One of the most common and effective defenses raised by privacy class action defendants has been lack of standing. Federal courts have jurisdiction over cases only when the plaintiff has standing to sue. Therefore, courts will dismiss a case when the plaintiff does not meet the requirements for standing. For standing to exist, the plaintiffs’ injury must be “concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.”1 In other words, the plaintiff must have suffered some actual harm, or face an imminent risk of suffering a concrete injury. Frequently, class action plaintiffs have been unable to establish standing based on alleged injuries from the unauthorized exposure of personal information. The recent U.S. Supreme Court case of Clapper v. Amnesty International USA2 may have strengthened the standing shield for defendants even more.
Plaintiffs Are Asserting Creative Injuries in Privacy Class Actions
In an effort to establish standing, plaintiffs often assert creative and sometimes theoretical injuries that allegedly resulted from an entity’s exposure of information about them. For example, plaintiffs have alleged harm based on the loss of control over or value of the disclosed personal information, fear that data will be used against their interests, embarrassment of the disclosure, the cost of identity-theft protection, and the replacement cost of mobile devices purportedly involved in the data compromise. Federal courts have largely rejected these supposed injuries and dismissed claims asserted following a data-breach incident for lack of standing. However, some courts have allowed the cases to proceed.3
Clapper v. Amnesty International USA: Standing Arguments
The U.S. Supreme Court recently analyzed the standing requirement in Clapper and may have made the requirement more stringent in practice. In Clapper, the plaintiffs argued that a section of the Foreign Intelligence Surveillance Act (FISA) is unconstitutional, because it allows for the government’s surveillance of sensitive and privileged conversations between the plaintiffs and individuals located outside the United States. In a 5-4 decision, the Supreme Court declined to reach the constitutional issue because it concluded that the plaintiffs lacked standing. In so holding, the Court rejected the two theories of standing asserted by the plaintiffs:
- there was “an objectively reasonable likelihood” that their communications would be intercepted pursuant to FISA in the future; and
- the risk of future surveillance under FISA was so great that the plaintiffs incurred costs to protect against such future surveillance of their international communications.
Speculative Injury Does Not Confer Standing
In considering whether the plaintiffs had standing to challenge the constitutionality of FISA, the Court first rejected the “objectively reasonable likelihood” of future injury standard proposed by the plaintiffs, which had been applied by the Second Circuit. The Court clarified that to find standing based on a threat of future harm, the “threatened injury must be certainly impending to constitute injury in fact.” Allegations of possible future injury are inadequate. The Court found that the plaintiffs failed to show any “certainly impending” harm because a series of events involving independent actors would have to occur before the government could intercept any of the plaintiffs’ international communications under FISA.
The Court acknowledged in a footnote that at times, it has found standing based on the existence of a “substantial risk” of future injury that reasonably prompts a plaintiff to incur costs to avoid or mitigate that harm. Even under the “substantial risk” test, however, the plaintiffs in Clapper did not have standing due to the attenuated chain of inferences necessary before any possible future injury. As the Court explained, “We decline to abandon our usual reluctance to endorse standing theories that rest on speculation about the decisions of independent actors.”4
Self-Imposed Costs Do Not Confer Standing Where the Future Harm Is Not Certainly Impending
The Court also rejected the plaintiffs’ theory that the costs of their preventative actions constitute present economic injury that confers standing. The Clapper plaintiffs asserted that they took costly measures to protect the confidentiality of communications and prevent government surveillance. These measures, the plaintiffs argued, constituted an injury that met standing requirements.
The Supreme Court rejected the argument and stated that plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”5 Otherwise, the Court concluded, an enterprising plaintiff would be able to secure a lower standard for standing by simply making expenditures “based on a nonparanoid fear” of speculative future harm.
The Supreme Court’s holding in Clapper that speculative future injuries and present economic expenditures based on such speculative harm are insufficient to confer standing will likely provide a valuable strengthened shield for privacy-related class action defendants.6
The alleged harm from data breaches typically involves a future harm with several links in a chain of inferences involving independent actors. For example, in cases where a hacker has accessed encrypted credit card numbers on a company’s servers, the company could argue that a long series of events would need to occur before an actual and concrete injury was “certainly impending.” Such plaintiffs would need to show:
- the hacker actually acquired the data;
- the hacker successfully decrypted the data;
- the hacker was targeting that specific type of data (e.g., the data related to the plaintiff was not obtained ancillary to an effort to obtain intellectual property, classified information, or some other payload);
- the plaintiffs’ credit card account was not closed by the credit card company; and
- any fraudulent purchases on the credit card would not be reimbursed by the credit card company.
Moreover, Clapper supports the conclusion that federal courts have generally reached, which is that the cost of identity-theft protection taken preemptively by the plaintiffs does not constitute an injury that confers standing. Plaintiffs commonly assert that they have subscribed to identity-theft protection services after learning that information about them has been compromised and claim that the cost of such service is the injury. If the chain of events that would have to occur before the plaintiff would suffer harm is too attenuated, the plaintiff’s self-imposed costs are insufficient to establish standing under Clapper. The Supreme Court made clear that plaintiffs cannot obtain standing by purchasing protections based on fears of speculative future harm, which may describe preemptively subscribing to identity-theft services based on a fear of identity theft.
In summary, Clapper will likely provide defendants with a stronger shield in privacy class action litigation. Defendants may prompt dismissal of a case by arguing that the alleged injury to the plaintiffs relies on a series of speculative events involving independent actors that is insufficient to support standing. In cases where plaintiffs allege that the costs of identity-theft protection services or other precautionary measures are the injury conferring standing, defendants can respond that plaintiffs may not self-impose costs in response to speculative future harm to obtain standing.
1 Monsanto Co. v. Geertson Seed Farms, 561 U.S. ___, 130 S.Ct. 2743, 2752 (2010).
2 Clapper v. Amnesty Int’l USA, 568 U.S. ____, 133 S. Ct. 1138 (2013).
3 E.g., Krottner v. Starbucks, 628 F.3d 1139 (9th Cir. 2010) (holding that “generalized anxiety and stress” and increased risk of future identity theft resulting from a laptop theft containing sensitive information conferred standing); Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629 (7th Cir. 2007) (holding that the plaintiffs had standing due to the threat of future harm or an increased threat of future harm after the defendant’s website was hacked, even without evidence of any data misuse or “completed direct financial loss”); Ruiz v. Gap, Inc., 622 F.Supp.2d 908 (N.D. Cal. 2009) (holding that the plaintiffs’ increased risk of identity theft following the theft of a laptop containing sensitive information conferred standing); Caudle v. Towers, Perrin, Forster & Crosby, Inc., 580 F.Supp.2d 273 (S.D.N.Y. 2008) (relying on Pisciotta to hold similarly in the case of a stolen laptop).
4 Id. at 1150.
5 Id. at 1151.
6 Sony has made this argument in its privacy class action litigation. The motion is pending before the court at the time of this writing. In re: Sony Gaming Networks and Customer Data Security Breach Litigation, No. 11-md-2258 AJB (MDD) (S.D. Cal.).