Clapper and Remijas: A Footnote in the Door for Data Breach Plaintiffs
By Anonymous
November 10, 2015
Data privacy litigation is one of the current growth areas of the law that young lawyers interested in mass torts should be aware of. Companies in the United States love consumer data. In fact, each year U.S. companies collect enough of it to fill 10,000 Libraries of Congress. See Bill McDermott, “Business in Surreal Time,” SAP Sapphire Now, Nov. 5, 2012. To be sure, the collection and use of consumer data is not a new phenomenon; companies have been analyzing point-of-sale transactional data through the use of barcodes since the 1970s. See James Manyika et al., Big Data: The Next Frontier for Innovation, Competition, and Productivity (McKinsey & Company May 15, 2011). But today businesses have taken the collection and use of data to new heights, “mining” stockpiles of consumer information with sophisticated algorithms to optimize top and bottom lines. See id. (estimating that retailers using big data can increase operating margins by more than 60 percent).
Businesses collect consumer personal information from a variety of sources. In addition to saving consumer names, addresses, and payment information at checkout, sign-up, and log-in, companies record consumer footpaths and body language in stores, ping consumer “apps” to track real-time locations, track consumer Internet browsing habits with “cookies,” and monitor consumer social media posts. See id. Once the data are collected, companies can use algorithms to gain incredible insight into consumer buying behaviors and respond with targeted product marketing and promotions. See id. (Williams-Sonoma, for example, uses its customer database of 60 million households, which includes household income, housing value, and number of children, to send targeted emails with 10 to 18 times increased response rates over non-targeted emails); see also Charles Duhigg, “How Companies Learn Your Secrets,” N.Y. Times Mag., Feb. 16, 2012 (recounting that in 2011, a Target Stores algorithm crunched a teenaged consumer’s sex, age, and store purchases and determined that she was in her second trimester of pregnancy, inadvertently revealing the pregnancy to her father when Target sent the teenager advertisements customized for expectant mothers). For a somewhat unsettling demonstration of the power of algorithms, use your smartphone to visit http://avoidhumans.com/index.php, a site that uses metadata in FourSquare and Instagram posts to calculate which locations nearest the user have the fewest people present.
The advantages of collecting and computing consumer data go beyond insight into the consumer, however. Companies can also sell personal information to businesses like Acxiom, a data broker that recorded over a billion dollars in sales last year offering “analytical services” to advertisers. See Acxiom Corporation Annual Report (Apr. 10, 2015) (“analytical services” is shorthand for the sale of “bundles” of millions of consumer names, addresses, and spending habits categorized by various demographics, such as political parties and income brackets). Even state agencies have recognized this potential: In 2013, many drivers were surprised to learn that the New York State Department of Motor Vehicles earned $60 million in 2012 selling driver names, addresses, and dates of birth to data brokers. See Desiree Wiley, “NYS DMV Made $60 Million Selling Drivers’ Personal Information,” (WKBW television broadcast May 20, 2015). For young lawyers, the takeaway point is that companies have significant business and financial incentives to aggressively collect and store consumer personal information and will continue to do so into the foreseeable future.
Data Breaches
Unfortunately, as with all things, the benefits of big data come at a cost. The concentrations of personal information on company servers attract a particularly nasty element of organized crime. Once forced to sift garbage for the shredded financial information of a single victim, identity thieves can now hack into one, often under-protected, corporate database from the comfort of their own homes and collect the financial information of millions. And they do. In its 2010 Data Breach Investigations Report, Verizon estimated that organized criminal groups are responsible for 85 percent of data breaches. See Verizon RISK Team, 2010 Data Breach Investigations Report (Apr. 23, 2011).
Most data privacy litigation centers on responsibility for unauthorized access to the personal information that makes up big data. A data breach is “an event in which an individual’s name plus Social Security number, medical record and/or financial record or debit card is potentially put at risk [due to] malicious or criminal attack, system glitch or human error.” See Ponemon Inst., 2015 Cost of Data Breach Study: United States (May 12, 2015). In 2014 alone, there were 1,541 confirmed data breaches resulting in the exposure of 1,023,108,267 individual consumers’ personal information. See Gemalto, 2014—Year of Mega Breaches & Identity Theft: Findings from the 2014 Breach Level Index (Feb. 12, 2015). Of the five biggest data breaches, three were of United States companies (Home Depot, eBay, and JPMorgan Chase) and together comprised 277 million consumer records. See id. Sadly, the state of cybersecurity has not improved in 2015. In February, hackers accessed Anthem Insurance’s database. Anthem Insurance is the second largest insurer in the United States, and its database contained 80 million insureds’ names, dates of birth, member IDs, Social Security numbers, addresses, phone numbers, and email addresses. See David McCandless, “World’s Biggest Data Breaches,” Information is Beautiful (updated Aug. 11, 2015).
