While news broke on August 18th that Ashley Madison's stolen data had been released via the dark web, Target was penning the final strokes on a $67 million settlement agreement with Visa stemming from its widely publicized 2013 data breach.
Millions of Records, Millions of Plaintiffs
When data breach cases started hitting the court system, it wasn't surprising that plaintiffs sought remedies through class action lawsuits. After all, it was their personal identifying information ("PII") or protected health information ("PHI") that was exposed in the breach. In Target's case, that included up to 40 million credit card numbers and possibly phone numbers and email addresses.
These are just two examples of recent attacks, plaintiffs, and the type of information harvested by cyber attackers. The victims of these breaches vary in relation to the company attacked, the type of information stolen, and how the information may be used. In the past two years we’ve seen cyber attacks directed at Universities (University of Maryland, with more than 300,000 records compromised
The data stolen in these attacks belonged to customers, students, employees, and patients. The data collected by the attackers is sometimes only a subset of PII, and it is not always accurate. For example, the Ashley Madison data likely included email addresses belonging to people who never registered, because the site's administrators did not verify email addresses when an account was created, so anyone could sign up using someone else's address.
The Clapper Standing Requirement
A data breach plaintiff is no different from any other federal plaintiff. Article III standing must be established in order to survive a Rule 12(b)(1) motion to dismiss for lack of subject-matter jurisdiction. The Supreme Court's decision in Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013), sets the standard for claims based on future injury:
“an injury must be concrete, particularized, and actual or imminent. Although imminence is concededly a somewhat elastic concept, it cannot be stretched beyond its purpose, which is to ensure that the alleged injury is not too speculative for Article III purposes—that the injury is certainly impending. Thus we have repeatedly reiterated that the injury must be certainly impending in fact, and that the allegations of possible future injury are not sufficient.” See Green v eBay Inc., 2015 WL 2066531 at *3 (E.D.La. May 4th, 2015) (citing Clapper at 1147) (alteration omitted) (internal quotation marks and citations omitted).
As the cases highlighted below show, many data breach class actions could not meet this stringent burden: plaintiffs could not show an actual or imminent injury when they did not know whether, or when, the harm Clapper requires would ever occur.
Threat of Fraudulent Activity Does Not Establish Standing
In 2012, Barnes & Noble announced that 63 of its stores across nine states had been targeted by hackers. Credit and debit card information was skimmed from register PIN pads over a period of at least six weeks. Barnes & Noble then delayed notifying the public, and the potentially affected victims, of the breach. In re Barnes & Noble Pin Pad Litigation, 2013 WL 4759588 (N.D. Ill. Sept. 3, 2013). A consolidated class action was filed in the Northern District of Illinois, and Judge Darrah ordered the case dismissed because the plaintiffs were unable to meet the Clapper standing standard. The court held that Barnes & Noble's delay in notifying the plaintiffs did not by itself confer standing, nor did allegations of an increased risk of identity theft or fraud. Id. at *3. "Nothing in the [c]omplaint indicates [p]laintiffs have suffered either a 'certainly impending' injury or a 'substantial risk' of an injury, and therefore, the increased risk is insufficient to establish standing." Id.
Paytime, Inc., was the target of a cyber attack in April 2014 in which over 230,000 client files containing PII were "misappropriated." Storm v. Paytime, Inc., 2015 WL 1119724, at *3 (M.D. Pa. March 13, 2015). Class action lawsuits were filed, consolidated, and ultimately dismissed under the "high bar" Clapper established for the Rule 12(b)(1) Article III standing analysis. Id. at *4. The court in Storm looked to Third Circuit case law for further guidance, finding that it "require[d] its district courts to dismiss data breach cases for lack of standing unless plaintiffs allege actual misuse of the hacked data or specifically allege how such misuse is certainly impending. Allegations of increased risk of identity theft are insufficient to allege a harm." Id. at *5 (citing Reilly v. Ceridian Corp., 664 F.3d 38, 43 (3d Cir. 2011)). The court found insufficient facts to establish that a third party had actually accessed the plaintiffs' information, or that there was any actual or imminent "misuse" of the data, which the Reilly standard requires. Id. at *5-6.
Shortly after Storm, In re Horizon Healthcare Services Inc. Data Breach Litigation, 2015 WL 1472483 (D.N.J. March 31, 2015), applied a similar analysis, supplementing Clapper with Reilly to dismiss the plaintiffs' multiple claims for lack of standing. The health services company had two password-protected but unencrypted employee laptops stolen, which together held the PII and PHI of over 800,000 members. Horizon investigated the incident and notified the authorities and those affected. Id. at *1. The court found that most of the plaintiffs' alleged injuries were "generalized," and that the plaintiffs relied on common law and statutory damages rather than concrete harm to establish injury. Id. at *4. The plaintiffs were unable to establish imminent injury under the Reilly standard, "hav[ing] not alleged any post-breach misuse of compromised data." Id. at *6. To drive the point home, the court observed that the alleged "future injuries stem from conjectural conduct of a third party and are therefore inadequate to confer standing." Id. (citations omitted). One plaintiff who did suffer identity theft after the breach still had his claims dismissed, because he could not establish that the identity theft was caused by the breach at issue. Id. at *7-9.
