The biggest question looming over every class-action case filed in response to a data breach is: Will the plaintiffs have standing? The answer has divided courts in recent cases across the country.
Last year, the U.S. Supreme Court held in Spokeo, Inc. v. Robins that Congress cannot confer standing on plaintiffs based on a bare statutory violation alone.1 Instead, the Court held that, even where a statute has been violated, plaintiffs must show an injury-in-fact that is both concrete and particularized. Spokeo added a new layer of complexity to pleading standing in data breach cases. Previously, the Supreme Court had held in Clapper v. Amnesty International USA that “conjectural” or “hypothetical” injuries are insufficient to confer standing and that the threatened harm must be “certainly impending.”2 What Spokeo and Clapper mean in practice for data-breach cases is far from settled.
In August 2017, the U.S. Court of Appeals for the D.C. Circuit revived claims against CareFirst BlueCross BlueShield resulting from a 2015 breach. The court found that the complaint “plausibly alleges that the CareFirst data breach exposed customers’ social security and credit card numbers.”3 The court found that this data, in combination with the email addresses, names, birthdates, and subscriber numbers that were stolen, were enough to make the plaintiffs’ fear of the data being used in the future to file fraudulent medical claims “substantial.”4 The plaintiffs also argued that they spent money to lessen the risks of identity theft. While the court found that “such self-imposed risk-mitigation costs . . . do not fulfill the injury-in-fact requirement,” those costs “can satisfy the redressability requirement, when combined with a risk of future harm that is substantial enough to qualify as an injury in fact.”5
That same month, in class action litigation against Yahoo regarding the alleged breach of more than 1 billion user accounts, the U.S. District Court for the Northern District of California held that the plaintiffs’ allegations of heightened identity-theft risk and of lost value of their personal identifying information were sufficient to meet the injury-in-fact requirement for Article III standing.6 The case involves three different breaches that Yahoo allegedly suffered, but in all three, hackers allegedly had access to Yahoo account holders’ email contents—which contained personal information, including communications with banks, the IRS, and other sensitive communications—as well as “names, email addresses, telephone numbers, birthdates, passwords, and security questions of Yahoo account holders.”7 The plaintiffs also “allege[d] that the stolen data has appeared on the dark web, and has indeed remained for sale on the dark web ‘as late as March 17, 2017.’”8 In addition to finding that the plaintiffs had suffered an injury-in-fact based on the risk of misuse of their data, the court found that the data breaches caused “all Plaintiffs to suffer a loss of value of their” personal information.9 Finding that personal information “is a valuable commodity, that a market exists for [such information], [and] that [p]laintiffs’ [information] is being sold by hackers on the dark web,” the court held that the plaintiffs had suffered harm sufficient for Article III standing.10
Recent cases aren’t all good news for plaintiffs, however.
Also in August 2017, the U.S. Court of Appeals for the Eighth Circuit dismissed almost all of a class action case, on appeal from the U.S. District Court for the District of Minnesota, for lack of standing. In In re SuperValu, Inc. Customer Data Security Breach Litigation, the plaintiffs’ claims arose from two 2014 breaches in which customers’ credit card data was believed to have been stolen from SuperValu.11 Although the plaintiffs alleged that they believed illicit websites were selling their credit card information, the court found the allegations “speculative” and held that they “fail[ed] to allege any injury ‘to the plaintiff[s]’” (as opposed to injury to the plaintiffs’ credit card companies, which were spending money to mitigate the potential fraud).12 Because the breaches involved only credit card information, and not enough information to open new credit accounts, the Eighth Circuit found the plaintiffs’ pleadings of “future harm” too speculative.13 The court allowed only one named plaintiff’s claims to proceed, because he alleged that his credit card information had in fact been used fraudulently, requiring him to cancel the card. The rest of the case was dismissed.
Similarly, in September 2017, in a class action case against the U.S. government regarding the 2015 Office of Personnel Management breach—in which millions of federal employees’ and contractors’ security-clearance records and other sensitive information were stolen—the U.S. District Court for the District of Columbia found that theft of private information alone is insufficient to establish an injury-in-fact. The judge noted that the “data breach ar[ose] out of a particular sort of cyberattack against the United States, [which] differentiates it from the majority of the legal precedent that arises in the context of retail establishments or other financial entities.”14 Finding that the “usual assumptions about why the information was stolen and what is likely to be done with it in the future do not apply,” the court held that the plaintiffs failed to establish harm and therefore lacked standing.15 The case is distinguishable from cases against private companies because the cause of action asserted exists only against a government entity. Nonetheless, it shows that courts are treating breaches on a case-by-case basis and with a degree of skepticism regarding standing, even when the case concerns some of the most sensitive types of information.
Finally, in a case that cuts both ways, the Eighth Circuit dismissed a class action, but not before finding that the plaintiffs had sufficiently alleged standing by asserting a breach of contract claim.16 The defendant, Scottrade, is a securities brokerage firm based in Missouri. A 2013 breach allegedly resulted in hackers acquiring the personal identifying information of more than 4.6 million Scottrade customers, and the hackers allegedly exploited that information in various ways, including by manipulating stock prices. The court relied on its 2016 holding in Carlsen v. GameStop, Inc., where the Eighth Circuit found that when a company, as part of a contract, promises to protect personal information and then fails to do so, the other parties to the contract have suffered an injury sufficient for standing.17 In this case, Kuhns v. Scottrade, the court found that the plaintiff “alleged that he bargained for and expected protection of his [personal information], that Scottrade breached the contract when it failed to provide promised reasonable safeguards, and that [the plaintiff] suffered actual injury, the diminished value of his bargain.”18 Nevertheless, the case was dismissed because the complaint “fail[ed] to allege a specific breach of the express contract.”19 Although ultimately dismissed because of a poorly pled complaint, the case provides a clear route for plaintiffs to bring breach of contract claims rather than relying on other causes of action for which injury is harder to prove.
1 136 S. Ct. 1540 (2016).
2 568 U.S. 398 (2013).
3 Attias v. CareFirst, Inc., 865 F.3d 620, 628 (D.C. Cir. 2017).
5 Id. at 629.
6 In re Yahoo! Inc. Customer Data Sec. Breach Litig., No. 16-MD-02752-LHK, 2017 WL 3727318, at *13 (N.D. Cal. Aug. 30, 2017).
10 Id. at *14.
11 870 F.3d 763 (8th Cir. 2017).
12 Id. at 770.
13 Id. at 771.
14 In re U.S. Office of Pers. Mgmt. Data Sec. Breach Litig., ___ F. Supp. 3d ___, 2017 WL 4129193, at *2 (D.D.C. Sept. 19, 2017).
16 Kuhns v. Scottrade, Inc., 868 F.3d 711, 716 (8th Cir. 2017).
17 833 F.3d 903, 909 (8th Cir. 2016).
18 868 F.3d at 716.
19 Id. at 717.