On March 1, 2012, Robert S. Mueller III, former director of the Federal Bureau of Investigation, said: “I am convinced that there are only two types of companies: those that have been hacked and those that will be.” Robert S. Mueller, III, Remarks as Prepared for Delivery at RSA Cyber Security Conference (Mar. 1, 2012). Unfortunately, that pessimistic outlook appears true. A recent study by Raytheon | Websense reported that “nearly 9-in-10 of the organizations represented in [a survey of security executives at 100 large U.S. companies] have had at least one breach with a loss or compromise of data in the past year.” See Raytheon | Websense, Study—Why Executives Lack Security Posture Confidence (Aug. 18, 2015). And despite the staggering amount of personal information at risk and the frequency of data breaches, the same study revealed that fewer than one-third of security executives are confident in their companies’ cybersecurity measures. See id.
Appreciating the above, companies consuming significant amounts of personal information, consumers whose information is being collected, and mass tort lawyers representing either side must be better prepared for the eventuality of a data breach. Legally, such preparation requires understanding consumers’ standing to bring lawsuits against companies for failure to protect consumer information. The rest of this article reviews the most recent developments in standing for data breach plaintiffs, beginning with the Supreme Court’s interpretation of the injury requirement in Clapper v. Amnesty International USA, followed by a look at the subsequent district court decisions applying Clapper, and concluding with an analysis of the Seventh Circuit’s recent decision in Remijas v. Neiman Marcus Group, LLC, the first federal appellate decision on the subject since Clapper.
The Article III Injury Requirement
Article III, Section 2, Clause 1 of the Constitution limits the power of the judicial branch to cases and controversies. The earliest expression of this limitation came in 1793, when the Supreme Court declined to advise President George Washington on international relations between France and the nascent United States, observing that it would constitute an impermissible advisory opinion. See Letter from John Jay to George Washington (Aug. 8, 1793), in 4 The Founders’ Constitution, Document 34 (Philip B. Kurland & Ralph Lerner eds., Univ. of Chicago Press 2000). Since then, it has been well established that a plaintiff bears the burden of proving his or her standing to litigate in federal court. See Lujan v. Defs. of Wildlife, 504 U.S. 555, 561 (1992). To establish standing, a litigant “must prove that he has suffered a concrete and particularized injury that is fairly traceable to the challenged conduct, and is likely to be redressed by a favorable judicial decision.” Hollingsworth v. Perry, 133 S. Ct. 2652, 2661 (2013) (citing Lujan, 504 U.S. at 561). The scope of this article is limited to the first requirement, a “concrete and particularized injury,” but the latter requirements, traceability and redressability, should not be disregarded, as both present significant additional hurdles for data breach plaintiffs litigating in federal court.
Clapper and the “Certainly Impending” Standard
In 2013, the Supreme Court issued Clapper v. Amnesty International USA, a decision with significant impact on data breach litigants despite its disparate context. The plaintiffs in Clapper consisted of attorneys and human rights and media organizations whose work required them to engage in “sensitive and sometimes privileged telephone and e-mail communications with . . . individuals located abroad.” Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1145 (2013). The question before the Court was whether the plaintiffs had standing to litigate the constitutionality of certain amendments to the Foreign Intelligence Surveillance Act of 1978 (FISA) and to seek an injunction against FISA-authorized surveillance, notwithstanding their failure to submit any evidence that they had been subjected to surveillance pursuant to the act. Id.; see also 50 U.S.C. § 1881a (authorizing the government to surveil “persons reasonably believed to be located outside the United States” if seeking “foreign intelligence information”). In support of standing, the plaintiffs argued that they suffered a concrete future injury in the form of “an objectively reasonable likelihood that their communications will be acquired under [FISA] at some point in the future.” Clapper, 133 S. Ct. at 1145. Alternatively, the plaintiffs alleged that they suffered a present economic injury in the form of costly steps taken to protect the confidentiality of their communications in the future.
