The recent data breaches at Target, Home Depot, and Jimmy John’s have kept data privacy and security in the news lately. But from a legal perspective, there has never been much that the victims of these breaches could do to obtain a remedy in the absence of actual proof of identity or other theft. Indeed, ever since the U.S. Supreme Court decision in Clapper v. Amnesty International, it has been clear that the mere potential for future injury is insufficient to confer standing on a data breach victim to sue. Instead, the plaintiff must prove that injury is “certainly impending,” a standard that was thought to rule out class action lawsuits arising out of data breaches.
Except in California. Bucking the trend for dismissing class actions resulting from data breaches, a federal court in the Northern District of California in In re Adobe Systems, Inc. Privacy Litigation recently denied a motion seeking dismissal based on a lack of standing. The Adobe litigation arose out of a 2013 hacking that caused a data breach that compromised customer debit and credit card numbers and other personal information. In addition to claims brought under California statutory law, the plaintiff customers, like most of the plaintiffs in other data breach class actions, alleged damages as a result of an increased risk of future harm by identity theft and the cost of mitigating that harm. (The plaintiffs also alleged that they suffered economic injury in the form of lost value of the Adobe products that they paid for, but the court found it unnecessary to address that issue.) Contrary to every other post-Clapper court that has addressed this issue – with the exception of the Southern District of California Court in In re Sony Gaming Networks & Customer Data Security Breach Litigation – the Adobe Court found that the plaintiffs had stated a sufficient claim to establish standing to sue.
First, the court found that the plaintiffs’ complaint contained sufficient allegations of threatened harm to show that injury was “certainly impending.” Specifically, the court noted that “the risk that Plaintiffs’ personal data will be misused by the hackers who breached Adobe’s network is immediate and very real” in that the data was targeted by hackers and that some of it had been decrypted using Adobe’s own systems. The court also recognized that the Plaintiff’s complaint alleged that some of their stolen personal information had already surfaced on the Internet. Under these circumstances, the court stated that “the threatened injury here could be more imminent only if Plaintiffs could allege that their stolen personal information had already been misused. The court found a similar Ohio federal court decision unpersuasive in finding that the potential for injury resulting from a data breach caused by a computer hacking was not “certainly impending.”
Second, the court found that the costs incurred by two of the named plaintiffs to pay for data monitoring services constituted an injury-in-fact. The court found the expenses to be “fairly traceable” to Adobe’s failure to maintain reasonable security measures and that their purchase of data monitoring services would redress their harm.
Hopefully, the Adobe and Sony decisions will not be exported outside of California, but in case they are, here are the takeaways that I see for employers:
A company’s workers can be either the strongest or weakest link in any company’s data security program, they can be the key to avoiding having to respond to these lawsuits. The Home Depot data breach reportedly occurred after employee concerns about the strength of the company’s cybersecurity were ignored by management. A data breach last year at Vodafone was said to have been an inside job. And let’s not forget about all of the potential data breaches that may occur because employees don’t understand how to identify phishing and other social engineering exploits. Outsourcing certain business functions likewise may not help avoid data breaches. The Target breach resulted from the hacking of Target’s HVAC vendor. Human resources departments are now at greater risk than ever of being the targets of data breaches, particularly as employers begin to embrace big data for employee selection and placement. The data breach at the University of Pittsburgh Medical Center this past spring resulted from a breach of its payroll system, which exposed the personal information of approximately 62,000 employees. A lawsuit is pending against UPMC and its software vendor. Recognition that human resources data networks may be vulnerable to hacking likewise will go a long way towards avoiding these lawsuits. Finally, employers need to remember that their human resources and customer data is not vulnerable to just computer hacking. Sloppy policies and procedures and the lack of enforcement of reasonable policies relating to laptops, mobile devices and portable media also contribute heavily to data breaches. Close any gaps now.