Plaintiffs Alleging Only "Future Harm" Following a Data Breach Continue to Face a High Bar
By Dana Post
In this electronic age, rarely a day goes by without hearing of a cybersecurity incident which has resulted in data being lost, stolen or compromised. Amid the onslaught of data breach reports from around the world, companies are learning just how devastating a breach can be—not only from a reputational standpoint but due to the litany of regulatory and private litigations that may ensue following the breach. While the law in data breach litigation is still developing, it is becoming increasingly clear that defendants are more likely to have a private lawsuit dismissed if they can argue that the only harm alleged from a data breach is hypothetical future harm. The Supreme Court’s recent decision in Clapper v. Amnesty Int’l, moreover, casts further doubt on standing in data breach cases where the only harm alleged is speculative.
Data Breach Cases Involving Allegations of Future Harm
The data breach cases brought to date by private litigants have generally involved hackers gaining access to a company’s database; theft or loss of a company’s unencrypted laptop computer or backup tapes; or claims that a company failed to properly safeguard data before any data was actually lost or stolen. Where actual harm is sufficiently alleged—such as identity theft or fraudulent charges—a claim is more likely to proceed.
In Lone Star Nat’l Bank v. Heartland Payment Systems, for example, the court allowed negligence and contract claims to proceed following a breach of credit card processor data when issuer banks alleged they incurred costs associated with replacing compromised cards and reimbursing customers for fraudulent charges.
And in Resnick v. Avmed, plaintiffs sued after two unencrypted company laptops were stolen and plaintiffs became victims of identity theft; the court found that plaintiffs had standing to sue because the complaint “specifically alleged that plaintiffs’ suffered financial injury” and the alleged injury was fairly traceable to defendants’ conduct.
In the absence of actual identity theft or other quantifiable harm, however, the majority of courts have held that the risk of future harm is insufficient to confer constitutional standing on plaintiffs under Article III, which requires an injury to be “concrete, particularized and actual or imminent; fairly traceable to the challenged action, and redressable by a favorable ruling.” In those data breach cases where standing was established, moreover, plaintiffs have had difficulty surmounting the additional hurdle of showing requisite harm from the breach.
In Katz v. Pershing, for example, the plaintiff, on behalf of herself and others similarly situated, claimed a risk of future harm due to Pershing’s failure to protect sensitive nonpublic information in accordance with obligations under contract and consumer protection laws. The plaintiff alleged, among other things, that she was injured for purposes of standing based on expenditures made to protect against fraud, including the purchase of identity theft insurance and credit monitoring services. The Katz court held that the lack of an actual data breach was a “fatal” omission for a standing analysis and suggested that had a hacker actually misappropriated her data she would have satisfied “Article III's requirement of actual or impending injury.” Critically, the court stated that to achieve standing, plaintiffs “must allege and show that they personally have been injured” and the complaint “does not contain an allegation that the plaintiff’s nonpublic personal information has actually been accessed by any unauthorized user.” See Anderson v. Hannaford Brothers Co., in which costs incurred by the store’s customers in obtaining replacement credit cards and identity theft insurance following a data breach were sufficient to confer standing under Maine law regardless of whether any fraud occurred.
Similarly, in Reilly v. Ceridian Corp., law firm employees, on behalf of themselves and others similarly situated, filed a complaint against Ceridian, a payroll processing firm, after an unknown hacker gained access to personal and financial information of Ceridian’s customers. Plaintiffs alleged an increased risk of identity theft, costs incurred to monitor their credit activity, and emotional distress as a result of the breach. The Reilly court affirmed the District Court’s opinion that allegations of “an increased risk of identity theft as a result of the security breach are hypothetical, future injuries and are therefore insufficient to establish standing” under Article III. As concerns the alleged time and money expenditures to monitor their financial information, the Reilly court concluded that “costs incurred to watch for a speculative chain of future events based on hypothetical future criminal acts are no more ‘actual’ injuries than the alleged increased ‘risk of injury’ which forms the basis for Appellants’ claims.”
