March 14, 2016

Who Can Sue after a Data Breach?

Courts disagree over whether plaintiffs whose data have not been misused have standing.

By Brittany Robbins

In 1793, Thomas Jefferson asked the Supreme Court to issue an advisory opinion addressing 29 foreign affairs issues. 13 Federal Practice and Procedure, Jurisdiction § 3529.1 (3d ed.). The Supreme Court refused to answer them, reasoning that its power was limited to cases and controversies. Supreme Court of the United States, The Court and Constitutional Interpretation (last updated Oct. 15, 2015).

Fast forward 200 years. Business torts, including data breaches, continue to raise traditional standing concerns. A plaintiff filing a data breach lawsuit in federal court must establish an injury in fact that is (1) concrete and particularized and (2) actual or imminent. The injury must be fairly traceable to the challenged action, and it must be likely the injury will be redressed by a verdict for the plaintiff. Lujan v. Defs. of Wildlife, 504 U.S. 555, 560–61 (1992); In re Google, Inc. Privacy Policy Litig., No. 5:12-cv-01382, slip op. at 8 (N.D. Cal. Dec. 3, 2012).

Companies challenging standing in data breach litigation frequently object to the harm’s “imminence.” Judges must consider whether a plaintiff’s allegations that its stolen data will be misused in the future create a non-hypothetical, or imminent, risk of harm. The Supreme Court recently held, in a case brought under the Foreign Intelligence Surveillance Act, that a “speculative chain of possibilities does not establish that injury based on potential future [harm] is certainly impending. . . .” Clapper v. Amnesty Int’l. USA, 133 S. Ct. 1138, 1150 (2013). The Supreme Court further held that plaintiffs cannot manufacture standing by expending money to protect against a speculative harm; standing arises only when the harm being defended against is imminent. Id. at 1155. Clapper represents the state of the law on standing. Courts hearing data breach cases rely on it to decide the critical standing question: whether data that have been stolen, but not yet misused, present an imminent risk of harm—namely, that the data will be misused. Courts have split in addressing that question.

What Is a Data Breach?
The phrase “data breach” is everywhere from headlines to boardroom meetings. But what is a data breach? A data breach occurs any time an unauthorized individual gains access to personally identifiable information (PII). PII is sensitive, protected, confidential data, including a person’s name, date of birth, Social Security number, driver’s license number, address, and credit card data.

How often is PII stolen? According to Verizon’s 2015 Data Breach Investigations Report, five malware events occur every second. (Malware is software that “compromises the operation of a system by performing an unauthorized function or process.” National Initiative for Cybersecurity Careers and Studies, A Glossary of Common Cybersecurity Terminology.) The risk of being hacked is palpable—major hotel chains, retailers, banks, websites, and the U.S. government have all been hacked within the past decade. According to Robert S. Mueller III, former director of the FBI, “there are only two types of companies: those that have been hacked and those that will be.”

Along with a data breach come financial consequences. Companies spend money investigating the breach, repairing compromised systems, notifying victims, providing credit monitoring services to victims, and paying legal fees. The IBM/Ponemon Institute Cost of Data Breach Study (registration required) found that data breaches, on average, cost a company $3.5 million, with each stolen record costing an average of $145. For major corporations, this number jumps exponentially—Target spent $162 million; Home Depot spent $43 million; Sony spent $15 million; and insurance covered a hefty sum more.

Finally, data breaches frequently prompt lawsuits. Defendant companies that are breached may face tort, misrepresentation, breach of contract, statutory private rights of action, and invasion of privacy claims. For example, plaintiffs may allege that a company was negligent in protecting consumer or employee data or that a company misrepresented its cybersecurity policy.

Data Breaches in the Courtroom—A Question of Standing
Some plaintiffs filing data breach lawsuits have evidence that their data were used fraudulently after the breach. Courts find this to be an actual, non-hypothetical injury that confers standing. For example, when hackers accessed information from 4.2 million credit and debit cards, and made some 1,800 unauthorized charges, the First Circuit found standing. Anderson v. Hannaford Bros., Co., 659 F.3d 151, 154, 164 (1st Cir. 2011). See also Enslin v. Coca-Cola, No. 2:14-cv-06476, 2015 WL 5729241, at *6 (E.D. Pa. Sept. 29, 2015) (finding that plaintiffs have standing when their PII has been misused because the injury is no longer abstract or hypothetical).

