The federal district court for the Northern District of California held that where Plaintiffs alleged specific incidents and injuries resulting from an intentional data security breach, those Plaintiffs could survive a motion to dismiss based upon standing and related issues.

Court Denies Dismissal in Part, Based Upon Details of Alleged Data Security Breach & Injuries In re Adobe Systems, Inc. Privacy Litigation, No. 5:13-cv-5226 (N. D. Cal. 9/4/2014) (available at http://docs.justia.com/cases/federal/district-courts/california/candce/5:2013cv05226/271810/55)

Six named Plaintiffs filed a class action against Adobe Systems, Inc., for damages allegedly incurred by reason of a data security breach in which hackers allegedly obtained credit card and other personal information of up to 38 million Adobe customers. Plaintiffs asserted claims based upon the California Customer Records Act ("CRA"), Cal. Civ. Code 1798.81.5 and 1798.82 (available at http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&group=01001-02000&file=1798.80-1798.84);  the federal Declaratory Judgment Act, 28 U.S.C. 2201 (available at http://www.law.cornell.edu/uscode/text/28/2201); injunctive relief under the California Unfair Competition Law ("UCL"), Cal. Bus. & Prof. Code 17200, et seq. (available at  http://www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc&group=17001-18000&file=17200-17210); and restitution under the California UCL.

Adobe moved for dismissal of all claims based upon lack of standing, because the named Plaintiffs did not allege any injury in fact. Slip Op. at 9-10, citing Clapper v. Amnesty Int'l USA, 133 S. Ct. 1138 (2013) (available at http://www.supremecourt.gov/opinions/12pdf/11-1025_ihdj.pdf ); O'Shea v. Littleton, 414 U.S. 488 (1974) (available at https://supreme.justia.com/cases/federal/us/414/488/) (class representative must establish individual injury in fact and a case or controverys with the defendant). The Plaintiffs claimed injury in fact based upon (1) increased risk of harm from the data security breach; (2) cost to mitigate the data security breach; and (3) inadequate notice of the data security breach required by the CRA. Id., at 20. The Court granted Adobe's motion to dismiss the CRA claim in part, because the plaintiffs did not allege any injury specific to an alleged deficiency in the notice that Adobe provided pursuant to the CRA. Id., at 20.

The Court denied Adobe's remaining grounds for dismissal. In analyzing the Plaintiffs' claims of increased risk of harm, the Court harmonized its prevailing precedent in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) (available at http://cdn.ca9.uscourts.gov/datastore/opinions/2010/12/14/09-35823.pdf) withClapper. In Krottner, the Ninth Circuit held that the theft of a laptop containing unencrypted personal data conferred standing where it created a "credible threat of real and immediate harm." 628 F.3d at 1143. Adobe argued, however, that district courts almost uniformly have interpreted Clapper to require all alleged future injuries to be "certainly impending" before it could confer standing. Slip Op. at 11 (citations omitted). The Court disagreed, stating that Clapper "did not change the law of Article III standing." Id., at 13. Instead of meaning "literally certain" that an injury will occur, id., the "certainly impending" language simply rejected an alternative "objectively reasonable likelihood" standard that the Second Circuit had articulated. Id., at 12. In Clapper, the plaintiffs had not alleged that any of their communications had been compromised, or that they had been singled out for future interception under the Foreign Intelligence Surveillance Act. Nor had theClapper plaintiffs demonstrated any propensity for the government actually to intercept any of their communications successfully.

Consequently, the Court harmonized Krottner and Clapper by equating the Ninth Circuit's standard of "immediate danger of sustaining some direct injury" withClapper's language requiring a "certainly impending" threatened injury. Slip Op. at 14. The Court then held that the Adobe Plaintiffs would satisfy either Clapper orKrottner, because their information had been stolen during the data security breach and the hackers had used Adobe's own systems to decrypt their personal information. Id., at 15. Plaintiffs also alleged that some of the stolen data actually had surfaced on the internet, and had been misused to discover vulnerabilities in Adobe products. Id.

The Court also rejected Adobe's argument that mitigation costs could not confer standing because plaintiffs "cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending." Slip Op. at 17, quoting Clapper, 133 S. Ct. at 1151. Instead, the Court found that because the increased risk of specific future harm conferred standing, so did the costs incurred to mitigate the harm. Id. at 18.

Based upon its findings that the Plaintiffs had alleged sufficient injury to confer standing, the Court denied Adobe's motion to dismiss the claim for declaratory judgment. Adobe's licensing agreements stated that it would "provide reasonable administrative, technical, and physical security controls to protect your information. However ... no security controls are 100% effective and Adobe cannot ensure or warrant the security of your personal information." Slip Op., at 2-3. The Court held that for purposes of a motion to dismiss, the Plaintiffs' allegations that Adobe had failed to implement "standard industry practices" created an issue of fact whether it had provided "reasonable" security to its licensees. Id. at 24. Similarly, the Court accepted as true the allegations of four named Plaintiffs that they had relied upon Adobe's security assurances when purchasing their Adobe licenses. Id., at 28-29. The Court therefore denied Adobe's motion to dismiss the UCL claims of those four Plaintiffs, and granted the motion to dismiss injunction claims as to the two Plaintiffs who did not plead any reliance upon Adobe's security assurances. Id. at 29.

In sum, the Court held that where certain named Plaintiffs alleged specific incidents and injuries resulting from an intentional data security breach, those Plaintiffs could survive a motion to dismiss based upon standing and related issues. The Court dismissed claims where the Plaintiffs had not alleged a specific connection between an alleged violation of law and resulting injury, or where Plaintiffs had not alleged reliance upon specific statements or practices that were implicated in the injury.