Also, in Lambert v. Hartman, the Sixth Circuit—while not explicitly analyzing the issue—found that plaintiff, who had alleged both an actual financial loss as a result of identity theft and an increased risk of additional, future identity theft, had standing only to bring claims for her actual financial injuries. The court stated that the risk of future identity theft was “somewhat ‘hypothetical’ and ‘conjectural’” and thus insufficient to confer standing. See also Hammond v. Bank of New York Mellon Corp., concluding that plaintiffs lacked standing in a data breach case because their claims were “future-oriented, hypothetical and conjectural”; and Allison v. Aetna, Inc., in which the court found that plaintiff, who did not allege receipt of phishing e-mails or other misuse of data following the breach of a job notification website, lacked standing.
Despite these holdings, some courts have found that plaintiffs have Article III standing in data loss cases for future harm while then dismissing such cases because plaintiffs had not established damages. In Pisciotta v. Old Nat’l Bancorp, for instance, plaintiffs sought compensation for the costs of past and future credit-monitoring services following a data breach. The Seventh Circuit held that “the injury-in-fact requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would have otherwise faced, absent the defendant’s actions.” With respect to damages, however, the Pisciotta court “declined to adopt a ‘substantive innovation’ in state law” because “without more than allegations of increased risk of future identity theft, the plaintiffs have not suffered a harm that the law is prepared to remedy.” See also Caudle v. Towers, Perrin, Forster & Crosby, Inc., following Pisciotta to find that the risk of future identity theft or fraud after a security breach was sufficient to confer standing but concluding plaintiffs “have not suffered a harm that the law is prepared to remedy.”
In Krottner v. Starbucks Corp., the court followed the standing analysis in Pisciotta and allowed the claims to proceed without analyzing whether plaintiffs sufficiently alleged damages. In that case, current and former Starbucks employees whose names, addresses and Social Security numbers were stored on a laptop that was stolen from Starbucks alleged the company acted negligently and breached an implied contract. Plaintiffs suffered no financial loss from the theft but alleged they had been “extra vigilant” about monitoring their bank and 401(k) accounts and had generalized anxiety and stress regarding the situation. The Ninth Circuit held plaintiffs “suffered an injury sufficient to confer standing under Article III” due to “a credible threat of real and immediate harm stemming from the theft of a laptop containing their unencrypted personal data.”
The Standing Analysis in Clapper v. Amnesty
As demonstrated above, while courts have mostly found that an increased risk of harm such as potential identity theft is insufficient to confer standing or establish damages, the law in this area remains unsettled. The Supreme Court’s recent decision in Clapper v. Amnesty Int’l, however, may make it more difficult for plaintiffs who fail to allege concrete harm following a data breach to see their day in court.
In Clapper, the court considered whether respondents had standing to challenge section 1881a of the Foreign Intelligence Surveillance Act based on assertions that there is an “objectively reasonable likelihood” that their communications will be intercepted at some point in the future. Respondents alternatively argued that they were injured-in-fact “because the risk of a §1881a-authorized surveillance already has forced them to take costly and burdensome measures to protect the confidentiality of their international communications.” The Clapper court rejected respondents’ standing arguments, explaining that Article III standing requires the threatened injury to “be certainly impending to constitute an injury in fact” and that “allegations of possible future injury are not sufficient.” Because it was speculative whether the government would imminently target communications to which respondents were parties, the court found respondents lacked standing. In so ruling, the court stated that “we decline to abandon our usual reluctance to endorse standing theories that rest on speculation about the decisions of independent actors.”
Although the facts of Clapper did not involve a data breach, the reasoning and language of the opinion give defendants fuel to argue that the risk of future harm in data breach cases is insufficient for purposes of Article III standing.
As set forth above, with the exception of a few cases, private lawsuits involving data breaches where there is no concrete injury have not had much traction due to the difficulty of quantifying the harm of a privacy violation in a legally cognizable way.
The Supreme Court’s ruling in Clapper may make it more difficult for such cases to proceed. Until this issue is settled, there will likely be forum shopping and forum selection clauses in contracts to help potential litigants prosecute or defend such cases.
Dana Post is a senior attorney who runs U.S. e-discovery and data management at Freshfields Bruckhaus Deringer US, LLP. Dana's responsibilities include advising clients on their e-discovery obligations, including the preservation, collection, processing, review, and production of electronic information. She also advises companies on data security issues and issues arising in cross-border litigation, including data protection laws. Dana is a member of The Sedona Conference Working Group 6 (International Electronic Information Management, Discovery and Disclosure) and the International Association of Privacy Professionals.