Standing to sue for risk of identity theft based on the compromise of personal identifying information
December 2014 | EXPERT BRIEFING | DATA PRIVACY
Courts in the United States are increasingly grappling with a fundamental legal question: does an individual whose personal identifying information (PII) has been compromised have standing to sue the company that allegedly allowed the compromise of the PII, if the individual’s only injury is an increased risk of identity theft? A recent opinion from the United States Supreme Court has influenced recent decisions from lower courts on this critical legal issue.
The standing challenge
In the past decade, courts in the United States have experienced an explosion of lawsuits, mostly class actions, arising from the compromise of PII maintained by financial institutions, retailers, employers and other companies. Most cases in the ‘compromise of PII’ context, however, have failed based on the most fundamental legal infirmity – lack of standing. The problem in most of the cases is that the plaintiffs have been unable to allege a concrete ‘injury in fact’ sufficient to establish standing. In most of the cases, plaintiffs have asserted a ‘fear’ or ‘increased risk’ of identity theft when they learn that their PII has been compromised. Most courts have held, however, that the fear or increased risk of identity theft – as opposed to a more ‘concrete’ injury such as an attempted identity theft or other wrongful use of the individual’s PII – does not supply standing sufficient to maintain a lawsuit. In other words, the data breach itself is not necessarily a wrongful act, and, absent some actual and identifiable damage flowing from the breach, plaintiffs cannot maintain their lawsuit.
While many of the early district court opinions addressing standing in data breach litigation (in other words, those in the mid-2000s) consistently dismissed complaints on the basis that the plaintiffs in those cases had failed to allege a concrete injury in fact sufficient to confer standing, the federal courts of appeals were less predictable. Both the Seventh and Ninth Circuit Courts of Appeals upheld standing to sue based on the mere threat of future harm flowing from a loss of PII. See Pisciotta v. Old National Bancorp., 499 F.3d 629 (7th Cir. 2007); Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010). Conversely, in later opinions, the First and Third Circuit Courts of Appeals refused to find standing based on the threat, without more, of ‘future harm’ caused by the compromise of PII. See Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011); Katz v. Pershing, LLC, 672 F.3d 64 (1st Cir. 2012).
The Clapper opinion
A 2013 United States Supreme Court decision has impacted recent ‘PII compromise’ decisions on the issue of standing. In Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013), human rights groups and others challenged the Foreign Intelligence Surveillance Act of 1978 (as amended in 2008, 50 U.S.C. § 1881a) on the basis that the National Security Agency’s warrantless wiretapping program violated their First and Fourth Amendment rights. The FISA, 50 U.S.C. § 1801(i), allows the Attorney General and the Director of National Intelligence, upon gaining approval from the Foreign Intelligence Surveillance Court, to acquire foreign intelligence information by jointly authorising the surveillance of individuals who are not ‘United States persons’ and are reasonably believed to be located outside the United States. The plaintiffs in Clapper were ‘United States persons’ whose work required them to engage in sensitive international communications with individuals whom they believed were likely targets of surveillance under § 1881a.
The Supreme Court held that the plaintiffs lacked standing to sue, rejecting their two primary arguments. First, the plaintiffs asserted that they “can establish injury in fact because there is an objectively reasonable likelihood that their communications will be acquired under § 1881a at some point in the future”. 133 S. Ct. at 1143. Rejecting that argument, the Court held that the “theory of future injury is too speculative to satisfy the well-established requirement that threatened injury must be ‘certainly impending’”. Id. (emphasis original) (quoting Whitmore v. Arkansas, 495 U.S. 149, 158 (1990)). The plaintiffs’ “speculative chain of possibilities” failed to establish “that injury based on potential future surveillances is certainly impending or is fairly traceable to § 1881a”. Id. at 1150.
