When data breaches occur, they typically involve lots of people, making them prime targets for class actions. The litigation usually involves allegations about the breach itself – was the breach the result of a company policy or due to negligence, for example? In addition, the allegations go to what the company did after it detected the breach. For instance, did it disclose the breach in a timely matter? Claims may be brought under both common law and federal and state statutes. For the past several years, most cases have not gotten to the class certification stage because they have been dismissed on standing grounds, and when they have reached the class phase, certification has been denied because of the predominance of individualized issues. Two recent U. S. Supreme Court decisions, Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013), in which the Court held that actions based on speculative injury cannot proceed due to lack of standing, and Comcast Corp. v. Behrend, 133 S. Ct. 1426 (2013), an antitrust case out of the Third Circuit, in which the Court held that when damages are individualized, a class cannot be certified, continue these trends. While neither case is a data breach class action, both have significant ramifications in the data breach context.
Standing Decisions Leading to Clapper
The initial issues for a defendant facing a data breach class action are whether the named plaintiff has standing, and relatedly, whether the named plaintiff has suffered any damages. Under the Supreme Court’s standard enunciated in Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992), to have Article III standing, a named plaintiff must have suffered an “injury in fact” that is “distinct and palpable,” and the injury must be fairly traceable to the challenged action and redressable by a favorable decision.
Many cases have been dismissed on standing grounds. For example, in Hammond v. The Bank of New York Mellon, 2010 WL 2643307 (S.D.N.Y. June 25, 2010), plaintiffs alleged that Bank of New York lost a number of unencrypted back-up tapes containing sensitive personal information in transport. Plaintiffs brought common law claims for negligence, breach of implied contract and breach of fiduciary duty, as well as statutory claims under the consumer protection statutes of various states. As is true in many data breach class actions, the named plaintiffs did not sustain an injury and could not show an unauthorized charge on their credit cards, for example. Thus, they lacked standing, because their own claims were based on a fear of future injury, which was too conjectural for there to be standing.
Similarly, in Randolph v. ING Life Insurance and Annuity Company, 486 F. Supp. 2d (D. D.C. 2007), the plaintiffs were insureds who filed a class action against ING alleging invasion of privacy and negligence after certain laptop computers containing personal information, including social security numbers, were stolen from the home of the ING’s representative. The named plaintiffs could not show any actual injury stemming from the theft. Rather, they alleged that they were at an increased risk of future harm in the form of identity theft. The court held that such injury was merely speculative, and thus could not satisfy Article III standing.
A number of Circuit courts have recognized standing. In one of the earliest cases, the Seventh Circuit recognized standing, but nevertheless dismissed the action for lack of a compensable injury. Pisciotta v. Old National Bancorp, 499 F.3d 629, 634 (7th Cir. 2007), involved allegations that, through its website, the defendant bank had solicited personal information on applicants for banking services and failed to adequately secure that information. The named plaintiffs alleged negligence and breach of implied contract – an implied contract to safeguard the solicited personal information. Rejecting cases that failed to find standing where there was no actual injury, the Seventh Circuit held: “the injury-in-fact requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm…” Nevertheless, while the court found standing to exist, the court affirmed dismissal because the injury alleged was not compensable under Indiana law.
Similarly, the Ninth Circuit has recognized standing, but has dismissed for failure to state a claim because of a lack of damages. In Ruiz v. GAP, Inc., 380 F. App’x 689 (9th Cir. 2010), a job applicant brought a putative class action against the GAP based on the theft of a laptop computer that contained social security numbers. The Ninth Circuit held that “’a credible threat of harm is sufficient to constitute actual injury for standing purposes.” Nevertheless, the court affirmed dismissal based on a lack of damages.
In 2011, the First Circuit allowed a case to proceed, finding standing. In Anderson v. Hannaford Bros.Co., 659 F.3d 151 (1st Cir. 2011), the Hannaford Brothers supermarket chain was sued in putative class actions after hackers had stolen more than 4 million credit and debit card numbers. The district court had dismissed the claims of all parties except those that had not been reimbursed for actual fraudulent charges, holding that a merchant is not liable for speculative harm. On appeal, the First Circuit reversed, holding that reasonable out-of-pocket expenses necessary to mitigate future harm are recoverable, holding that such steps are a reasonably foreseeable consequence of a data breach. As discussed below, class certification was recently denied in this case.
And in 2012, the Eleventh Circuit held that the named plaintiffs in a data breach class action had standing, reversing the district court. Resnick v. Avmed, Inc., No. 11-13694 (11th Cir. Sept. 5, 2012), involved the theft of two unencrypted laptop computers containing personally identifiable information. The complaint alleged that Avmed had failed to secure the laptops. Importantly, two of the named plaintiffs alleged actual financial injury. They were able to show that they took steps to protect themselves from identity theft and that there was no other conceivable way that their identities could have been stolen but for the Avmed theft. In particular, the named plaintiffs alleged that the same information that was on the laptops was stolen to open a bank account. The injury was traceable to the theft.
In addition to common law claims, plaintiffs often bring statutory claims. But, like common law claims, there is a question on whether there is standing or damages for these claims.
FAA v. Cooper, 132 S. Ct. 1441 (2012), involved a pilot who was suing for emotional distress damages after the government revealed his HIV positive status. The Privacy Act only allows for actual damages, so the question was whether emotional distress damages constitute actual damages, something the statute was silent on. The Court held that such damages were not actual damages under the Act. Justice Sotomayor’s dissent points up the split in the Court: “Today the Court holds that ‘actual damages’ are limited to pecuniary loss. Consequently, individuals can no longer recover … the primary, and often only, damages sustained as a result of an invasion of privacy, namely mental or emotional distress.”
