Joseph M. McLaughlin and Yafit Cohn ()
Corporate data breaches continue to proliferate and typically trigger consumer class action lawsuits alleging that the breach compromised the plaintiffs’ personal and/or financial information. The threshold question in many of these consumer data breach actions is whether the consumer plaintiffs have plausibly alleged an actual harm sufficient to establish standing to sue in federal court under Article III of the Constitution.
Courts have recently reached different conclusions on this question, often relying on one or both of the U.S. Supreme Court’s recent decisions on Article III standing, neither of which concerned data breach claims: Clapper v. Amnesty International USA,133 S. Ct. 1138 (2013) and Spokeo v. Robins. Spokeo, 136 S. Ct. 1540 (2016). Divergent holdings on standing in the data breach context sometimes reflect materially different facts, though they sometimes reflect varying applications of Supreme Court precedent to data breach cases—i.e., opposing views of the standard for actual injury or a reasonable risk of future harm sufficient to create standing to bring a data breach claim. Recently, the U.S. Court of Appeals for the Second Circuit weighed in on the standing question, holding in Whalen v. Michaels Stores that the plaintiff in that consumer data breach action did not allege injury sufficient to satisfy the constitutional standing requirement. 2017 WL 1556116 (2d Cir. May 2, 2017).
Supreme Court Standards
In the 2013 Clapper decision, the Supreme Court reiterated that under Article III, plaintiffs must establish standing to sue by demonstrating an injury that is “concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.” Equally importantly, the opinion clarified that “‘threatened injury must be certainly impending to constitute injury in fact,’ and that ‘[a]llegations of possible future injury’ are not sufficient.”
Clapper addressed whether the respondents had standing to assert a constitutional challenge to §702 of the Foreign Intelligence Surveillance Act, which authorizes the Attorney General and the Director of National Intelligence, after obtaining the approval of the Foreign Intelligence Surveillance Court, “to acquire foreign intelligence information by jointly authorizing the surveillance of individuals who are not ‘United States persons’ and are reasonably believed to be located outside the United States.” The respondents were “attorneys and human rights, labor, legal, and media organizations whose work allegedly requires them to engage in sensitive and sometimes privileged telephone and email communications with colleagues, clients, sources, and other individuals located abroad” whom respondents believed to be likely targets of surveillance. Seeking a declaration that §702 is unconstitutional and a permanent injunction against authorized surveillance under the provision, the respondents advanced two theories of standing. First, the respondents claimed that “they can establish injury in fact because there is an objectively reasonable likelihood that their communications will be acquired under [§702] at some point in the future.” Second, the respondents asserted that they were suffering present injury, because the substantial risk of surveillance under §702 has already impelled them “to take costly and burdensome measures to protect the confidentiality of their international communications.”
The Supreme Court held that an assertion that there is “an objectively reasonable likelihood that their communications with their foreign contacts will be intercepted” pursuant to §702 at some future time “relies on a highly attenuated chain of possibilities” and thus “does not satisfy the requirement that threatened injury must be certainly impending.” The court similarly rejected the respondents’ argument that they have standing by virtue of the various “costly and burdensome measures” they have allegedly taken to protect the confidentiality of their communications with their foreign contacts. The court stated that because the harm respondents sought to avoid was “not certainly impending,” a theory of standing based on a reaction to the risk of such harm is “unavailing.”
Last year, the Supreme Court provided further clarity on Article III standing in Spokeo, a putative class action lawsuit against Spokeo, a search engine company, alleging that the company violated the Fair Credit Reporting Act of 1970. Plaintiff Thomas Robins alleged that a search request on Spokeo for information about him indicated that Robins “is married, has children, is in his 50′s, has a job, is relatively affluent, and holds a graduate degree,” all of which were incorrect. The district court dismissed the complaint, holding that Robins had not properly pleaded injury in fact. The Ninth Circuit reversed, reasoning that Robins had adequately alleged injury in fact because he had alleged that “Spokeo violated his statutory rights, not just the statutory rights of other people,” and because “Robins’ personal interests in the handling of his credit information are individualized rather than collective.” Spokeo, 136 S. Ct. at 1548 (emphasis in original).
