chevron-down Created with Sketch Beta.

Business Law Today

July 2018

Emerging Legal Issues in Data Breach Class Actions

Joseph Yenouskas and Levi Swank

Summary

  • Many data breaches have spawned multi-plaintiff or class action lawsuits by customers whose PII was accessed by unauthorized third parties as a result of the breach.
  • Until recently, businesses faced modest litigation risk because most courts held that litigants lacked standing to sue in federal court, reasoning that plaintiffs had yet to suffer an injury, absent allegations that data exposure resulted in adverse consequences.
  • The law in data breach cases is unsettled, and over the next year, courts will be forced to grapple with emerging issues.
Emerging Legal Issues in Data Breach Class Actions
iStock.com/Nastco

Jump to:

Introduction

Businesses face more than reputational risk when the personally identifiable information (“PII”) of their customers is stolen during a data breach. Many data breaches have spawned multi-plaintiff or class action lawsuits by customers whose PII was accessed by unauthorized third parties as a result of the breach. But, until recently, businesses faced modest litigation risk in these cases because most courts held that litigants lacked standing to sue in federal court, reasoning that plaintiffs had yet to suffer an injury absent allegations that the exposure of their PII resulted in identity theft or unauthorized and unreimbursed charges to their financial accounts. This survey discusses new developments in the law of standing in data breach cases, as well as decisions about the viability of legal claims. Currently, the law is sharply divided, and it is likely to remain so for the foreseeable future.

Article III Standing for Data Breach Cases

Background

The recent evolution in case law concerning the standing of plaintiffs in data breach litigation is the outgrowth of two U.S. Supreme Court decisions that established the framework for analyzing Article III’s “injury-in-fact” requirement. In Clapper v. Amnesty International USA, the Supreme Court held that the plaintiffs’ fear that their private communications might be intercepted by government surveillance programs was not an injury in fact because any “threatened injury must be certainly impending to constitute injury in fact,” and “allegations of pos-sible future injury are not sufficient.” The plaintiffs’ injury was “too speculative” because its occurrence “relie[d] on a highly attenuated chain of possibilities” that “the Government [would] imminently target communications to which [they were] parties.” Nor were “measures that they have undertaken to avoid . . . surveillance” an injury; “otherwise, an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear.” Yet, the Clapper Court cautioned that its cases have “not uniformly require[d] plaintiffs to demonstrate that it is literally certain that the harms they identify will come about,” provided there is “a ‘substantial risk’ that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm.

In Spokeo, Inc. v. Robins, the Court reiterated that the injury-in-fact requirement “does not mean [] that the risk of real harm cannot satisfy that requirement.” The Spokeo Court held that an alleged Fair Credit Reporting Act (“FCRA”) violation did not, ipso facto, confer standing because “a bare procedural violation, divorced from any concrete harm,” does not “satisfy the injury-in-fact requirement of Article III.” It explained that “[i]n determining whether an intangible harm constitutes injury in fact,” two considerations were important: “whether an alleged intangible harm has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts”; and “because Congress is well positioned to identify intangible harms that meet minimum Article III requirements, its judgment is also instructive and important.”The Spokeo Court re-manded the case to the Ninth Circuit to determine “whether the particular procedural violations alleged in this case entail a degree of risk sufficient to meet the concreteness requirement.”

Recent Developments

In most data breach cases, the alleged injury resulting from the unauthorized access of PII is the increased risk of identity theft and concomitant expenses associated with mitigating that risk. The courts have reached differing conclusions depending on whether actual identity theft has occurred and whether such an occurrence is found to be a prerequisite for standing.

In Lewert v. P.F. Chang’s China Bistro, Inc., for example, the Seventh Circuit held that theft of debit and credit card information conferred standing to sue. One plaintiff incurred four fraudulent transactions on his debit card, and there-after purchased credit monitoring services, and while the other plaintiff “did not spot any fraudulent charges on his card, nor did he cancel his card and suffer the associated inconvenient or costs,” he alleged that he “spent time and effort monitoring his card statements and his credit report.” The court held that the injuries alleged were sufficient. First, “the increased risk of fraudulent charges and identity theft” was “concrete enough to support a lawsuit” “because [plaintiffs’] data has already been stolen. Second, the plaintiffs alleged “time and effort” resolving fraudulent charges and other “measures to mitigate [their] risk. P.F. Chang’s argued that the data breach “posed a risk only of fraudulent charges to affected cards, not of identity theft,” but the court refused to dismiss the case for lack of standing based on “a factual assumption that has yet to be tested.

