Guest Commentary

by Jennifer Wissinger, a 2014 Judge K.K. Legett Fellow at the Washington Legal Foundation and a student at Texas Tech School of Law.

Data-breach cases were supposed to be a new, lucrative litigation frontier for plaintiffs’ attorneys. Some experts speculated a wave of class-action suits would emerge against companies victimized by unauthorized access of customer data. Media reports of lawsuits filed in the immediate aftermath of high-profile data breaches, like the one that befell Target last December, have created the impression that these cases are proliferating rapidly. Reality belies such perceptions of success, however. Trial courts in fact have routinely dismissed data-breach lawsuits because plaintiffs cannot answer the American legal system’s most fundamental threshold question: have you actually been harmed? As a series of U.S. Supreme Court cases construing the constitutional standing-to-sue requirement dictates, mere fear of possible future harm does not suffice. In many data-breach cases, fear of future harm is the most plaintiffs can prove.

As The Legal Pulse has discussed, the Supreme Court most recently addressed standing two years ago in Clapper v. Amnesty International. Since 2012, federal and state trial courts have consistently applied Clapper’s reasoning to dismiss data-breach cases for lack of standing. In the last two months, three more courts have thrown out data-breach cases because the plaintiffs failed to show that the expected injury was at least “certainly impending.”

Galaria v. Nationwide Mutual Insurance Co. After Nationwide’s computer systems were hacked, the company notified its customers and advised them to safeguard their personally identifiable information (PII). Even though Nationwide offered its customers free credit monitoring for a year, the plaintiff in Galaria sued alleging violations of the federal Fair Credit Reporting Act (FCRA) and unlawful invasion of privacy under Ohio common law.

The U.S. District Court for the Southern District of Ohio dismissed both claims. On the FCRA claim, the court found that the plaintiff could allege no more than the fear of future injury, which was contingent on the actions of a third party—the data thief. It explained, “[T]he Supreme Court is reluctant to find standing where the injury-in-fact depends on the actions of independent decisionmakers as the injury in those circumstances is speculative.” The court also held that because the plaintiff’s PII had no inherent monetary value, Galaria could not establish standing by arguing that his PII had diminished in value. Finally, although the court did find Galaria had standing to sue for breach of privacy, he could not prove Nationwide had publicized his PII, and thus he was unable to state a claim under Ohio law.

In Re: SAIC Backup Tape Data Theft Litigation. In the second case, a simple smash-and-grab theft from a car turned into a multi-district consolidated suit against Science Applications International Corporation (SAIC). The plaintiffs alleged numerous tort claims and invasion of privacy over stolen data tapes that contained SAIC employees’ personal and medical information.

The U.S. District Court for the District of Columbia agreed with SAIC’s argument that the alleged injury of identity theft was speculative, and thus the plaintiff lacked standing to sue. Judge Boasberg explained the chain of events that the plaintiff would need to establish in order to prove standing. The thief would not only need to know what the tapes were and how to access the information—which the court deemed to be beyond the average person’s computer knowledge—but also would need to actually use the information to commit identity theft. As the court stated, “[G]iven that thirty-four months have elapsed [since the data breach], either the malefactors are extraordinarily patient or no mining of the tapes has occurred.” Two plaintiffs out of the 4.7 million putative class members were able to establish a link between the stolen tape and theft of their identity. The court, however, refused to impute those plaintiffs’ ability to establish standing to the entire class, an encouraging outcome for data-breach suit defendants.

Vides, et al. v. Advocate Health and Hospital Corp. Data-breach cases don’t appear to be overcoming the standing hurdle any better in state courts. In Vides, the plaintiffs alleged six state common-law and statutory causes of action for harm allegedly suffered from the theft of Advocate Health laptops containing unencrypted patient information. The 19th Judicial Circuit of Lake County, Illinois cited Clapper, as well as numerous federal and state court decisions, in concluding that absent “certainly impending” or actual instances of identity theft arising from the data breach, the plaintiffs lacked standing to sue on the common-law claims. The plaintiffs fared no better with their statutory claims, as the court held that they must establish constitutional standing even though state law provides a cause of action for their alleged injuries.

Justice Alito wrote in Clapper that “[n]o principle is more fundamental to the judiciary’s proper role in our system of government than the constitutional limitation of federal-court jurisdiction to actual cases or controversies.” The U.S. Supreme Court has accordingly set demanding standards for those who want to bring their grievances to a courtroom. While we do not minimize the personal concerns that arise when one’s data is illegally accessed or stolen, only those victims who can prove they have suffered actual harm as a result, or that their harm is “certainly impending,” should be able to litigate their claims.