In a 5–4 decision, the high court held that the plaintiffs’ primary theory of injury “relie[d] on a highly attenuated chain of possibilities” insufficient to satisfy “the well-established requirement that threatened injury must be ‘certainly impending.’” Id. at 1143 (citing Whitmore v. Arkansas, 485 U.S. 149, 158 (1990)). The Court observed that the plaintiffs’ future injuries depended on their “highly speculative fear” that the government would (1) target the communications of foreign persons with whom they communicate, (2) invoke FISA in doing so rather than another method of surveillance, (3) receive approval for the surveillance from a FISA court judge, and (4) succeed in intercepting the targeted communications to which the plaintiffs were a party. Id. at 1148. The Court further noted that the plaintiffs failed to submit evidence that any of the above steps had been taken or would be taken in the future. Id. at 1149. Therefore, the Court concluded that the plaintiffs had not established an injury in fact sufficient to support Article III standing. The Court additionally dispensed with the plaintiffs’ present-injury theory, holding that mitigation costs incurred to avoid harm that is not “certainly impending” cannot establish standing, because litigants “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm.” Id. at 1151 (citing Pennsylvania v. New Jersey, 426 U.S. 660, 664 (1976)).
The Clapper decision and the “certainly impending” standard appeared to close the door on data breach plaintiffs, who generally are unable to offer concrete evidence regarding their hackers’ intentions or when their data will be exploited. Yet, a little-noticed footnote in the decision left the door slightly ajar and eventually produced a plaintiff win in the first federal appellate decision to consider data breach plaintiffs’ standing after Clapper. In footnote 5 of the opinion, Justice Alito wrote:
Our cases do not uniformly require plaintiffs to demonstrate that it is literally certain that the harms they identify will come about. In some instances, we have found standing based on a “substantial risk” that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm.
Id. at 1150 n.5.
The footnote, an unusual concession that undercuts the Court’s newly minted standard, feels out of place and may have been inserted to hold the narrow majority in light of Justice Breyer’s dissent. See id. at 1160–61 (Breyer, J., dissenting). In the dissent, Justice Breyer argued that the Court’s new standard must be elastic—or risk failing to harmonize with the many previous Supreme Court decisions employing significantly less onerous standards than a literally interpreted “certainly impending.” Id. (listing 11 different future injury standards enunciated between 1976 and 2013, including the “substantial risk” standard). Regardless of its origin, however, the footnote is an interesting addition to the majority decision, and it left open the question of when a “substantial risk” standard, rather than a “certainly impending” standard, should be applied.
Clapper’s Impact
In the aftermath of Clapper came a tide of successful challenges to data breach plaintiffs’ standing. District courts in several states and the District of Columbia interpreted Clapper as foreclosing standing for plaintiffs alleging increased risks of identity theft or mitigation costs, finding the allegations too speculative to satisfy the “certainly impending” injury requirement. See, e.g., Storm v. Paytime, Inc., 2015 WL 1119724, at *6 (M.D. Pa. Mar. 13, 2015) (case dismissed for lack of standing where plaintiffs made “no factual allegation of misuse or that such misuse is certainly impending”); Peters v. St. Joseph Servs. Corp., 74 F. Supp. 3d 847, 854 (S.D. Tex. 2015) (plaintiff’s inability to describe how she will be injured “without beginning the explanation with the word ‘if’” demonstrated the speculative and nonjusticiable nature of her claim); In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 26–28 (D.D.C. 2014); Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646, 655–60 (S.D. Ohio 2014) (increased risk of identity theft insufficient to establish standing under the certainly impending standard); In re Barnes & Noble Pin Pad Litig., 2013 WL 4759588, at *3–4 (N.D. Ill. Sept. 3, 2013) (same); Polanco v. Omnicell, Inc., 988 F. Supp. 2d 451, 470 (D.N.J. 2013) (rejecting standing based on plaintiffs’ “prophylactic” measures to avoid “speculative” future harm).
However, Clapper’s “certainly impending” standard was not fatal to all data breach plaintiffs. Some, mostly in California, successfully drew a distinction between the Clapper plaintiffs, who failed to allege that the government intended to view their communications, and the data breach plaintiffs, who alleged that actors, highly likely to be criminal, intentionally stole their personal information from under-protected company servers, thus establishing that the anticipated harm was “certainly impending.” See, e.g., In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1212–14 (N.D. Cal. 2014) (distinguishing data breach plaintiffs from Clapper plaintiffs); In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 961–63 (S.D. Cal. 2014) (same); Moyer v. Michaels Stores, Inc., 2014 WL 3511500, at *5 (N.D. Ill. July 14, 2014) (same); but see In re Horizon Healthcare Servs. Inc. Data Breach Litig., 2015 WL 1472483 (D.N.J. Mar. 31, 2015) (dismissing lawsuit for lack of standing where laptops were only speculated to have been stolen for purposes of identity theft). Other plaintiffs have successfully asserted present economic injuries based on premiums paid for cybersecurity. See In re LinkedIn User Privacy Litig., 2014 WL 1323713, at *5–6 (N.D. Cal. Mar. 28, 2014) (plaintiffs who purchased subscription services at a price based, in part, on LinkedIn’s allegedly false representations of data security suffered economic loss sufficient for standing). Despite the latter decisions, however, until July of this year it appeared that defendants held a significant upper hand in turning away data breach plaintiffs with standing attacks under Federal Rule of Civil Procedure 12(b)(1) and (6).
