September 30, 2011

KEEPING CURRENT: Claridge v. RockYou, Inc.: "Value" Inherent in Consumers' Personally Identifiable Information

Gary Zhao

Over the past decade, consumers affected by data breaches have asserted both common law and statutory claims in state and federal courts against businesses that are potentially responsible for the breaches. However, common law claims based on negligence and contractual theories generally fail to survive the pleading stage due to lack of actual damages sustained by the consumer. Because the courts are quick to dismiss these claims based on lack of actual damages, there has been little or no incentive, at least from the court system, for businesses holding personal information and/or data to adopt stronger security safeguards to protect personal information. However, in Claridge v. RockYou, Inc., 2011 U.S. Dist. LEXIS 39145 (N.D. Cal. 2011), a federal district court has recently created an exception to the general trend by allowing contract and negligence claims to survive a motion to dismiss filed by the defendant. In doing so, the RockYou court also recognized an ascertainable "value" inherent in a consumer's personally identifiable information (PII).

For affected consumers, the primary hurdle for seeking damages and other relief through the American courts has been the lack of standing to sue when the only injury to the consumer is emotional harm, increased risk of identity theft and/or future credit monitoring costs. Absent evidence that breach resulted in actual injury, the courts have generally found the potential risk of future identity theft, or the mitigation of that risk, does not satisfy the "injury in fact" requirement imposed by Article III of the United States Constitution. Other courts have dismissed data breach claims as a matter of law for various other reasons, all of which also relate to the speculative nature of the injury or the lack of actual damages. Regardless of the specific language or reasoning, courts have been unwilling to assign value or allow for damages related to PII which resulted in large numbers of dismissals at the pleading stage.

Resnick v. AvMed is a good recent illustration the types of unsuccessful claims brought in data breach cases and the reasoning relied upon by the court in denying the relief sought. In Resnick, laptops containing unencrypted medical and personal information for over one million individuals were stolen. The affected individuals brought suit alleging (1) negligence; (2) breach of contract; (3) breach of implied contracts; (4) restitution/unjust enrichment; (5) violation of a state consumer fraud and deceptive trade practices statute; (6) negligence per se; (7) breach of fiduciary duty; (8) breach of implied covenant of good faith and fair dealing; and (9) invasion of privacy. The defendant brought a motion to dismiss based on the plaintiffs' failure to state a cognizable injury. After quoting the Seventh Circuit Court of Appeal's decision in Pisciotta, 499 F.3d at 639-40 ("Without more than allegations of increased risk of future identity theft, the plaintiffs have not suffered a harm that the law is prepared to remedy") and noting similar judicial treatment of such cases, the court dismissed all nine claims. The court found that the complaint alleged nothing more than a "mere specter of injury: a heightened likelihood of identity theft."

Claridge v. RockYou , however, reached a different result with respect to PII. The defendant, RockYou, is a company that develops and publishes online applications for social networking sites. Customers sign up by providing a valid email address and registration password, which RockYou then stores in its database. Many customers are also required to provide their Facebook or MySpace usernames and passwords in order to use RockYou's applications. Although RockYou promised on its website that it used "commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of your personal information," the company did not use encryption to prevent hackers from "easily" accessing users' PII. The failure to encrypt this information had led to the publication of the contents of RockYou's database on underground hacker forums.

The plaintiff filed a putative class action suit against RockYou alleging a plethora of statutory and common law claims. The first amended complaint also alleged that plaintiffs' user information has inherent value. The so called "value" is created when advertisers are attracted to RockYou's platform because it has access to user's personal information.

The attorneys for RockYou brought a motion seeking to dismiss all of the class plaintiffs' claims, particularly, the common law contract and negligence claims, based on the plaintiffs' alleged failure to plead actual damages required to maintain a claim. The motion called plaintiff's theory of recovery "speculative" and "an incomprehensible theory."

In opposition to the motion to dismiss, the plaintiffs' mainly argued that the class "paid" RockYou for products and services that they "buy" from the defendant by providing their personally identifiable information, here, e-mail accounts and social network logins. Thus, the plaintiffs argued that their PII represented "valuable property" that was exchanged "not only for defendant's products and services, but also in exchange for defendant's promise to employ commercially reasonable methods to safeguard the PII that is exchanged." The named plaintiff further argued that he has already suffered an injury in fact because of RockYou's failure to secure his PII, which itself is his personal property. The plaintiff's counsel conceded in his brief that their theory on damages is a novel one and supporting authority for it is scarce.

Though the court dismissed most of the plaintiffs' statutory claims and some its state law claims, it denied RockYou's motion to dismiss with respect to the common law contract and the negligence claims. The court noted, "At the present pleading stage, plaintiff has sufficiently alleged a general basis for harm by alleging that the breach of his PII has caused him to lose some ascertainable but unidentified "value" and/or property right inherent in the PII."