In contrast, a Colorado federal court dismissed a case for this very reason in Engl v. National Grocers by Vitamin Cottage, Inc. Because the “card issuer identified the fraudulent activity on his account and unilaterally exonerated [plaintiff] of responsibility for the fraudulent charges” and then “closed the account associated with the stolen card number,” the Engl court concluded that he “brought [his] exposure to any future harm from the [] data breach to an end.

In Welborn v. Internal Revenue Service, a District of Columbia district court held that the plaintiffs alleged an injury in fact arising from a data breach of an online tool used by the Internal Revenue Service (“IRS”) to provide prior-year tax returns to taxpayers because two plaintiffs “allege[d] that they have suffered actual identity theft when someone filed false tax returns (and claimed fraudulent refunds) in their names,” and the third plaintiff “has been the victim of at least two occasions of fraudulent activity in her financial accounts, one of which resulted in the removal of funds from a personal financial account, which occurred after the IRS data breach.” But the plaintiffs’ allegation “that they suffer an increased threat of future identity theft and fraud” was “entirely speculative and depends on the decisions and actions of one or more independent, and unidentified, actor(s), and the risk of such harm occurring was not “imminent harm that is ‘certainly impending.’” Other injuries the court found too speculative were “general anxiety,” the “diminished value of their PII,” and “time and money spent monitoring and assessing the potential risk of future harm.

While each plaintiff in Wellborn alleged an injury, the court observed that the second element of standing, causation, required plaintiffs to “put forward facts showing that their injuries can be traced to the specific data incident of which they complain and not to any previous theft or data loss incident.” One plaintiff did not allege that his injury was “fairly traceable” to the IRS’s conduct because he “simply allege[d] that the alleged financial fraud happened after the [] breach. The court found that the other two plaintiffs alleged a sufficient causal connection to their injuries because they “alleged sufficient facts that, if proved, would tend to show that the information used in the fraudulent tax re-turn was of the same type that was stolen.”

The Third Circuit held in In re Horizon Services Inc. Data Breach Litigation that the plaintiffs, whose PII was contained on stolen laptops, sufficiently alleged an injury in fact even though “none of them had [ ] alleged that the information was actually used to their detriment. The plaintiffs alleged injury based on both an “increased risk of harm from identity theft, identity fraud, and medical fraud” and “the violation of their statutory rights under FCRA.” Rather than decide whether the plaintiffs had alleged a non-speculative risk of future injury as required by Clapper, the court “conclude[d] that they have standing due to Horizon’s alleged violation of FCRA.”The Horizon Services court reasoned that, while the court’s “pronouncements in this area have not been entirely con-sistent,” “in some circumstances, [ ] the breach of a statute is enough to cause a cognizable injury—even without economic or other tangible harm. It held that “[i]n light of the congressional decision to create a remedy for the unauthorized transfer of personal information, a violation of FCRA gives rise to an injury sufficient for Article III standing purposes. Even without evidence that the Plaintiffs’ information was in fact used improperly, the alleged disclosure of their personal information created a de facto injury.” While, under Spokeo, “there are some circumstances where the mere technical violation of a procedural requirement of a statute cannot, in and of itself, constitute an injury in fact,” the Third Circuit found that “[p]laintiffs here do not allege a mere technical or procedural violation of FCRA. They allege instead the unauthorized dissemination of their own private information—the very injury that FCRA is intended to prevent.”