Remijas Shifts the Balance in Plaintiffs’ Favor
In late July 2015, defendants contesting data breach plaintiffs’ standing suffered a stinging defeat in the Seventh Circuit, the first federal appeals court to rule on the standing of data breach plaintiffs post-Clapper. Reversing the trial court, a three-judge panel held that the plaintiffs in Remijas v. Neiman Marcus Group, LLC, had satisfied the “substantial risk” standard and thus the injury requirement. In so doing, the court observed that a plaintiff need not “demonstrate that it is literally certain that the harms they identify will come about. In some instances, we have found standing based on a ‘substantial risk’ that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm.” Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693 (7th Cir. 2015). This, of course, is a direct quote from Clapper footnote 5.
Remijas involved a data breach affecting some 350,000 consumer credit card numbers, of which 9,200 cards were already known to have suffered fraudulent charges. Following the disclosure, several cardholders brought an action under the Class Action Fairness Act, 28 U.S.C. § 1332(d), on behalf of themselves and all other affected consumers, alleging negligence, breach of implied contract, and violation of state data breach laws. The district court granted the defendant’s motion to dismiss under Rules 12(b)(1) and 12(b)(6), concluding that the plaintiffs lacked standing.
On appeal, the only question properly before the Seventh Circuit was whether the plaintiffs had adequately pled standing. In their briefs, the plaintiffs identified several present injuries:
1) lost time and money resolving the fraudulent charges, 2) lost time and money protecting themselves against future identity theft, 3) the financial loss of buying items at [defendant’s stores] that they would not have purchased had they known of the store’s careless approach to cybersecurity, and 4) lost control over the value of their personal information.
Remijas, 794 F.3d at 692.
The plaintiffs also alleged two future injuries: an increased risk of future fraudulent charges and a greater susceptibility to identity theft.
The court began its analysis by discussing the viability of the plaintiffs’ alleged imminent injuries in light of Clapper. See id. at 696. It noted that the Supreme Court’s “certainly impending” standard confirmed the Article III limitation that “possible future injury” is insufficient for standing. However, the court reasoned, the enunciation of “certainly impending” was not a rejection of previous Supreme Court cases finding standing based on a “substantial risk”; rather, it was an additional version of the injury-in-fact requirement to be applied to highly speculative allegations, as was the case with the plaintiffs in Clapper. Remijas, 794 F.3d at 696 (citing Clapper, 133 S. Ct. at 1150 n.5). Thereafter, the Seventh Circuit explicitly endorsed the approach taken by the minority of district courts and distinguished between the speculative allegations in Clapper and those of the Remijas plaintiffs. Whereas the Clapper plaintiffs were unable to allege that their communications had ever been intercepted by the government, the Remijas plaintiffs alleged that the defendant’s servers were deliberately targeted by hackers in order to obtain credit card information for purposes of identity theft and fraudulent charges. See id. at 693 (citing In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d at 1197). The court further noted that it may plausibly infer that the plaintiffs’ information was stolen with the intention of using it for financial fraud because “[w]hy else would hackers break into a store’s database and steal consumers’ private information?” Id. Thus, the court concluded that the Remijas plaintiffs need not wait for actual harm to manifest because there is an “objectively reasonable likelihood” that harm will occur sufficient for finding an injury in fact. Id. (citing Clapper, 133 S. Ct. at 1147).
The court then turned to the plaintiffs’ “mitigation” damages (the costs of replacement cards, accounts, and credit monitoring services). See id. at 694. It opined that while Clapper stated that plaintiffs “cannot manufacture standing by incurring costs in anticipation of non-imminent harm[,]” that standard was crafted in the context of “addressing speculative harm based on something that may not even have happened.” Id. (quoting Clapper, 133 S. Ct. at 1155). In contrast, the defendant in Remijas did not deny the plaintiffs’ allegation that their data had been stolen by hackers from its servers. Thus, the court concluded that the substantial risk of future injury was a reasonable cause for incurring costs to mitigate the future harm. This too was in reliance on the text of footnote 5. See Clapper, 133 S. Ct. at 1150 n.5 (“a ‘substantial risk’ that the harm will occur . . . may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm”).