The Supreme Court ruled that the Ninth Circuit’s standing analysis was incomplete, because a plaintiff must allege injury that is both “concrete and particularized” in order to establish injury in fact. According to the court, both of the Ninth Circuit’s observations regarding Robins’ claim “concern particularization, not concreteness.” Seeking to clarify the concept of concreteness, the court explained that “concrete” is not necessarily synonymous with “tangible” and that intangible injuries can, in some instances, be concrete. The court cautioned, however, that this “does not mean that a plaintiff automatically satisfies the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right.” In other words, “Article III standing requires a concrete injury even in the context of a statutory violation.” Because, according to the court, the Ninth Circuit “failed to fully appreciate the distinction between concreteness and particularization” and did not address whether the procedural violations alleged by Robins entailed “a degree of risk sufficient to meet the concreteness requirement,” the court vacated the Ninth Circuit’s decision and remanded the case for further proceedings.
The Second Circuit in Whalen was the latest federal circuit court to apply Article III standing jurisprudence to a consumer data breach action. The plaintiff in the action, Mary Jane Whalen, alleged that she had used her credit card to shop at a Michaels store in December 2013, and two weeks later, her credit card was presented for payment twice in Ecuador. Immediately thereafter, Whalen cancelled her credit card. Whalen did “not allege that any fraudulent charges were actually incurred on the card, or that, before the cancellation, she was in any way liable on account of” the fraudulent presentations of her card. In late January 2014, Michaels announced a potential data breach of its system, seemingly involving the theft of customers’ credit and debit card information. Three months later, Michaels issued another press release, confirming the existence and scope of the data breach and offering customers 12 months of identity protection and credit monitoring services.
Whalen subsequently sued Michaels in the Eastern District of New York, alleging that she “has suffered actual damages and faces an increased risk of future harm.” Whalen v. Michaels Stores, Inc., 153 F. Supp. 3d 577, 578-79 (E.D.N.Y. 2015). With regard to actual damages, Whalen claimed the following injuries: (1) monetary losses from fraudulent card payments; (2) loss of time and money for credit monitoring/replacement cards; (3) overpayment for Michaels’ services, as Whalen claimed she would not have shopped at Michaels had she known of the data breach risks; (iv) lost value of her credit card information; and (v) a statutory violation of NY General Business Law §349, which bars deceptive business practices.
The district court held that Whalen did not have Article III standing to sue Michaels, since she did not suffer actual injury. The court reasoned that: (1) Whalen did not suffer any unreimbursed charges; (2) a plaintiff cannot use his or her own spending on credit monitoring to “manufacture standing,” particularly if the compromised card is cancelled; (3) Whalen did not allege that Michaels charged a premium on its goods for those paying by credit card due to its data security or that Michaels used any customer payments for its security services; (4) Whalen did not explain how her cancelled credit card information lost value after the data breach; and (5) the assertion of a statutory violation in itself does not create standing, since standing is dependent on whether the plaintiff suffered actual injury—not on whether a statute was violated.
Whalen further argued that “she has presented a threat of ‘certainly impending’ injury because she faces threats of identity theft and fraudulent charges.” The court disagreed, however, holding that “Whalen has failed to allege an injury that is ‘certainly impending’ or based on a ‘substantial risk that the harm will occur,’” because she promptly cancelled the compromised credit card and did not experience any fraudulent charges in the two years that passed since the breach.