In Beck v. McDonald, the Fourth Circuit affirmed the dismissal of the Privacy Act and Administrative Procedure Act claims arising from the theft of laptops containing patient records from a Veterans Affairs hospital. The plaintiffs alleged two injuries: “(i) the increased risk of future identity theft, and (ii) the costs of protecting against the same. The Beck court noted that its “sister cir-cuits are divided on whether a plaintiff may establish an Article III injury-in-fact based on an increased risk of future identity theft,” but that where courts rec-ognized such injuries, the plaintiffs’ allegations “sufficed to push the threatened injury of future identity theft beyond the speculative to the sufficiently imminent” because in those cases “the data thief intentionally targeted the personal information compromised in the data breaches.” The Beck plaintiffs, however, “have uncovered no evidence that the information contained on the stolen laptop has been accessed or misused or that they have suffered identity theft, nor, for that matter, that the thief stole the laptop with the intent to steal their private information. The court also rejected the plaintiffs’ contention that there was a “substantial risk” of harm occurring, even accepting as true plaintiffs’ allegation that “33% of health-related data breaches result in identity theft. Because the risk was speculative, the cost of protecting against future identity theft also did not confer standing as the harm resulting from such efforts was “self-imposed.” Notably, the Beck court distinguished Horizon Services, where the Third Circuit found standing even though there was no allegation that plaintiffs’ PII had been accessed, because their injury was “the very injury that FCRA is intended to prevent”; whereas in Beck, “[p]laintiffs do not allege that [defendant’s] violations of the Privacy Act alone constitute an Article III injury-in-fact.”41

In Galaria v. Nationwide Mutual Insurance Co., the Sixth Circuit held that the plaintiffs had standing to sue even though none of them pled unauthorized charges or identity theft. The plaintiffs’ allegations amounted to a “substantial risk of harm” because, “[w]here a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for [] fraudulent purposes.” This inference was confirmed by the defendant’s actions: “Nationwide seems to recognize the severity of the risk, given its offer to provide credit-monitoring and identity-theft protection for a full year.” The Galaria court’s finding that the plaintiffs faced “a substantial risk of harm” meant that they “expend[ed] time and money to monitor their credit, check their bank statements, and modify their financial accounts,” which constituted an injury because “it would be unreasonable to expect Plaintiffs to wait for actual misuse—a fraudulent charge on a credit card, for example—before taking steps to ensure their own personal and financial security, particularly when Nationwide recommended taking these steps.”

The Galaria court also addressed whether the plaintiffs satisfied Article III’s causation requirement. The majority of the court held that the plaintiffs’ allegations met the “fairly traceable” requirement for standing because plaintiffs alleged that “the hackers were able to access Plaintiffs’ data only because Nationwide allegedly failed to secure the sensitive personal information entrusted to its custody.

In Whalen v. Michaels Stores, Inc., the Second Circuit affirmed dismissal of claims for breach of implied contract and under the New York General Business Law based on a data breach at Michaels. The plaintiff alleged that at some point after the data breach, her credit card “was physically presented for payment” on two occasions by an unauthorized third party. Just like the plaintiff in Engl, however, the Whalen plaintiff did not allege that she incurred any fraudulent charges that she was liable to pay, because her credit card company removed the charges and deactivated her account. The Whalen court concluded that the plaintiff’s alleged injury failed the Clapper test because “she never was either asked to pay, nor did pay, any fraudulent charge. Because her credit card was canceled “and no other personally identifying information—such as her birth date or Social Security number—is alleged to have been stolen,” the court reasoned that the plaintiff “does not allege how she can plausibly face a threat of future fraud.” It rejected the plaintiff’s mitigation allegations as conclusory because she “pleaded no specifics about any time or effort that she herself has spent monitoring her credit.”

While the nature of the breach in Whalen distinguished the case from Galaria, where a broader array of PII was accessed, Whalen is more difficult to reconcile with the Seventh Circuit’s Lewert decision, where the only information obtained by hackers was the plaintiffs’ debit card numbers, and yet the court still held that plaintiffs faced a substantial risk of future injury.