Analysis
The Remijas decision may constitute a tipping point for standing arguments in data breach litigation. The injuries alleged in Remijas are frequently alleged in data breach complaints; thus, data breach plaintiffs in the Seventh Circuit may now wield a powerful precedent. Even beyond data breach cases, litigants presenting less speculative allegations of future injury, such as toxic exposure victims without manifest injury, now have a strong argument for the application of a less stringent standard.
The Seventh Circuit seems to have embraced Justice Breyer’s concept of elasticity: A future injury must meet either a “certainly impending” or “substantial risk” standard to be actionable, but whether one or the other is used is based on the degree of proof offered by the plaintiffs. Injuries based more in fear than fact will be judged by the former standard, while those with an “objectively reasonable likelihood” of occurrence will be judged by the latter.
The final impact of Remijas on courts faced with allegations of future injuries remains to be seen. However, considering the number and frequency of data breaches and the admittedly poor cybersecurity employed by many companies, courts likely will have the opportunity to apply it sooner rather than later. Meanwhile, Remijas has already been approvingly cited by the Federal Trade Commission (FTC) in its effort to hold Wyndham Worldwide accountable for failure to maintain reasonable cybersecurity measures. See Letter from the Federal Trade Commission dated July 24, 2015, Fed. Trade Comm’n v. Wyndham Worldwide Corp., No. 14-3514, 2015 WL 4998121 (3d Cir. Aug. 24, 2015). In a letter to the Third Circuit, the FTC called the court’s attention to the Seventh Circuit’s decision, arguing that if the Remijas plaintiffs’ allegations of identifiable costs to mitigate future harms were sufficient to establish standing, then allegations by the victims of several data breaches at Wyndham must be sufficient to meet “the less demanding requirement of 15 U.S.C. § 45(n) that, to be unfair, a practice must cause or be likely to cause consumer injury.” Id. (internal quotations omitted). In its subsequent opinion, the Third Circuit ruled that the data breach victims’ allegations met the unfairness standard necessary to the FTC’s ability to penalize Wyndham, though the opinion did not cite Remijas. Wyndham Worldwide Corp., 2015 WL 4998121, at *8–9. Even before Clapper, the Third Circuit had been a jurisdiction restrictive to data breach plaintiffs. See Reilly v. Ceridian Corp., 664 F.3d 38, 41 (3d Cir. 2011) (dismissing data breach plaintiffs, pre-Clapper, because “allegations of hypothetical, future injury do not establish standing under Article III”). Thus, whether the Third Circuit’s decision represents a sea change in the circuit’s receptiveness to data breach plaintiffs or a recognition of the less demanding requirements of the FTC statute is open to debate.
Nevertheless, data-collecting companies need not run for the hills just yet. The fact that the court’s interpretation is based on dicta in a footnote leaves it on less-than-firm ground. In addition, beyond the threshold of standing there are several hoops through which all data breach plaintiffs must jump before reaching settlement or trial. Even the Seventh Circuit noted in its opinion that the Remijas plaintiffs “may eventually not be able to provide an adequate factual basis for the inference [of injury in fact]. . . .” Remijas, 794 F.3d at 694. Further, to date no court has certified a contested class of data breach plaintiffs; individualized issues, such as whether plaintiffs received credit monitoring, were subjected to fraud or identity theft, or were reimbursed for unauthorized charges, are frequent reasons for denying certification of Rule 23(b)(3) data breach classes on predominance grounds. See, e.g., In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 293 F.R.D. 21, 30–31 (D. Me. 2013) (class certification denied on predominance grounds despite the same procedural posture as the Remijas plaintiffs). Thus, even if widely adopted, the decision’s impact likely will be muted.
Conclusion
Data breaches are rapidly becoming ubiquitous, to the chagrin of both consumers and companies; and with the “Internet of Things” on the horizon, the depth of information that companies collect and hackers steal likely will increase exponentially. Thus, young lawyers interested in complex litigation should be aware of Remijas and its likely progeny. Remijas is a powerful addition to plaintiffs’ arsenal, but the “elasticity” of the paradigm provides opportunities for both sides to be creative. Open to debate are the degree to which plaintiffs’ allegations are speculative, what degree of speculation triggers which standard, and whether data breach plaintiffs can meet either standard. In addition, Remijas is not yet set in stone. Although rehearing en banc has been denied, the defendant could still seek Supreme Court review. And Remijas is only one court of appeals. Should a circuit split develop, the Supreme Court likely will take up the matter once again. If that happens, it will be fascinating to see whether the high court attempts to harmonize the body of its opinion in Clapper with the seemingly discordant text of footnote 5, or elects to establish a new standard altogether.
Keywords: mass torts litigation, data breach, standing, certainly impending, substantial risk
Copyright © 2018, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).