Courts are split regarding the type of injury the plaintiff must allege in a data breach case to satisfy Article III standing. The standing issue typically arises in such cases where personal information has been lost or compromised but has not yet been misused. Historically, plaintiffs who have suffered no apparent loss have alleged standing based on a fear of potential future harm. The First and Third Circuits have rejected standing based on the threat of future harm as too speculative. See Katz v. Pershing, LLC, 672 F.3d 64 (1st Cir. 2012) (rejecting standing for plaintiff who purchased identity theft insurance and credit monitoring services, where there was no allegation that her confidential data had been accessed as a result of the data breach); Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (rejecting standing in a suit against a payroll processing firm whose firewall had been penetrated, but where there was no evidence of misuse even though plaintiffs incurred time and expense for credit monitoring). The Seventh and Ninth Circuits, however, have held that consumers have standing to bring a data breach security class action based on the threat of future harm, even though no actual loss had occurred. See Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) (finding standing where plaintiffs alleged that someone attempted to open a bank account with plaintiffs' information following the theft of an unencrypted laptop); Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629 (7th Cir. 2007) (finding standing against a bank whose website had been hacked even though plaintiffs did not allege that they had incurred any financial loss or had been the victims of identity theft). Despite this split, a recent decision by the U.S. Supreme Court in a case deciding standing in a different factual context may curtail this injury in fact approach to standing in future data breach cases.
Supreme Court's Decision in Clapper
In Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013), human rights organizations and media groups challenged the constitutionality of a 2008 amendment to the Foreign Intelligence Surveillance Act (FISA) that eased the requirements for the government to obtain approval from a special court for wiretaps on intelligence targets outside of the United States. The plaintiffs, all U.S. citizens, alleged that their work includes sensitive telephone and email communications with likely foreign targets of such surveillance. They asserted that they had standing to challenge this amendment to FISA based on their allegations that such communications would be intercepted in the future. The plaintiffs also alleged that they had suffered present injury by undertaking costly and burdensome steps to protect the confidentiality of their communications from surveillance.
In a 5–4 decision, the Supreme Court held that the plaintiffs were unable to establish Article III standing. The Court held that the plaintiffs could not show, without resorting to speculation, that they faced an imminent threatened injury that was "fairly traceable" to the FISA amendment, especially given that the plaintiffs did not allege any actual knowledge of the government's targeting practices. Conceding that the concept of imminence is "somewhat elastic," the Court stated that it must not be "stretched beyond its purpose," which is "to ensure that the alleged injury is not too speculative for Article III purposes." Clapper, 133 S. Ct. at 1147. The Court noted that a speculative chain of possibilities based on potential future surveillance was not enough to show that "threatened injury" was "certainly impending." The Court also rejected the plaintiffs' standing argument based on the expenses and inconvenience they incurred to protect the confidentiality of their communications with international sources. The Court concluded that although the plaintiffs' fears of government surveillance under the FISA amendment were not "fanciful, paranoid, or otherwise unreasonable," the harm sought to be avoided was not "certainly impending." In other words, the plaintiffs could not "manufacture" standing "merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending. . . . If the law were otherwise, an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear." Clapper, 133 S. Ct. at 1151 (citation omitted).
Post-Clapper Decisions in Data Breach Cases
Several defendants have seized upon the Supreme Court's decision in Clapper to challenge standing in data breach cases where the plaintiffs have not alleged actual misuse of the data. To date, virtually every defendant asserting a Clapper-based challenge has been successful. Federal courts in Illinois, New Jersey, Ohio, and the District of Columbia have interpreted Clapper to require dismissal of data breach lawsuits where the plaintiffs have not alleged actual misuse of the data. See In re Science Applications Int'l Corp. (SAIC) Backup Tape Data Theft Litig., MDL No. 2360, 2014 WL 1858458 (D.D.C. May 9, 2014); Strautins v. Trustwave Holdings, Inc., No. 12 C 09115, 2014 WL 960816 (N.D. Ill. Mar. 12, 2014); Galaria v. Nationwide Mut. Ins. Co., Nos. 2:13-CV-118, -257, 2014 WL 689703 (S.D. Ohio Feb. 10, 2014); Polanco v. Omnicell, Inc., No. 13-1417 (NLH/KMW), 2013 WL 6823265 (D.N.J. Dec. 26, 2013); In re Barnes & Noble Pin Pad Litig., No. 12-cv-8617, 2013 WL 4759588 (N.D. Ill. Sept. 3, 2013). One California district court, however, found that standing existed even though the plaintiffs did not allege actual misuse of their data. See In re Sony Gaming Networks & Customer Data Sec. Breach Litig. (Sony II), MDL No. 11MD2258 AJB (MDD), 2014 WL 223677 (S.D. Cal. Jan. 21, 2014).
Sony II: Standing Upheld Based on Threat of Future Harm
In Sony II, a class action arising out of the 2011 breach of the Sony PlayStation network by criminal hackers, the Southern District of California determined that the plaintiffs had standing merely because their information had been wrongfully disclosed, even though the plaintiffs did not allege that their information had actually been misused. In its 2012 opinion, the Sony I court held, based on the Ninth Circuit precedent in Krottner v. Starbucks, that the plaintiffs had standing based on their allegations that their sensitive personal information was wrongfully disseminated, which therefore increased the risk of future harm. In re Sony Gaming Networks & Customer Data Sec. Breach Litig. (Sony I), 903 F. Supp. 2d 942, 957–59 (S.D. Cal. 2012). In Krottner, a case decided before Clapper, the Ninth Circuit held that Article III standing must be based on a "real and immediate" threat of harm. Sony asked the court to reconsider its 2012 opinion in light of the Clapper decision. Sony argued that Clapper tightened the "injury in fact" analysis set forth in Krottner. The court did not agree.
