Cross-posted at WLF’s contributor page

Several years ago, class action lawsuits over the failure of businesses to secure consumers’ personal data looked like the plaintiffs’ bar’s next big thing. In a January 2009 WLF Legal Opinion Letter, former University of Houston Law Center Dean Raymond Nimmer acknowledged that a wave of such “data breach” suits was likely, but he questioned whether plaintiffs could establish actual harm in such cases. As we’ve written here at The Legal Pulse previously, Professor Nimmer’s academic doubts have been borne out in reality, as data breach class actions have mostly failed for lack of standing.

But when things are looking down, the trial bar can normally count on California.

Governor Jerry Brown signed amendments to California’s Security Breach Notification Act on September 27. The amendments require consumer notification if “a user name or email address, in combination with a password or security question and answer that would permit access to an online account” was compromised. The law applies even if that information is not combined with a name, and applies to all types of online accounts (i.e., log-in information for a bank and for a social media platform is treated equally). Sounds like fresh class action lawsuit claims, right?

Plaintiffs’ lawyers should not get their hopes up, however, as the amendments do not obviate their need to prove injury in data breach suits. A September 3 decision from the Northern District of Illinois, In re Barnes & Noble Pin Pad Litigation, is instructive on this point. Barnes & Noble was the victim of a theft of credit and debit card data from store PIN pad terminals. The company publicly announced the theft six weeks after discovering it, and did not inform customers personally. Customers initiated a class action lawsuit under Illinois and California laws, including California’s breach act.

Barnes & Noble moved to dismiss the claim under Federal Rule 12(b)(1) for lack of standing. Judge Darrah found that the plaintiffs’ mere allegation of an increased risk of identity theft or fraud “is insufficient to establish standing.” He cited to a 2012 U.S. Supreme Court opinion, Clapper v. Amnesty Int’l, for the proposition that the alleged injury must be “certainly impending,” and that “allegations of possible future injury are not sufficient.”

Clapper’s impact on civil litigation is analogous to the Supreme Court’s 2009 Ashcroft v. Iqbal ruling, which has substantially influenced how judges assess the sufficiency of lawsuit complaints. And just like Iqbal, Clapper arose in the context of America’s fight against international terrorism. The federal government (with the support of WLF’s amicus brief filed on behalf of six former Attorneys-General) successfully argued that Amnesty International lacked standing to challenge the constitutionality of an electronic surveillance law.

In the Barnes & Noble ruling, Judge Darrah also held:

Even assuming the statutes have been violated by the delay or inadequacy of Barnes & Noble’s notification, breach of these statutes is insufficient to establish standing without any actual damages due to the breach. Plaintiffs must plead an injury beyond a statutory violation to meet the standing requirement of Article III.

That reasoning certainly would apply to any suits alleging violations of the California breach act’s new amendments on user names and passwords. Unless plaintiffs’ lawyers can establish actual identity theft or provide concrete facts tying defendants’ acts to a “substantial risk” of harm, they will likely meet the same fate as their brethren in Barnes & Noble.