A recent California federal district court order may prove a massive boon to data breach class action plaintiffs. The Northern District of California order, issued in In re Adobe Systems, Inc. Privacy Litigation, denied Adobe’s motion to dismiss. The court found that the plaintiffs have standing to sue based on their now-increased risk of future harm due to the alleged compromise of their confidential information by hackers who gained unauthorized access to Adobe’s systems.
This ruling breaks with the majority view that increased risk of identity theft following a data breach is insufficient to satisfy the standing requirements of Article III of the United States Constitution, as articulated in the Supreme Court’s 2013 precedent in Clapper v. Amnesty International. Under Clapper, the threat of injury must be “certainly impending” to give rise to standing. Yet after a data breach, victims may not suffer financial harm immediately. Often, they may find that their identity or financial accounts have been compromised months or years after the breach. As a result, most courts have dismissed data breach putative class actions for lack of standing.
According to the Northern District of California, however, the alleged disclosure of the plaintiffs’ nonpublic personal information, including usernames, passwords, and credit card numbers, was sufficient injury to confer standing to sue. The court found that “the threatened harm alleged here is sufficiently concrete and imminent to satisfy Clapper.”
So far, the decision’s effect is unclear. But it certainly provides additional support for plaintiffs seeking to assert claims on behalf of a class injured by a data breach. Nevertheless, the court noted that the most factually analogous case, a data breach class action in the Southern District of Ohio, reached the opposite conclusion. Given the proliferation of data heists targeting large corporations, it is likely that this important question of law will continue to develop rapidly over the coming months.