Several class actions have been filed in recent years against companies that had their database compromised as a consequence of a data breach. The class usually consists of consumers whose information was stolen in the breach. The problem that plaintiffs have faced in the majority of these actions is lack of standing. Indeed, in most cases, it has not been possible to demonstrate that the breach had caused a damage to those consumers. An increased risk of identity fraud is not sufficient to ground standing. In 2013, the Supreme Court held that increased risk of identity fraud following a data breach is not enough to give standing and “threatened injury must be certainly impending to constitute injury in fact.” Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013).
The Clapper progeny has more or less kept out of courts, consumers who seek redress from a data breach but could not prove an injury.
2013 cases
– Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013), holding that increased risk of identity fraud following a data breach is not enough to give standing and “threatened injury must be certainly impending to constitute injury in fact.”
2014 cases
–Tierney v. Advocate Health & Hospitals Corp., No. 13 CV 6237, 2014 WL 5783333 (N.D. Ill. Sept. 4, 2014).
–Remijas v. Neiman Marcus Grp., LLC, No. 14 C 1735, 2014 WL 4627893 (N.D. Ill. Sept. 16, 2014) – – reversed, see Remijas v. Neiman Marcus Grp., LLC.794 F.3d 688 (7th Cir. 2015), below.
–Lewert v. P.F. Chang’s China Bistro, Inc., No. 14 CV 4787, 2014 WL 7005097 (N.D. Ill. Dec. 10, 2014).
In every one of these 2014 cases, following Clapper v. Amnesty International USA, the court held that standing is denied when the only injury is an increased risk of identity fraud following a data breach because that is not an “injury in fact”.
2015 cases
– In re Zappos.com, Inc., 108 F. Supp. 3d 949, at *4 (D. Nev. 2015).
– Fernandez v. Leidos, Inc., 2015 WL 5095893, at *7 (E.D. Cal. Aug. 28, 2015).
–Green v. eBay, Inc., 2015 WL 2066531, at *3-6 (E.D. La. May 4, 2015).
–In re Horizon Healthcare Servs. Data Breach Litig., 2015 WL 1472483, at *6 (D.N.J. Mar. 31, 2015).
–Storm v. Paytime, Inc., 90 F. Supp. 3d 359, 364-68 (M.D. Pa. 2015).
–Peters v. St. Josephs Corp., 74 F. Supp. 3d 847, 854-56 (S.D. Tex. 2015).
In every one of these cases, again following Clapper v. Amnesty International USA, the court rejects standing based on an alleged increased risk of identity fraud. The plaintiff must show that the misuse of data is imminent to obtain standing.
Fly in the face of the majority, in Remijas v. Neiman Marcus Grp., LLC. 794 F.3d 688 (7th Cir. 2015), the court granted standing to plaintiffs based on substantial risk that they could be harmed in the future by the data breach. The court found that plaintiff does not necessarily have to allege that their personal information has been misused. “Clapper does not, as the district court thought, foreclose any use whatsoever of future injuries to support Article III standing.” Citing In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1214 (N.D. Cal. 2014), the Court found that it was “plausible to infer that the plaintiffs have shown a substantial risk of harm from the Neiman Marcus data breach.” Also, the court held that mitigation expenses plaintiffs incurred also qualify as an injury, in fact, relying on the First Circuit’s 2011 decision in Anderson v. Hannaford Bros. Co. 659 F.3d 151, 162 (1st Cir. 2011). It was reasonable for plaintiffs to purchase credit monitoring after being notified that their payment card information was at risk. In fact, the defendant itself offered that for one-year to their customers of Jan 2013/Jan 2014.
For more information, Francesca Giannoni-Crystal
For a comparison with the situation in Europe, read here, here and read Allyson Haynes Stuart,
A Tale of Two Data Privacy Actions: What Constitutes Harm in the US and EU?
