Among the multitude of unpleasant issues facing a company whose network has been breached is potential liability to customers and employees whose personal information has been compromised. However, recent district court decisions from around the country continue to limit the opportunity of those customers and employees to have their day in court. Specifically, these cases have held that, in order for a customer or employee whose data has been stolen to gain standing to sue the company that experienced the breach, the customer or employee must show that the stolen data was, in fact, used to the customer or employee’s financial detriment. And such financial detriment must be “concrete.” Increased risk of future harm does not suffice, damages are not recoverable for “mitigation” measures – such as the purchase of credit monitoring services – taken to protect against speculative future harm, and an individual’s allegations that he fears such future harm will generally not be enough to establish a claim for emotional distress.
In Green v. eBay Inc., the U.S. District Court for the Eastern District of Louisiana dismissed a putative class action brought on behalf of eBay customers whose data was stolen when eBay user information was hacked. The suit alleged that, as a result of eBay’s security failure, Plaintiffs suffered (a) actual identity theft, (b) improper disclosure of their personal information, (c) out-of-pocket expenses incurred to mitigate the increased risk of identity theft and/or identify fraud, (d) the value of the time they had spent mitigating identity theft and/or identity fraud, and (e) the deprivation of the value of their personal information. eBay’s failure, Plaintiffs alleged, violated the Federal Stored Communications Act, the Fair Credit Reporting Act, the Gramm-Leach-Billey Act, and several state laws. The Court disagreed. Noting that the “mere increased risk of identity theft or identify fraud alone does not constitute a cognizable injury[,] unless the harm alleged is certainly impending,” the Court dismissed the suit in its entirety.
Similarly, in Strautins v. Trustwave Holdings, Inc., the U.S. District Court for the Northern District of Illinois granted Defendant’s motion to dismiss Plaintiffs’ class action lawsuit seeking damages stemming from the hacking of the South Carolina Department of Revenue. The data breach had exposed in excess of 3.5 million social security numbers, 380,000 credit and debit card numbers, and the tax records of more than 650,000 businesses. Plaintiffs alleged that they had not received timely and adequate notification of this breach, and that the breach had resulted in the improper disclosure of their personal information, loss of privacy, the need to incur out-of-pocket mitigation expenses (relating both to dollars spent and time expended), and deprivation of the value of their personal identifying information. They also alleged that Defendant, by failing to protect their data, had violated their rights under the Fair Credit Reporting Act. The Court, however, found that Plaintiffs’ “claims of injury . . . [were] too speculative to permit the complaint to go forward.” “Allegations of possible future injury are not sufficient to establish standing,” the Court held. Instead, the “threatened injury must be certainly impending.” (Emphasis in original.)
Even if a plaintiff can show that a hacker used the data it stole from plaintiff’s employer or merchant, such use may not suffice to confer standing on the plaintiff, unless he can also show that he suffered financial harm as a result. In Peters v. St. Joseph Services Corp., for example, hackers infiltrated a health care system provider’s network and accessed personal information of patients and employees, including names, social security numbers, birthdates, addresses, medical records, and bank account information. Even though there was an attempted purchase on Plaintiff’s credit card, which she declined when she received a fraud alert, the U.S. District Court for the Southern District of Texas held that Plaintiff did not have standing to bring suit. The basis for the Court’s holding was that Plaintiff’s allegation that the breach exposed her to certainly impending or substantial risk of identity fraud/theft was too speculative and attenuated to constitute injury-in-fact. Notably, she was unable to “describe how [she would] be injured without beginning the explanation with the word ‘if.’”
Notwithstanding the above decisions, companies should continue striving to establish legal and technological protections against data breaches and exposure to related liability. Even where class actions and other litigations fail, federal agencies and state attorneys general may continue to investigate data breaches and take enforcement actions. (Many have, the Massachusetts Attorney General being one example.) These actions can include, among other things, significant fines and increased oversight of the company’s data privacy and security compliance. And, of course, the potential consequences of data breaches do not end there. Companies that experience a breach may also suffer damage to their brand and to employee morale.