Last week, the Eastern District of Louisiana joined the growing majority of district courts around the country that have held increased risk of future identity theft or identity fraud posed by a data breach is not sufficient to confer Article III standing on individuals whose information has been compromised but not yet misused.
In Green v. eBay Inc., No. 14-1688, 2015 U.S. Dist. LEXIS 58047 (E.D. La. May 4, 2015), the named plaintiff brought a putative class action against eBay on behalf of himself and all other eBay users in the United States whose personal information was accessed during data breaches that occurred in February and March 2014. Plaintiff alleged injury in the form of “actual identity theft, as well as (i) improper disclosures of their personal information; (ii) out-of-pocket expenses incurred to mitigate the increased risk of identity theft and/or identity fraud due to eBay's failures; (iii) the value of their time spent mitigating identity theft and/or identity fraud, and/or the increased risk of identity theft and/or identity fraud; (iv) and deprivation of the value of their personal information.” Id. at *4. The court acknowledged the clear majority trend following the Supreme Court’s decision in Clapper v. Amnesty International, 133 S.Ct. 1138 (2013) – which despite a few exceptions – has been to dismiss data breach class actions where there is only an increased risk of identity theft or identity fraud, or where individuals are not held financially responsible for fraudulent credit card charges. Id. at **10-15 (collecting and analyzing cases). Despite Plaintiff’s attempt to plead “actual identity theft,” the court stated that “this conclusory statement without any allegations of actual incidents” was inadequate to “demonstrate a concrete and particularized actual or threatened injury that is certainly impending,” and ultimately followed the majority trend and “dismiss[ed] the Class Action Complaint for lack of standing.” Id. at **15-16, 21.
Notably, the court also concluded the “fact that Plaintiff alleges statutory violations does not alone establish standing.” Id. at n.25 (citing In re Barnes & Noble Pin Pad Litig., No. 12-8617, 2013 U.S. Dist. LEXIS 125730, 2013 WL 4759588, at *3 (N.D. Ill. Sept. 3, 2013)) (“Even assuming the statutes have been violated . . . breach of these statutes is insufficient to establish standing without any actual damages due to the breach. Plaintiffs must plead an injury beyond a statutory violation to meet the standing requirements of Article III.”). Although other district courts dismissing data breach class actions for lack of standing have similarly held alleged statutory violations do not alone establish Article III standing, the landscape could change significantly based on the Supreme Court’s pending decision in Spokeo, Inc. v. Robins, No. 13-1339 (U.S. Apr. 27, 2015).
In Robins v. Spokeo, Inc., 742 F.3d 409 (9th Cir. 2014), the Ninth Circuit held that alleged violations of plaintiff’s statutory rights under the Fair Credit Reporting Act sufficiently satisfied Article III's injury-in-fact requirement. Defendant Spokeo appealed to the Supreme Court. On April 27, 2015, and against the recommendation of the Solicitor General, the Supreme Court granted Spokeo’s petition for writ of certiorari. The question before the Court presented by Spokeo is “whether Congress may confer Article III standing upon a plaintiff who suffers no concrete harm, and who therefore could not otherwise invoke the jurisdiction of a federal court, by authorizing a private right of action based on a bare violation of a federal statute.” Amici curiae such as Facebook, Google, and Yahoo sided with Spokeo and urged the Supreme Court to grant the petition and reverse the Ninth Circuit, arguing that the Ninth Circuit’s decision opens the door to improper and costly “no-injury” class actions.
Ultimately, no matter how the Supreme Court rules in Spokeo, it will likely have significant implications on the standing requirements in data breach and other class actions.
- Cybersecurity and Privacy Law
- Privacy Laws
- California Consumer Privacy Act
- Cybersecurity Regulation
- Cyber Insurance
- Data Breach
- General Data Protection Regulation
- Class Action Litigation
- Mergers & Acquisitions
- Incident Response Plan
- Information Governance
- Corporate Law
- Federal Trade Commission
- Seventh Circuit
- Department of Justice
- GDPR Compliance: What is Privacy Shield 2.0?
- Connecticut's Data Privacy Law
- The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA)
- The Utah Consumer Privacy Act
- The Colorado Privacy Act
- The Virginia Consumer Data Protection Act
- State Data Privacy Law Series
- TransUnion LLC v. Ramirez and the Impact on Class Action Litigation
- 2023: The Year of the CPRA and CDPA - Virginia Joins California in Passing Comprehensive Privacy Legislation
- Cybersecurity Remains a Top Concern