Case No. 14-CV-09600RGK (June 15, 2015 Decision)

On Monday, Judge Klausner of the United States District Court for the Central District of California denied Sony’s motion to dismiss plaintiffs’ data breach claims for lack of Article III standing. Below is a brief description of the court’s ruling. Click here to view the decision.

Sony argued plaintiffs, former Sony employees, who had their personal identifiable information (PII) stolen due to a security breach, lacked standing because they failed to allege a current injury or a threatened injury that is certainly impending. In addressing the issue, the court first recognized the “real and immediate harm” standard the Ninth Circuit put forth in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), and then noted the “threatened injury must be certainly impending to constitute injury in fact” that the U.S. Supreme Court put forth in Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138 (2013).  The court then relied on In re Adobe Systems, Inc. Privacy Litig., 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014) to find that although the U.S. Supreme Court used slightly different language in Clapper, the “injury-in-fact” standard put forth in Krottner remained unchanged. Applying this standard, the court concluded that because plaintiffs alleged their PII was stolen and posted on file-sharing websites for identity thieves to download, and their PII had been used to send emails threatening personal harm to employees and their families, “there was credible threat of real and immediate harm or certainly impending injury,” and the plaintiffs therefore have Article III standing.

Ultimately the court allowed the following claims to proceed: (1) Negligence (based upon breach of duty to maintain adequate security measures); (2) Violation of California Confidential Medical Information Act (CMIA); (3) Violation of the Uniform Competition Law (UCL), and (4) Declaratory Judgment. The court granted Sony’s motion to dismiss without leave to amend in relation to the following claims: Breach of Implied Contract (no facts indicating Sony’s acts intended to frustrate purpose of employment agreement), Violation of California Customer Records Act (CRA)(former employees are not customers), Violation of Virginia Code sec. 18.2-186.6 (no injury resulting from Sony’s alleged untimely notification and no economic damages alleged), and Violation of the Colorado Consumer Protection Act (no private cause of action). 

Given the vast majority of courts throughout the county have applied Clapper to similar data breach claims and found no Article III standing, it seems likely that, to the extent possible, going forward plaintiffs’ attorneys will continue to file such data breach claims in California as it is one of the few jurisdictions where plaintiffs can overcome the Article III standing hurdle.