Some plaintiffs, however, file suit before their data have been misused. There is a split of authority over whether these plaintiffs have standing.

The majority of courts hold that plaintiffs whose data have been stolen but not misused do not have standing. The First and Third Circuits, and some district courts in the Fifth, Sixth, Eighth, Eleventh, and D.C. Circuits, require plaintiffs to show more than data theft to establish standing. Courts in these jurisdictions hold that the risk of plaintiffs’ stolen data being misused in the future, and therefore the risk of plaintiffs suffering an injury, is not imminent.

For example, Reilly v. Ceridian Corp. arose when hackers stole personal and financial information from about 27,000 people. 664 F.3d 38, 40 (3d Cir. 2011). The plaintiffs alleged that the breach increased their risk of identity theft. While no information had been misused, the complaint speculated that the hackers could access the information and intended to use it to the plaintiffs’ detriment. Id. at 42. The Third Circuit held that the plaintiffs did not have standing because their alleged injury was not imminent; rather, it was based on a hypothetical risk of harm that depended on the actions of an unknown third party. Id. See also Green v. eBay Inc., No. CIV.A. 14-1688, 2015 WL 2066531, at *4 (E.D. La. May 4, 2015) (“[I]t is well settled that a claim of injury generally is too conjectural or hypothetical to confer standing when the injury’s existence depends on the decisions of third parties[.]”) (internal citations omitted).

The plaintiffs also attempted to establish standing by arguing that they were injured because they purchased credit monitoring services. Reilly, 664 F.3d at 46. The Third Circuit disagreed. Plaintiffs cannot “prophylactically spen[d] money” to ease their fear of future harm and rely on that cost to establish standing. Id.

A minority of courts hold that a data breach itself confers standing. In contrast, the Seventh Circuit and some district courts in the Ninth Circuit have found that the risk of harm resulting from a data breach confers standing. Remijas v. Neiman Marcus Group arose out of a breach that exposed information associated with 350,000 credit cards. 794 F.3d 688, 689 (7th Cir. 2015). The plaintiffs alleged they spent time and money (1) resolving fraudulent charges and (2) protecting against future identity theft. Id. at 692. The Seventh Circuit held that the plaintiffs presented a non-speculative risk of harm that created standing. In determining that the breach presented an imminent risk of harm, the Seventh Circuit questioned why hackers would steal a consumer’s PII or identity if not to make fraudulent charges. Id. at 693. See also In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1214 (N.D. Cal. 2014) (finding an imminent risk of harm because Adobe’s network was deliberately hacked).

These courts also hold that money spent to mitigate harm from a data breach is an injury in fact. Because the plaintiffs “face a certainly impending future harm from the theft of their personal data,” the costs incurred to mitigate this future injury provide an actual harm that would also satisfy Article III standing. In re Adobe Sys., 66 F. Supp. 3d at 1217.

What This Means for Companies
Historically, companies could dismiss data breach cases with standing challenges. But today, standing challenges face judicial resistance. Accordingly, more cases may be resolved on summary judgment—courts can decide as a matter of law whether companies (1) negligently store data, (2) breach contractual duties to implement cybersecurity, and (3) misrepresent the effectiveness of their cybersecurity policies.

To prevail on summary judgment, companies must implement cybersecurity policies. Companies should draft a plan outlining how to respond to a data breach. The plan should establish a data breach response team that includes employees, outside counsel, and public relations teams. The plan should detail whom to contact upon discovering a breach. Further, it should outline how to stop the release of further documents and information.

In addition, a company must ensure its employees, from the secretarial staff to the chief executive officer, are well versed in best cybersecurity practices. Employees should refrain from opening suspicious emails and should be careful which sites they visit. They should create complex passwords and avoid writing them down. Employees should be advised against leaving movable technology unattended. And the company should invest in firewalls, encrypt data that are in motion and at rest, and continuously monitor its system for vulnerabilities.

A reasonable investment in cybersecurity may persuade a judge to dismiss a data breach lawsuit on summary judgment. Therefore, even if a case is not dismissed on standing grounds, companies may still avoid protracted litigation and excessive damages.

Keywords: litigation, business torts, data breach, standing