Second, the plaintiffs alternatively alleged that “they are suffering present injury because the risk of § 1881a-authorized surveillance already has forced them to protect the confidentiality of their international communications”. Id. at 1143 (emphasis original). The Supreme Court rejected that argument as well, holding that the plaintiffs “cannot manufacture standing by choosing to make expenditures based on hypothetical future harm that is not certainly impending”. Id. The Court concluded that the Clapper plaintiffs lacked standing to sue “because they cannot demonstrate that the future injury they purportedly fear is certainly impending and because they cannot manufacture standing by incurring costs in anticipation of non-imminent harm”. Id. at 1155.
The post-Clapper landscape
While the Clapper case did not arise from a ‘PII compromise’ scenario, courts have cited, and often relied upon, Clapper in the past 20 months to dismiss PII-based claims based on the threat of ‘future harm’ that was not ‘certainly impending’. See Remijas v. Neiman Marcus Group, LLC, 2014 WL 4627893 (N.D. Ill. Sept. 16, 2014); U.S. Hotel and Resort Mgmt., Inc. v. Onity, Inc., 2014 WL 3748639 (D. Minn. July 30, 2014); In re Science Applications Int’l Corp. (SAIC) Backup Tape Data Theft Lit., __ F. Supp. 2d __, 2014 WL 1858458 (D.D.C. May 9, 2014); Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646 (S.D. Ohio 2014); Strautins v. Trustwave Holdings, Inc., __ F. Supp. 2d __, 2014 WL 960816 (N.D. Ill. Mar. 12, 2014); Planco v. Omnicell, Inc., 988 F. Supp. 2d 451 (D.N.J. 2013); In re Barnes & Noble PIN Pad Lit., 2013 WL 4759588 (N.D. Ill. Sept. 3, 2013); Yunker v. Pandora Media, Inc., 2013 WL 1282980 (N.D. Cal. Mar. 26, 2013). The reasoning of these courts is best expressed by the SAIC court, which held: “since Clapper was handed down last year, courts have been even more emphatic in rejecting ‘increased risk’ as a theory of standing in data breach cases. … After all, an increased risk or credible threat of impending harm is plainly different from certainly impending harm, and certainly impending harm is what the Constitution and Clapper require”. 2014 WL 1858458, *8 (emphasis original).
In contrast, two reported cases – both out of federal courts in California – have found standing in PII/data breach cases notwithstanding Clapper. See In re Sony Gaming Networks Customer Data Sec. Breach Lit., 996 F. Supp. 2d 942 (S.D. Cal. 2014); In re Adobe Systems, Inc. Privacy Lit., __ F. Supp. 2d __, 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014). To some extent, both the Sony and Adobe courts were bound by the Ninth Circuit’s 2010 Krottner opinion, which is binding precedent for federal courts in California. Nevertheless, those courts also opined that Clapper did not effect a fundamental change in the analysis required to assess standing, as Sony held: “Plaintiffs have plausibly alleged a ‘credible threat’ of impending harm based on the disclosure of their Personal Information following the intrusion”. 996 F. Supp. 2d at 962.
Importantly, in the 20 months since the Clapper decision, no federal court of appeals has had the opportunity to apply (or refuse to apply) that opinion in the context of a PII compromise case. Until that occurs, district courts will remain the primary interpreters of the impact of Clapper on the issue of standing in such cases, and Clapper has proven quite persuasive to date in federal district courts outside California.
Barry Goheen is a partner at King & Spalding. He can be contacted on +1 (404) 572 4618 or by email: firstname.lastname@example.org.
Mr Goheen is a partner in King & Spalding’s Business Litigation Practice Group. His practice focuses on privacy-based litigation, including class actions and other multi-party litigation. Mr Goheen has served as lead or co-counsel in data breach and other privacy-related matters for such clients as Capital One, Equifax, Shell, Wackenhut, Aaron’s, SunTrust, MedQuest, and Midland Funding. He speaks and writes frequently on the subjects of privacy litigation and class actions.
© Financier Worldwide