Noting that the Ninth Circuit in Krottner found Article III standing based on a "credible threat of harm" that was "both real and immediate, not conjectural or hypothetical," the Sony II court held that the Clapper "certainly impending" standard did not set forth a new Article III framework, and that the Supreme Court's decision did not overrule previous precedent requiring that the harm be "real and immediate." "To the contrary, the Supreme Court's decision in Clapper simply reiterated an already well-established framework for assessing whether a plaintiff had sufficiently alleged an 'injury-in-fact' for purposes of Article III standing." Sony II, 2014 WL 223677, at *8. According to Sony II, neither Krottner nor Clapper requires plaintiffs to allege that their information was accessed by a third party. Thus, plaintiffs, at least within the Ninth Circuit, may be able to withstand challenges to standing based on allegations that information was wrongfully disclosed as a result of a data breach incident, causing a threat of future harm.
Cases Rejecting Standing Based on Mere Threat of Future Harm
With the exception of Sony II, every other case since Clapper has held that the mere threat of future harm is insufficient to confer standing in a data breach case. The first such case is In re Barnes & Noble Pin Pad Litigation, a case from the Northern District of Illinois. There, the plaintiffs merely claimed that they had used their credit cards at Barnes & Noble stores that had been compromised. Because the plaintiffs could not prove that their information had indeed been stolen, the court found that the plaintiffs did not have standing. The court also declined to find injury in fact based on the time and expense incurred to mitigate the risk of identity theft, or on claims that the plaintiffs had an increased risk of identity theft due to the breach.
Similarly, in Galaria v. Nationwide Mutual Insurance Co., the Southern District of Ohio declined to find standing based on the plaintiffs' claims of an increased risk of identity theft, the time and expenses for credit monitoring or other risk-mitigating measures, deprivation of the value of their personal information, and loss of privacy. The court also rejected as speculative the plaintiffs' argument that they had a statistically higher chance of becoming victims of theft or fraud as a result of the breach. The Galaria court held that the future risks were no different than the threats of future injury rejected in Clapper. Standing did not exist because the risk of such future injury depends on the criminal actions of independent third parties without sufficient factual allegations to demonstrate that such future injury is "imminent or certainly impending." The cost of credit monitoring was also rejected as a basis to confer standing because it was deemed to be the type of manufactured harm the Supreme Court rejected in Clapper.
Strautins v. Trustwave Holdings, Inc., a case from the Northern District of Illinois, likewise rejected the "increased risk" theory of standing, noting that injury was speculative based on a "number of variables, such as whether [the plaintiffs'] data was actually taken during the breach, whether it was subsequently sold or otherwise transferred, whether anyone who obtained the data attempted to use it, and whether or not they succeeded." Strautins, 2014 WL 960816, at *4. The Strautins court noted that, "[l]ike the plaintiffs in Clapper, the harm that Strautins fears is contingent on a chain of attenuated hypothetical events and actions by third parties independent of the defendant." Strautins, 2014 WL 960816, at *4. While a plaintiff need not show that it is "literally certain" that he or she will be a victim of identity theft or fraud, the mere fact that risk has been increased does not suffice under Clapper to establish standing. Noting that "Clapper does not completely close the door on probabilistic harm as a basis for standing[,] . . . the import of the Supreme Court's decision in Clapper is that, whatever verbal formulation is used to describe it, the threshold of probability for injuries that have not actually occurred is high." Strautins, 2014 WL 960816, at *5.
In another post-Clapper case, In re SAIC Backup Tape Data Theft Litigation, a data breach case brought in the District of Columbia involving the theft of tapes containing personally identifiable information and medical records of 4.7 million U.S. military members and their families, several individuals sued SAIC and various government defendants. Many alleged injury from an increased risk of identity theft. Several also sought compensation for time or money spent monitoring their credit or bank accounts. A handful alleged that their credit cards or bank accounts actually had been misused post-breach. The SAIC court held that only the plaintiffs who claimed that their personal information was accessed and misused sufficiently pleaded an injury in fact. The claims premised on mere disclosure were too speculative to confer standing. As in most of the other post-Clapper decisions, the time and expense incurred in credit monitoring and other preventive measures were not sufficient to constitute an injury in fact. See also Polanco v. Omnicell, 2013 WL 6823265 (holding that plaintiff's increased out-of-pocket expenses in seeking treatment at "HIPAA-compliant" hospitals rather than at defendants' medical facilities was insufficient to confer Article III standing because plaintiff's decision to do so was based on her speculative belief that defendants would lose personal health information in the future).
Since the Supreme Court's decision in Clapper, plaintiffs have had little success in warding off challenges to standing where there is no allegation of actual misuse of data. Only one case, Sony II, has found standing merely because the plaintiffs' information had been wrongfully disclosed, even though the plaintiffs did not allege that their information had actually been misused. In the wake of Clapper, plaintiffs seeking to pursue data breach claims will likely need to refine their approach to overcome the hurdles of Article III standing.
Keywords: Clapper, Article III standing, data breach, cybersecurity, injury in fact, risk of future harm