Viability of Data Breach Claims on the Merits

Even if the plaintiffs survive standing challenges in data breach litigation, no federal statute provides a remedy to victims of a data breach, and plaintiffs have been mostly unsuccessful in mooring their claims to other federal statutes, such as the FCRA. Courts have been more receptive to claims under state statutes and the common law, although the outcomes at the pleadings stage vary widely. For instance, in In re Experian Data Breach Litigation, a California federal district court granted in part and denied in part Experian’s motion to dismiss claims arising from the theft of PII stored on Experian’s servers. The court dismissed the plaintiffs’ FCRA claims because Experian did not “furnish” a “consumer report” in violation of the FCRA. Plaintiffs’ New York, Illinois, Ohio, and California negligence claims survived, however, even as to the one plaintiff who was reim-bursed for unauthorized credit card charges. The court held that “[e]ven if, as Defendants argue, a risk of future identity theft isn’t a properly pleaded damage, the complaint also alleges that Plaintiffs have suffered damages by taking measures to both ‘deter’ and ‘detect’ identity theft.” These damages included both unreimbursed credit monitoring expenses and hours spent “addressing issues arising from the Data Breach. The court concluded that “[t]he time that Plaintiffs have allegedly spent addressing issues caused by the data breach” stated a claim for damages.”

Some claims against Experian under state consumer protection statutes also survived. The plaintiffs successfully alleged a violation of New York’s deceptive trade practices act on the basis that “Experian . . . misrepresented that it would comply with the requirements of relevant federal and state laws pertaining to the privacy and security of” the plaintiffs’ data. The court also held that the plaintiffs stated claims under the “unfair” or “unlawful” prongs of California’s Consumers Legal Remedies Act and Unfair Competition Law.

In In re Premera Blue Cross Customers Data Security Breach Litigation, an Oregon district court held that plaintiffs whose PII was exposed by a data breach of Premera’s computer network could proceed to the merits on their fraud- and contract-based claims. The plaintiffs’ fraud claims under the common law and Oregon consumer protection statutes were based on statements in Premera’s policy booklets, a privacy notice provided to Premera’s members, and the company’s code of conduct posted on its website. The Premera court held that guarantees contained in these documents, such as “[w]e protect your privacy by making sure your information stays confidential,” and aspirational statements concerning “prevent[ing] unauthorized access” had “the capacity to deceive if, as Plaintiffs allege, Premera did not provide adequate data security.” Because “[a] reasonable person, reading these statements, would believe that Premera provides reasonable and adequate data security,” the court held that plaintiffs alleged an affirmative misrepresentation claim.

While the Premera court held that the plaintiffs failed to allege any active misrepresentation, their amended pleadings adequately alleged fraud by omission because “Premera should have disclosed that it did not implement industry standard access controls, did not fix known vulnerabilities in its electronic security protocols, failed to protect against reasonably anticipated threats, and otherwise did not comport with its assurances regarding protecting information.”

The Premera court also held that the plaintiffs’ express contract claims survived, except as to claims based on statements in Premera’s code of conduct, which “are not guarantees but are expressions of corporate optimism” rather than “enforceable promises.” The plaintiffs further alleged that these documents contained “implied terms requiring Premera to implement data security adequate to safeguard and protect the confidentiality of their [] [i]nformation.”The court held that such a claim was viable under Oregon law, but that Washington law required a finding of “legal necessity” before a term would be implied into a contract, and the court “decline[d] to imply a term into the parties’ contracts that would require adequate data security measures be taken

Finally, as to plaintiffs who were not policyholders of Premera but “whose [PII] came into Premera’s possession without any relationship between the parties,” the court rejected the plaintiffs’ alternative argument, that Premera breached an “implied-in-fact contract[] for the provision of data security.” The complaint failed to “allege facts that plausibly suggest that Plaintiffs other than the Policy-holder Plaintiffs gave information to Premera,” nor were there sufficient allegations of the elements of a contract with plaintiffs who were Premera policyholders. In an earlier opinion dismissing certain allegations, the court held that the plaintiffs adequately alleged unjust enrichment based on payments they made to Premera.

