Every month, it seems, another company has its data breached by hackers. In 2014 notable breaches occurred at Target, Home Depot, Neiman Marcus, and JP Morgan Chase. The most publicized breach occurred right before Thanksgiving, when the “Guardians of Peace” hacked Sony, which led to the motion picture The Interview being released online rather than in movie theaters.

Legal recourse for victims whose personal data has been compromised by hackers has been difficult to obtain. Since many hackers are located outside of the United States and are likely judgment proof, most cases are filed using a tort remedy against the company that was the custodian of the data. The first hurdle in a data breach class action lawsuit is standing. To bring a claim in federal court, a plaintiff must satisfy the threshold requirement imposed by Article III of the U.S. Constitution by alleging an actual case or controversy. To meet this burden, the plaintiff must establish that they suffered an “injury-in-fact,” which is “concrete and particularized,” and “actual or imminent,” not “conjectural or hypothetical.” Plaintiffs have struggled to resolve this issue—if a victim’s personal data has been stolen but has not been used, then how does the plaintiff satisfy the injury-in-fact requirement to achieve standing?

Many courts have relied on Clapper, a SCOTUS case that involved a challenge to the constitutionality of FISA amendments, which allowed the government to engage in surveillance activities. The Court stated that a “threatened injury must be certainly impending to constitute injury-in-fact,” and that “allegations of possible future injury” are not sufficient to have standing. Applying Clapper to data breach cases, a plaintiff would not have standing by showing that a risk of identity theft existed simply because data was stolen. The plaintiff would have to show that the risk of identity theft was “impending.” There is no consensus on the meaning of “impending.” Some courts have concluded that individuals who had fraudulent charges on their credit cards were not at an impending risk of identity theft because credit card companies may reverse fraudulent charges, which mitigates the harm. If fraudulent credit card charges do not qualify as an injury-in-fact (is “impending” even an issue when the injury has already occurred?), then how high is the bar for a plaintiff to have standing?

Recently, the California district court in In re Adobe seemingly lessened the standing burden for data breach victims. Hackers stole the credit cards and personal information of Adobe’s customers off Adobe’s network. Even though the plaintiffs did not establish that the hackers used their information, the court held that the plaintiffs established standing under Clapper because the hackers posted some of the plaintiffs’ information on the Internet. The court believed the likelihood of use was imminent. In addition, the court ruled that the cost to mitigate the risk of harm resulting from the stolen data was an injury-in-fact. Here, the court focused on damages because the plaintiffs paid for a service to protect their identity. The court distinguished two cases where the plaintiffs were not granted standing by pointing out that the plaintiffs failed because they did not have damages. Adobe may provide two avenues for plaintiffs to achieve standing in data breach cases: (1) a showing that the likelihood of use is imminent and (2) evidence of damages, i.e., that the plaintiffs spent money to mitigate the risk of harm resulting from the stolen data.

Data breach litigation is not going away. This area of law is evolving and there is no consensus among the courts on what constitutes an injury-in-fact. It will be interesting to see in the near future if courts adopt the broader approach in Adobe.

Forrest James



2 Responses to After Adobe, will more data breach cases survive a standing challenge?

  1. Joshua de Larios-Heiman says:

    Interesting development. Could you please provide a link/citation to the decision?