Although the court declined to hold at this juncture that, as a matter of law, "plaintiff has failed to allege an injury in fact sufficient to support Article III standing," the court emphasized that it "has doubts about the plaintiff's ultimate ability to prove his damages theory in this case." It is unclear, at this moment, whether the complaint will survive summary judgment or another dispositive motion by defendant RockYou. It is also unclear as to whether the "value" recognition in RockYou will be adopted by other courts in class action data breach litigation if defendant's business platform is different from that of RockYou.

It should be noted that less than a month after the RockYou ruling, a class action lawsuit has been filed against Sony in the Northern District of California on behalf of potentially 12.3 million users who had their credit card numbers stolen off of its Playstation network. It remains to be seen whether RockYou has any impact on the Sony class action. One online commentator, David Navetta, has already noted the RockYou case "may be a sign of an evolving judicial atmosphere and approach concerning data breach lawsuits." Federal Court Affirms Damages in RockYou Data Breach, InfoSec, April 29, 2011, www.infosecisland.com/blogview/13314-Federal-Court-Affirms-Damages-in-RockYou-Data-Breach.html. Another noted that many plaintiffs' attorneys believe that there will be damages, and the awards will continue to grow. A privacy class actions attorney predicted, "The breaches will become more spectacular in the future." Data Breach Suits Grow, But Damages Hard to Prove, Business Insurance, May 12, 2011, www.businessinsurance.com/article/20110512/NEWS01/110519979.

In conclusion, even with the court's cautionary language, the RockYou decision should not be dismissed by businesses that hold and/or transact personal information/data. The RockYou breach resulted in part due to lack of encryption of the PII. By allowing data breach claims to survive at the motion to dismiss stage, the RockYou court has increased the chance a defendant business being held liable for damages due to data breach. There are also additional legal fees and costs associated with written and oral discovery, and preparation of dispositive motions. The RockYou decision may incentivize and encourage relevant businesses to further invest in stronger and tougher security measures to reduce security breaches.

Additional Resources

Absent evidence that breach resulted in actual injury, the courts have generally found the potential risk of future identity theft, or the mitigation of that risk, does not satisfy the "injury in fact" requirement imposed by Article III of the United States Constitution. See, e.g.,:

Resnick v. AvMed, Inc. , 2011 U.S. Dist. LEXIS 36686 (S.D. Fla. 2011); Hammond v. The Bank of New York Mello Corp., 2010 U.S. Dist. LEXIS 71996; Randolph v. ING Life Ins. & Annuity Co., 486 F. Supp 2d 1 (D.D.C. 2007); Bell v. Acxiom Corp ., 2006 U.S. Dist. LEXIS 72477 (E.D. Ark. 2006); Amburgy v. Express Scripts, Inc. , 671 F. Supp. 2d 1046 (E.D. Mo. 2009); Giordano v. Wachovia Sec. , LLC, 2006 U.S. Dist. LEXIS 52266 (D.N.J. 2006); Key v. DSW, Inc. , 454 F. Supp. 2d 684 (S.D. Ohio 2006).

Other courts have dismissed data breach claims as a matter of law for various other reasons, all of which also relate to the speculative nature of the injury or the lack of actual damages. See, e.g.,:

Cherny v. Emigrant Bank , 604 F. Supp. 2d 605 (S.D.N.Y. 2009) (no actual injury or damages alleged); Caudle v. Towers, Perrin, Forster & Crosby, Inc., 580 F. Supp. 2d 273 (S.D.N.Y. 2008) and Shafran v. Harley-Davidson, 2008 U.S. Dist. LEXIS 22494 (S.D.N.Y. 2008) (both holding that the plaintiffs have not suffered a harm that the law was prepared to remedy); McLoughlin v. People's United Bank, Inc., 2009 U.S. Dist. LEXIS 78065 (D. Conn. 2009) and Belle Chasse Auto. Care, Inc. v. Advanced Auto Parts, Inc., 2009 U.S. Dist. LEXIS 25084 (E.D. La. 2009) (both holding that plaintiffs have not stated a claim upon which relief can be granted); Melacon v. La. Office of Student Fin. Assistance, 567 F. Supp. 2d 873 (E.D. La. 2008) and Kahle v. Litton Loan Servicing LP, 486 F. Supp. 2d 705 (S.D. Ohio 2007) (both holding that such damages are purely speculative and don't amount to actual losses); Forbes v. Wells Fargo Bank, N.A., 420 F. Supp. 2d 1018 (D. Minn. 2006) (alleged injuries are "solely the result of a perceived risk of future harm").

Gary Zhao

Gary Zhao is a partner with SmithAmundsen LLC in its Chicago office where he practices complex commercial litigation. The author thanks Jason Mayer, a summer associate at SmithAmundsen LLC, for his work in helping to research and summarize the cases and edit this article.