Two recent decisions add to the increasing body of caselaw surrounding standing in data breach cases. On September 11, 2014, a Washington federal judge dismissed all but two plaintiffs from a data privacy lawsuit for lack of standing. See Mendoza v. Microsoft Inc., No. 14-cv-00316, 2014 U.S. Dist. LEXIS 127736 (W.D. Wash. Sept. 11, 2014). The plaintiffs claimed that, after they had cancelled their Xbox Live subscriptions, Microsoft retained information about them, including names and credit card information, and sold it to data mining companies. Microsoft argued that the claims failed to identify cognizable injuries, requiring dismissal, and the court agreed. “Absent [from the complaint] is any allegation as to who Microsoft disclosed this information to, when the disclosures occurred, and how they occurred, let alone that these acts particularly injured the named plaintiffs.” Mendoza, supra, at *8. Thus, the claims were dismissed. On September 16, 2014, an Illinois federal judge reached a similar result, dismissing claims arising out of a data breach at Neiman Marcus. Remijas v. Neiman Marcus Group, No. 14-cv-01735, 2014 U.S. Dist. LEXIS 129574 (N.D. Ill. Sep. 16, 2014).
The Neiman Marcus decision is consistent with another Northern District of Illinois dismissal decision, In re Barnes & Noble Pin Pad, 12-cv-08617, 2013 U.S. Dist. LEXIS 125730 (N.D. Ill. Sept. 3, 2013) (plaintiffs lacked standing because they failed to allege any injury resulting from a data breach). Similarly, an Ohio federal court was also hesitant to grant standing when an actual injury was in question. See Galaria v. Nationwide Mut. Ins. Co., No. 2:13-cv-00257, 2014 U.S. Dist. LEXIS 23798 (S.D. Ohio Feb. 10, 2014) (plaintiffs lacked standing because the customers failed to allege an injury arising from a statutory violation or prohibition).
Other courts, however, are more lenient with standing in this consumer context, allowing cases to go forward when no injury has been claimed. In Resnick v. AvMed, Inc., 693 F.3d 1317, 1321 (11th Cir. 2012), the 11th Circuit Court of Appeals held that customers who had not experienced identity theft had standing because of monthly premiums they had paid to AvMed, which used the premiums to pay for data security costs. Id. In February 2014, the Florida District Court approved a $3 million settlement agreement between the plaintiffs and AvMed. See Curry v. AvMed, Inc., 2014 U.S. Dist. LEXIS 48485 (S.D. Fla. Feb. 28, 2014).
The Supreme Court of West Virginia agreed with the 11th Circuit in a recent case involving an accidental disclosure of personal health information of patients of the Charleston Area Medical Center. The court held that class action plaintiffs did have standing to bring causes of action for breach of confidentiality and invasion of privacy even without a showing that personal information had been misused. The court held that the legal interest in having medical information kept confidential was sufficient to allow the claims to go forward. Tabata v. Charleston Area Med. Ctr., Inc., 759 S.E.2d 459 (W. Va. 2014).
Given the uncertainty surrounding standing in data breach litigation, it is critical to stay up-to-date on state and federal precedent, both to ensure litigation risks are mitigated and to assist with litigation strategies.