As the volume of data generated by our increasingly digitized lives expands and proliferates, so do efforts to steal the data. Criminals particularly target the kind of information that facilitates identity theft, like credit card, bank account, Social Security, and driver’s license numbers. Any significant data breach in which this kind of data is stolen or otherwise disclosed will result in a class action, sometimes several of them. But the reality is that not all data breach incidents result in identity theft, and for various reasons, some produce no quantifiable harm at all.
The absence of quantifiable harm resulting from a data breach, or at least the failure to sufficiently allege such harm, inevitably leads to a challenge to the plaintiff’s Article III standing to sue. Article III, of course, limits the power of federal courts to “Cases” and “Controversies,” which means a plaintiff must have standing, or the power “to maintain a lawsuit in federal court to seek redress for a legal wrong.” Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016). Standing exists if a plaintiff has (1) suffered an “injury in fact” (2) that is “fairly traceable” to the defendant’s conduct and (3) that is likely to be remedied by a favorable ruling. Id.
Data breach cases usually focus on the injury-in-fact requirement. To prove injury in fact, a plaintiff must establish “an invasion of a legally protected interest” that is “concrete and particularized” and “actual or imminent, not conjectural or hypothetical.” Lujan v. Defs. of Wildlife, 504 U.S. 555, 559–60 (1992). A potential future injury may qualify as an injury in fact where there is “a ‘substantial risk’ that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm.” Clapper v. Amnesty Int’l USA, 568 U.S. 398, 414 n.5 (2013).
Federal district and circuit courts have been less than uniform in their treatment of these issues. This well-documented divergence may be as much a function of the facts specific to particular matters as of a general jurisprudential approach to standing. Still, it is fairly accurate, and certainly convenient, to say that the issue breaks down, on one side, to a belief that the theft or involuntary disclosure of personal information is inherently harmful because it presents the risk of future identity theft (which is why the information was stolen in the first place) and, on the other side, to the view that there can be no remediable harm, and thus no “injury in fact,” in the absence of actual identity theft or at least measurable efforts to respond to the breach (because a plaintiff cannot recover damages for a purely harmless or fully mitigated data breach).
This overly simplified description played out in the Ninth Circuit’s recent decision in In re Zappos.com, Inc., 884 F.3d 893 (9th Cir. 2018). Hackers allegedly stole the personal data (names, debit and credit card information, etc.) of more than 24 million Zappos customers. Class actions filed by several customers around the country were consolidated for pretrial proceedings in the District of Nevada. The district court ruled that plaintiffs who alleged they suffered financial loss from the breach had standing but plaintiffs who did not allege such harm lacked standing.
Zappos urged the Ninth Circuit to affirm the district court in part on the basis of the Supreme Court’s holding in Clapper that “an objectively reasonable likelihood” of injury was insufficient to establish standing and that a plaintiff must “satisfy the well-established requirement that threatened injury must be ‘certainly impending.’” Clapper, 586 U.S. at 401. The Ninth Circuit looked to other cases indicating that standing may be premised on the “substantial risk” that harm might occur in the future, and the court held that the plaintiffs had sufficiently alleged a substantial risk of identity theft by alleging that their data were of the type used by hackers to commit identity theft and that some plaintiffs had already suffered that fate. Zappos, 884 F.3d at 898.
Those hoping that Zappos will spur the Supreme Court to introduce some needed clarity should know that, just two weeks after Zappos was decided, the Court denied certiorari in a case raising virtually the same standing issue. Attias v. Carefirst, Inc., 865 F.3d 620 (D.C. Cir. 2017), cert. denied, 138 S. Ct. 981 (2018). As in Zappos, the plaintiffs in Attias alleged that the defendant’s negligence allowed the theft of personal information of the kind that can be used to commit identity theft and that the information was stolen for precisely that purpose. The District of Columbia Circuit, like the Ninth Circuit in Zappos, found those allegations sufficient to establish a substantial risk of future injury. While the Supreme Court’s denial of certiorari in Attias has no independent value, it seems unlikely that a certiorari petition in Zappos would present a materially different question for review.
Does Zappos close the door on standing challenges in the Ninth Circuit? A better question might be whether a defendant has any other options for addressing the unharmed class member problem that Zappos and decisions like it appear to invite. A footnote in the Ninth Circuit’s decision points to one avenue of relief. The Ninth Circuit noted that its arguably lenient approach to standing was driven in part by the relatively low bar plaintiffs face at the pleading stage and that the plaintiffs would eventually have to produce evidence supporting their allegations of harm or face summary judgment. Zappos, 884 F.3d at 899 n.11. This may be cold comfort, given the court’s view of the nature of harm in a data breach case. But at least it indicates that the Ninth Circuit will not allow the claims of unharmed class members to proceed to a class-wide trial.
In this regard, the Ninth Circuit’s comments echo those of Chief Justice Roberts in his concurrence in Tyson, in which he pointed out that Article III does not give federal courts the power to order relief to any uninjured plaintiff, class action or not. Tyson Foods, Inc. v. Bouaphakeo, 136 S. Ct. 1036, 1053 (2016) (Roberts, C.J., concurring). It is tempting to view this remark as a suggestion that certification itself depends on an affirmative showing that all class members possess the same standing as the class representative. But the Supreme Court arguably ended the issue in Spokeo, writing that “named plaintiffs who represent a class must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class to which they belong.” Spokeo, 135 S. Ct. at 1547 n.6 (internal quotations omitted). And Chief Justice Roberts did not suggest in his Tyson dissent that a putative class member’s lack of injury was a standing issue to be addressed at certification. Rather, he stated that, “if there is no way to ensure that the jury’s damages award goes only to injured class members, that award cannot stand.” 136 S. Ct. at 1053.
Summary judgment is not the only vehicle available to challenge a plaintiff’s or class member’s ability to recover without proof of compensable harm. We know from the Supreme Court’s decision in Comcast Corp. v. Behrend, 133 S. Ct. 1426, 1432–33 (2013), that a class should not be certified without a damage model that measures only those damages attributable to compensable violations. Even the Ninth Circuit adheres to this principle. See Leyva v. Medline Indus. Inc., 716 F.3d 510, 514 (9th Cir. 2013) (acknowledging that, under Comcast, “plaintiffs must be able to show that their damages stemmed from the defendant’s actions that created the legal liability”). Thus, while “‘the need for individualized findings as to the amount of damages does not defeat class certification,’” that rule applies only “where there is a common methodology for calculating damages.” Doyle v. Chrysler Grp., LLC, 663 F. App’x 576, 579 (9th Cir. 2016) (quoting Vaquero v. Ashley Furniture Indus., Inc., 824 F.3d 1150, 1155 (9th Cir. 2016)). A class should not be (or remain) certified if “it is unclear whether ‘damages could feasibly and efficiently be calculated once the common liability questions are adjudicated.’” Id. (quoting Leyva, 716 F.3d at 514).
Thus, while Zappos appears to confirm that the Ninth Circuit intends to stick with its lenient standard for pleading Article III standing in data breach cases, defendants still have viable means to address the problem of uninjured class members.