Deborah Renner ()
Data breach cases are often brought as class actions because large numbers of people can potentially be affected. But the potential for injury is not enough to create constitutional standing. Before a putative data breach class action can make it to the class certification stage, the named plaintiffs must show that they have standing to pursue the case for themselves, which boils down to a showing that they were injured as a result of the breach.
While the question of standing remains hotly debated in the data breach context, the defense bar has been winning many recent cases, most recently in In re: Science Applications International Corp. (SAIC) Backup Tape Data Theft Litigation, slip op., Misc. Action No. 12-347 (JEB) MDL 2360 (U.S. D.C. May 9, 2014), in which the U.S. District Court for the District of Columbia held that the “mere loss of data” in a data breach case does not constitute an injury sufficient to confer standing.
The ruling follows on the heels of two other district court rulings holding that standing was not satisfied in the data breach context, Polanco v. Omnicell, 2013 WL 6823265 (D.N.J. 2013), and Barnes & Noble Pin Pad Litigation, 2013 WL 4759588 (N.D. Ill. 2013).
SAIC is an information technology company that was handling data for Tricare, a government agency that provides insurance coverage and health care to active-duty service members and their families.
Plaintiffs alleged that tapes containing personal and medical information for 4.7 million members of the U.S. military and their families were stolen from the parked car of an SAIC employee. The breach victims sued Tricare and SAIC, among others, asserting numerous causes of action (some of which were creative), including increased risk of identity theft, costs related to mitigating future harm, the loss of privacy, failure to adequately protect data and a violation of the right to truthful personal information.
The court granted the defendants’ motions to dismiss all the claims of the plaintiffs who lacked an actual injury traceable to the data breach on the ground that they lacked standing. Only two plaintiffs pleaded sufficient injury to confer standing.
The court held that plaintiffs lacked standing because the “degree by with the risk of harm has increased is irrelevant—instead, the question is whether the harm is certainly impending.” The court found that costs incurred to prevent future injury did not create standing. The court also rejected the invasion-of-privacy claims of most plaintiffs because they did not allege that their personal information had been viewed or exposed in a way that would facilitate access to the data.
The plaintiffs’ claims that were based on alleged legal violations were also found to be deficient. “Standing … does not merely require a showing that the law has been violated, or that a statute will reward litigants in general upon a showing of a violation,” the court ruled. “Rather, standing demands some form of injury—some showing that the legal violation harmed you in particular, and that you are therefore an appropriate advocate in the federal courts.”
The court also dismissed the plaintiffs’ claim based on deprivation of their “right to truthful information about the security of their PII/PHI,” holding that no independent harm has flowed from that alleged deprivation.
Significantly, as the courts did in Omnicell and Barnes & Noble, the SAIC court relied in large part on the U.S. Supreme Court’s decision in Clapper v. Amnesty International, 133 S. Ct. 1138 (2013), a case outside of the data breach context that was decided under the Foreign Intelligence Surveillance Act. In Clapper, the court relied on well-settled precedent to hold that “allegations of possible future injury are not sufficient” to confer constitutional standing.
For the class action defense bar, Clapper and its progeny in the data breach context are good news. That said, where there is actual injury, the standing issue may limit the size of the class, but the class certification battle may still have to be fought vis-a-vis the smaller class. There, too, however, defendant companies have good arguments that the individualized nature of any injuries among class members would defeat class certification.
Deborah Renner and Judy Selby are partners at Baker & Hostetler in New York.