Names, encrypted passwords, dates of birth, email addresses, and phone numbers of over 120 million eBay customers were potentially compromised when the company was hacked in February and March of 2014. eBay notified its users of the breach two months later and recommended that they change their passwords. Green v. eBay, Inc., at *1. Once again, a district court dismissed the case under the Clapper standard. Judge Morgan acknowledged that "[i]n most data breach cases, the complaints allege sensitive information was stolen…. In such cases, courts nonetheless have found that the mere risk of identity theft is insufficient to confer standing, even in cases where there were actual attempts to use the stolen information." Id. at *4 (citations omitted). For this court, the threat of identity theft was too tenuous a connection to establish standing.
Sea Change – Reading Clapper in a New Light
While many courts applied Clapper strictly, other courts began to read the Supreme Court's decision more narrowly in the context of data breach cases.
Adobe's servers were compromised from July through September 2013, and the attackers were able to access customer PII and Adobe product source code repositories. Upon confirming the breach, Adobe announced it in early October. In re Adobe Systems, Inc. Privacy Litigation, 66 F. Supp. 3d 1197, 1206 (N.D. Cal. Sept. 4, 2014). Multiple lawsuits were filed and ultimately consolidated into a single class action. The court in Adobe examined the Clapper majority opinion closely in finding that there was standing: "Clapper did not change the law governing Article III standing . . . . [but] merely held that the Second Circuit had strayed from these well-established standing principles by accepting a too-speculative theory of future injury. . . . [T]he Court is reluctant to conclude that Clapper represents the sea change that Adobe represents." Id. at 1214. The court also distinguished Clapper on its facts: because Clapper involved national security surveillance and the separation of powers, it called for an especially rigorous standing analysis that the Adobe case did not. Id. Turning to the alleged harm, Judge Koh found it "sufficiently concrete and imminent" to satisfy Clapper. Id. The nature of the attack, the type of information taken, and evidence that some of the breached data had already been made available on the internet were enough to meet that standard. Id. at 1214-15.
The Sony breach of late 2014 was reported in the news on a daily basis. It could not have been a surprise that the employees affected by the 100 terabyte breach later filed a class action lawsuit seeking redress for their released PII and PHI. Corona, et al. v. Sony Pictures Entertainment, Inc., 2015 U.S. Dist. LEXIS 85865, at *1-2 (C.D. Cal. June 6, 2015). The court's standing analysis in Sony was succinct. Referencing Clapper and its "certainly impending" standard, the court found Article III standing with minimal fuss, pointing to the posting of the breached data on file-sharing websites and the alleged subsequent physical threats made to employees and their family members. Id. at *5-6.
The Neiman Marcus case is the most recent of those discussed here: in July 2015 the Seventh Circuit reversed the district court's dismissal. The underlying case stems from a malware attack on Neiman Marcus between July and October 2013, which Neiman Marcus discovered in December 2013 and announced to the public in January 2014. Remijas v. Neiman Marcus Group, LLC, 2015 WL 4394814, at *1 (7th Cir. July 20, 2015). The PII at risk included approximately 350,000 payment cards, of which 9,200 were confirmed to have been used fraudulently. Id. Class action lawsuits were soon filed and were consolidated in June 2014. Id. at *2. The district court dismissed the class action for lack of standing, relying on Clapper. Id. at *4. The Seventh Circuit distinguished the Neiman Marcus plaintiffs from those in Clapper, noting that the Clapper majority "did not jettison the 'substantial risk' standard…[nor did] it require plaintiffs to demonstrate that it is literally certain that the harms they identify will come about." Id. (citing Clapper at 1150 n.5).
The Seventh Circuit went further, cautioning courts "not to overread Clapper." Id. at *5. Pointing to the breach itself and to the credit card monitoring services Neiman Marcus subsequently offered its customers, the court found that the plaintiffs' alleged injuries were not the speculative chain of possibilities rejected in Clapper. Id. The court also rejected the causation argument that had defeated plaintiffs in earlier cases, finding that Neiman Marcus's own admission of the breach and of the number of exposed cards sufficiently addressed that concern. Even if some of the affected customers had also been exposed in the Target breach, that potential dual exposure did not defeat the plaintiffs' standing. Id. at *7.
Target is closing the circle on the multi-year fallout from its data breach. Reports indicate that a settlement with MasterCard will closely follow the Visa settlement, and a $10 million settlement was reached earlier in the year with the class action plaintiffs.
Interested in Cybersecurity? If so, read Driven’s article by Yohance Bowden, The Changing Threat Posed by Recent Cyber Attacks, which focuses on the 2014 Sony breach and offers a 7 step roadmap to assist corporations in implementing a data security plan.