In Fero v. Excellus Health Plan, Inc., classes of California, Florida, Indiana, North Carolina, New Jersey, New York, and Pennsylvania customers, federal employee enrollees, and medical providers alleged ten causes of action, including common law negligence and contract claims, and violations of state privacy and consumer protection statutes, arising from a data breach that exposed their PII. The plaintiffs alleged that false tax returns were filed in their names, that they were the victims of identity theft, had fraudulent credit or debit card charges, that they spent money to remediate the breach, and that they spent time mitigating their losses or protecting against future identity theft and were at risk of identity theft in the future. The Fero court held that plaintiffs who “alleged increased risk of harm, unaccompanied by any concrete misuses of their stolen information,” lacked standing because “none allege any facts indicat-ing that the hackers have misused their personal information since the data breach occurred, or that any other suspicious activity has occurred in the three years since.” Rather, “the alleged injuries rely on a chain of possibilities about the actions of independent actors.” The court also held that causes of action under state statutes did not confer standing because, under Spokeo, “Article III standing requires a concrete injury even in the context of a statutory violation.”

The Fero court held that the plaintiffs whose PII had been misused both had standing and stated a claim under certain state common law causes of action and statutes. Plaintiffs’ contract-based claims were premised on Excellus’s privacy policy, which was incorporated by reference into their contracts. The court denied Excellus’s motion to dismiss those claims, noting that “the statements from the privacy policies identified by Plaintiffs plausibly could be read to reflect a definite promise by Excellus to maintain the security of the personal information that it collected and stored on its networks.” But the court dismissed the federal employee plaintiffs’ third-party beneficiary claim, noting that nothing in the contracts evidenced an intent to confer enforcement rights on the insured plaintiffs. The court also dismissed the plaintiffs’ negligent misrepresentation claims, both because the plaintiffs failed to allege reliance, since “Plaintiffs have failed to allege with any particularity that they actually read or saw the notices concerning privacy policies and practices,” and because no facts “suggest that Plaintiffs have a relationship with [Excellus] that is unique or differs from that of a reasonable consumer.

Many state statutory claims also survived in Fero. Under the New York prohi-bition of deceptive acts or practices, the court reasoned that “it is at least plausible that the [defendants’] representations in their privacy policies and on their web-sites concerning data security (catalogued above) would lead a reasonable consumer to believe that the [defendants] were providing more adequate data security than they purportedly were,” and that “the [defendants] failure to disclose the purportedly inadequate data security measures would mislead a reasonable consumer.” The court dismissed the plaintiffs’ California Customer Records Act claims because that law does not apply to a “health care service plan.” Finally, the New Jersey Insurance Information Practices Act and the North Carolina Consumer and Customer Information Privacy Act prohibit the “disclosure” of certain PII. But the court distinguished “disclosure” from “theft,” finding that “the struc-ture of both [statutes] support[s] the conclusion that disclosure does not encom-pass a theft” and, therefore, dismissed these claims.

In USAA Federal Savings Bank v. PLS Financial Services, Inc., an Illinois district court dismissed state negligence and consumer fraud claims brought by USAA after millions of dollars in counterfeit checks were drawn on the bank’s accounts following a data breach at a check cashing and payday lending company. USAA claimed that PLS breached its duty to USAA “of safeguarding allegedly confidential financial information” of customers. The court explained, however, that because “Illinois does not recognize a common law duty to safeguard personal information, USAA cannot establish its claim for negligence against PLS.” The court also dismissed USAA’s claim under the Illinois Consumer Fraud Act, refus-ing to “infer from the allegations of the first amended complaint that the allegedly unfair conduct occurred in Illinois . . . where no allegations suggest that the breach occurred in Illinois or affected Illinois residents.”

Conclusion

The law in data breach cases is unsettled, and over the next year, courts will be forced to grapple with two emerging questions. First, as data breaches become larger and more frequent, and plaintiffs’ PII is stolen through multiple, sepa-rate data breaches, how plaintiffs have suffered an injury, and whether that injury is fairly traceable to the actions of any specific defendant, is less apparent. Second, existing case law is largely based on the assumption that hackers steal PII for financial gain, even though hackers are increasingly motivated by non-commercial ends, such as activism, blackmail, or espionage. Courts may be forced to reevaluate their framework for analyzing standing where identity theft is not the plausible goal of the data breach.

The statements and views expressed in this survey are solely those of the authors, not those of their firm or its clients; accordingly, none of the views or statements should be attributed to their firm or any of its clients, or construed as a comment on non-public as-pects of cases that are discussed herein

    Authors