The Second Circuit affirmed the dismissal for lack of standing, because the plaintiff “neither alleged that she incurred any actual charges on her credit card, nor, with any specificity, that she had spent time or money monitoring her credit.” The court distinguished its ruling from those in the Sixth and Seventh Circuits that upheld standing, where (1) more extensive personal information was stolen or (2) customers had actually incurred fraudulent charges and/or reasonably spent money on credit monitoring. Additionally, the court explained, Whalen did not allege “how she can plausibly face a threat of future fraud, because her stolen credit card was promptly canceled after the breach and no other personally identifying information—such as her birth date or Social Security number—is alleged to have been stolen.”
Significance of ‘Whalen’
Whalen is a welcome development for companies that experience data breaches. It demonstrates that, at least in the Second Circuit, plaintiffs lack standing to bring claims arising from a data breach if they do not incur fraudulent charges, reasonably expend resources to prevent fraudulent charges, or suffer some other actual injury or plausible risk of a future one. Whalen thus underscores the value of companies taking prompt remedial action after any data breach to protect customers from identity theft and avoid having customers engage in self-help, such as by using their own funds to pay for credit monitoring services.
It bears emphasis that the Second Circuit in Whalen distinguished its ruling from certain decisions in other circuits that upheld a plaintiff’s standing to bring a data breach action where more extensive personal information was stolen (such that there was an increased risk of identity theft) or where customers had actually incurred fraudulent charges and/or reasonably spent money on credit monitoring. The Seventh Circuit in Remijas v. Neiman Marcus Group, for example, “found injuries sufficient for standing in the time and money the class members predictably spent resolving fraudulent charges (even if the bank ultimately repaid those charges), as well as in the identity theft that had already occurred and in the time and money customers spent protecting against future identity theft or fraudulent charges.” Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963, 966-67 (7th Cir. 2016) (discussing Remijas v. Neiman Marcus Grp., 794 F.3d 688 (7th Cir. 2015). In Lewert v. P.F. Chang’s China Bistro, the Seventh Circuit held that the plaintiffs’ alleged injuries similarly fit within those categories. Lewert explained that one of the plaintiffs had experienced fraudulent charges, and “[e]ven if those fraudulent charges did not result in injury to his wallet (he stated that his bank stopped the charges before they went through), he has spent time and effort resolving them. He also took measures to mitigate his risk by purchasing credit monitoring.” The other plaintiff, explained the court, had also allegedly “spent time and effort monitoring both his card statements and his other financial information as a guard against fraudulent charges and identity theft.” Additionally, the court found that the plaintiffs’ increased risk of fraudulent charges and identity theft are injuries concrete enough to create standing; though one of the plaintiffs had already cancelled his debit card, the court noted that he was still at risk of identity theft.
Similarly, the Sixth Circuit in Galaria v. Nationwide Mutual Ins. ruled that plaintiffs whose personal information was stolen had established standing to bring the action, reasoning that the theft of personal data placed them “at a continuing, increased risk of fraud and identity theft beyond the speculative allegations of ‘possible future injury’” which Clapper found to be insufficient. Galaria v. Nationwide Mut. Ins. Co., 663 Fed. Appx. 384, 388 (6th Cir. 2016). Moreover, Galaria held that, in the case before it, there was a sufficiently substantial risk of harm that it was reasonable for the plaintiffs to incur the mitigation costs that they did.
The material differences in the injuries alleged in Remijas, Lewert and Galaria, on the one hand, and Whalen, on the other, suggests that, even in the Second Circuit, a consumer action arising from a data breach conceivably may survive a motion to dismiss if the plaintiff alleges injuries that the Sixth and Seventh Circuits have found to be sufficient to create standing. Last week, the Second Circuit emphasized that at the pleadings stage, a court evaluating allegations of injury-in-fact must accept the allegations of the complaint as true and draw reasonable inferences in plaintiff’s favor. John v. Whole Foods Mkt. Grp., 2017 WL 2381191, at *4 (2d Cir. June 2, 2017). This pleading standard is not onerous, but does require factual allegations of injury resulting from the defendant’s conduct.