WL 2066531 (E.D.La. May, 2015)
- Storm v. Paytime Inc., 2015 WL 1119724 (M.D. Pa. March, 2015)
- Peters v St Joseph Servs. Corp. 2015 WL 589561 (S.D. Texas February, 2015)
- Lewert v. P.F. Chang’s China Bistro Inc. 2014 WL 70005097, (N.D. Il. December, 2014)
- Galaria v. Nationwide Mutual Insurance Co. 2014 WL 689703 (S.D. Oh., February, 2014)
- In re SAIC Backup Tape Data Theft Litigation 2014 WL 1858458 D.C. (D.C. June, 2014)
- Burton v. MAPCO Exp. Inc. 2014 WL 4686479 (N.D. Ala., September, 2014)
- U.S. Hotel & Resort Management Inc. v. Onity Inc. 2014 WL 3748639 (D. MN. July, 2014)
- In Re Barnes & Noble Pin Pad Litig. 2013 WL 4759588, (N.D. Il., September 2015)
See also: Lambert v Hartman 517 F2d 433 (6th Cir 2008); Reilly v. Ceridian Corp., 664 F.3d 38 (3rd Cir. 2011); Brit Ins Holdings N.V. v Krantz 2012 WL 28342 (N.D.Ohio, Jan. 5, 2012); and Giordano v. Wachovia Sec. LLC, 2006 WL 2177036 (D.N.J. July 31, 2006).
And even courts within the 9th Circuit appeared to accept that Clapper was controlling. In In Re Zappos.Com Customer Data Breach Security Breach Litigation (3:12-cv-00325-RCJ-VPC, June 2015), the Court held that the increased risk of revelation of personally identifiable information cannot provide standing and specifically noted that the majority of decisions post-Clapper had not recognized that future risk of harm conferred standing.
These decisions with Clapper led some commentators to suggest that if data breach class action litigation was not dead, it was on life support. See:
What is next in consumer data breach litigation? (from Inside Counsel)
Zappos proposed data breach class action litigation dismissed (Robinson+Cole)
Another Data Breach Class Action Dismissed for Lack of Injury (White and Williams LLP)
But Not So Fast…
Even before Remijas, other courts, primarily within the 9th Circuit’s jurisdiction, found to the contrary. Following Krottner, some courts seemed more than willing to confer standing even if there was no actual damage, based on the presence of a “credible threat of harm” that was “real and immediate.” In In re Adobe Sys. Inc. Privacy Litigation, 2014 WL 4379916 (N.D. Cal. September, 2014), a district court distinguished Clapper and found that where a hacker had spent several weeks inside the system collecting data, there was a credible threat of impending harm even when no misuse of the data had yet occurred. See also In re Sony Gaming Networks & Customer Data Sec Breach Litig. 996 F. Supp 2d 942 (S.D. Cal. 2014). And at least one lower court outside California reached a similar result. Moyer v. Michaels Stores Inc. 2014 WL 3511500 (N.D. Ill., July, 2014).
More recently, in the Target data breach litigation in a Minnesota federal court, Judge Magnuson found plaintiffs had sufficient injuries for standing purposes because they suffered costs “including unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills and late payment charges or new card fees.” Even though Target argued vehemently that plaintiffs failed to plead all these charges were not reimbursed, the Court held this requirement - which stems directly from Clapper - set “too high a standard,” in essence rejecting Clapper. In Re Target Corp. Customer Data Breach Security Litig., 2014 WL 6775314 (D. MN. December 2014). See also our previous Class Counsel Blog post "Opening the Rule 23 Floodgates: Did plaintiffs just hit the Data Breach Bulls-Eye?"
Other courts have found standing, not based on an imminent threat, but on some notion that the information put at risk was devalued. See Svenson v. Google Inc. 2015 WL 1503429; and "Google Wallet: What's Your Privacy Really Worth and Do you have the Class Action Standing to Protect It?"
Remijas: a Sea Change?
In Remijas, the 7th Circuit distinguished Clapper because the Clapper plaintiffs established only a “risk” that private messages would be intercepted. The Remijas Court noted that the customer data had been stolen and that, as a result, many things could occur post-breach that made an actual loss certain. Reading Clapper narrowly and with frankly little real analysis, the Remijas Court assumed an actual loss would occur, without demanding specific proof: that a breach occurred and some data was stolen created the impending certainty of harm out of whole cloth. Demonstrating the axiom that no good deed goes unpunished, Neiman Marcus’ effort to provide free monitoring protection to customers was also turned against it: such prophylactic measures, said the Court, were themselves evidence of the certainty of harm!
So Where Does This Leave Us?
Clapper can no longer be counted on as the silver bullet for class action data breach efforts, if it ever was. Perhaps now more than ever, the future of litigation regarding data breaches remains unsettled and fluid. (“Is Cyber Liability Coverage as Essential as P&C Coverage?” by Elissa Doroff and Nancy Kelly.)
As we commented in our Target-related post mentioned above, the number and severity of data breaches have placed pressure on the judiciary to find solutions and remedies for those who understandably fear what might happen to them.
On the other hand, two cases coming before the Supreme Court may soon help define Article III standing: Robins v. Spokeo Inc. and Tyson Foods v. Bouaphakeo both deal with related issues of whether statutory penalties can create standing and the viability of class actions where many of the putative class members have no injury (although neither case involves data breach directly). The decisions and reasoning of the Court may be helpful in future standing interpretations. See our recent posts "Google Wallet..." and "On the Brink of a Class Action Sea Change?: SCOTUS to Hear Robins and Critical Standing Issues."
And the chip and sign technology, which may become prevalent after October, 2015, may hold the promise of reducing the risks and severity of data breaches and consequently diminishing the need to fashion remedies where data breach damage is merely threatened.
But it cannot be denied that a beachhead has been established and a colorable standing claim - even where the damage is not concrete - can now be made.
What’s a Poor Defendant to Do?
The bottom line is that standing in data breach class action cases has become, and perhaps always was, a factual issue.
It’s important to realize and understand the factual issues involving standing: does the breach in fact present a credible imminent threat of harm or does it, as in Clapper and In Re Zappos, present only a speculative one?
The key to success for defendants is understanding the difference and knowing how to marshal the facts to diminish the concrete nature of any threat. Courts have recognized these facts, among others, as being significant to this inquiry:
- Can the perceived harm only be avoided with judicial intervention?
- Was monitoring protection offered post-breach?
- What did the breach consist of? What are the chances and risks that the breach could actually result in a loss?
- Is the threat credible only if an independent third party takes specific action to use the material?
- How many plaintiffs purchased credit card monitoring protection?
- Has anyone whose data was stolen suffered fraudulent charges?
- How much time passed between the breach and any actual harm?
- Did an identity theft occur, and if so, to what extent?
- Was personally identifiable information compromised? Stolen?
- How long were the hackers collecting data within the system?
Just as experienced counsel have long used aggressive discovery and factual development to defeat class certification - which also presents fact-specific issues that are sometimes ignored - early factual development and investigation can successfully rebut claims of immediacy and certainly impending harm. Now more than ever, using discovery and investigation tools is critical in the early stages of a case to mount a successful standing attack.