Similarly, First American Financial Corp. v. Denise P. Edwards, 610 F.3d 514 (9th Cir. 2010), is an important case which involved a RESPA claim. The case went up to the Supreme Court, but the Court declined to decide it after granting review. The case is significant because the Ninth Circuit held in this case that actual damages are not required for RESPA standing. Rather, “[t]he injury required by Article III can exist solely by virtue of a statute’s creating legal rights, the invasion of which creates standing.”
Similarly, in Gaos v. Google, Case No. 5:10-cv-4809 (EJD) (N.D. Cal. 2012), the District Court for the Northern District of California found standing for a statutory claim based on the violation of the Stored Communications Act. The named plaintiff had alleged actual harm “in the form of Google’s unauthorized and unlawful disclosure of Plaintiff’s search queries, which contained sensitive personal information, to third parties.” While the common law claims were dismissed for lack of standing, the Stored Communications Act was adequately pled as violated, providing the named plaintiff with standing to proceed.
Meanwhile, in a recent decision from the Eastern District of Illinois, the court went in the opposite direction. In Sterk v. Best Buy Stores, No. 11 C 1894 (N.D. Ill. Oct. 17, 2012), the named plaintiff alleged that Best Buy disclosed information about the named plaintiff’s movie history purchases, including the credit card number used to rent a movie, in violation of the Video Privacy Protection Act. Plaintiff could not show actual injury stemming from the transaction. The District Court held that “Congress cannot erase Article III’s standing requirement by statutorily granting the right to sue to a plaintiff who would not otherwise have standing.”
The Supreme Court’s Clapper decision now makes it clear that actual injury is required for a plaintiff to proceed under Article III – in any context, including the data breach context. Clapper was brought under the Foreign Intelligence Surveillance Act (“FISA”). Plaintiffs alleged that an amendment to FISA that permitted the government to intercept their foreign transmissions without probable cause was unconstitutional, and that they had been harmed by having to take measures to protect their communications from surveillance. The Supreme Court held that Article III standing — and not standing under FISA in particular– requires actual injury, and that speculative injury is insufficient to create standing: “we have repeatedly reiterated that ‘threatened injury must be certainly impending to constitute injury in fact,’ and ‘[a]llegations of possible future injury’ are not sufficient.” The Court further cautioned against standing based on self-inflicted injury: a plaintiff “cannot manufacture standing merely by inflicting harm based on fears of hypothetical future harm that is not certainly impending.” Indeed, “[i]f the law were otherwise, an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a nonparnoid fear.”
Class Certification of Federal Court Data Breach Class Actions Leading toComcast
Because of the standing issues that plaintiffs have faced, not many cases have proceeded to the class certification stage. Cases that have gone to the class certification stage have tended to be dismissed because of the predominance of individualized issues.
For example, in Stollenwerk v. TriWest Healthcare Alliance, No. 2:03-cv-00185-SRB, slip op. (D. Ariz. June 10, 2008), the court denied the named plaintiffs’ motion for class certification. That case stemmed from a burglary at TriWest, a contractor who handled the healthcare program for the military. Plaintiff alleged that after the burglary, his personal information was used on six separate occasions in unauthorized attempts by others to open credit accounts. While two accounts were opened and there were unauthorized charges, he was not liable for any of them. While that amount of specificity gave the named plaintiffs standing to proceed, it operated against them when it came to class certification because it highlighted the individualized nature of the facts as to each putative class member, some of whom may not have been injured at all.
And, in In re Hannaford Bros. Co. Customer Data Security Breach Litig., No. 2:08-MD-1954-DBH (D. Me. Mar. 20. 2013), discussed above, in which the First Circuit affirmed standing, class certification was denied because of the predominance of individualized issues. The Hannaford Court recognized that damages would differ among class members, depending on whether they had incurred fraudulent charges and took steps to mitigate harm. The case was decided before Comcast, and recognized that in the First Circuit, individualized damages were not enough to prevent class certification, but that the individualized nature of the “proof of causation of damages” was enough to decline certification. For that reason, taking the trial plan into consideration, the court held that class certification had to be denied because plaintiffs could not sustain their burden to show that common issues would predominate over individualized ones.
The Supreme Court’s Comcast decision, decided shortly after Hannaford, makes it clear that, indeed, the existence of individualized damages precludes class certification. Comcast was brought by Philadelphia cable subscribers alleging that Comcast had violated the Sherman Act by monopolizing Philadelphia’s cable market. In a decision authored by Justic Scalia, the Court ruled that when damages are so individualized that they outweigh any common elements of the case, a class may not be certified under the predominance requirement of Rule 23(b)(3): “By refusing to entertain arguments against respondents’ damages model that bore on the propriety of class certification, simply because those arguments would also be pertinent to the merits determination, the Court of Appeals ran afoul of our precedents requiring precisely that inquiry. And it is clear that, under the proper standard for evaluating certification, respondents’ model falls short of establishing that damages are capable of measurement on a classwide basis…. respondents cannot show Rule 23(b)(3) predominance: Questions of individual damage calculations will inevitably overwhelm questions common to the class.”
What to make of all of this? Clapper was not decided in the data breach context, and plaintiffs are attempting to cabin its effects to the FISA context. However, the Clapper opinion itself provides no reasoning that would support only a limited application of its holding. Plaintiffs, similarly, will try to confine Comcast to the antitrust context (as the dissent attempted to do in that case), but the decision itself is not so limited. Thus, the battles continue, and the predominance of individualized issues, including damages issues, can still be expected to be the battleground for most data breach class actions that manage to proceed to class certification.