Guest Commentary

by Spencer Salmon, a 2015 Judge K.K. Legett Fellow at the Washington Legal Foundation and a student at Texas Tech School of Law.

Some years ago, when data breaches first became a problem for the business community, plaintiffs’ lawyers thought class actions on behalf of consumers whose information had been stolen would be the next big moneymaker. To their disappointment, a majority of federal courts across the United States has ruled in favor of data breaches’ most direct and obvious victim—hacked businesses—because plaintiffs have failed to establish standing to sue. In order to establish constitutional standing, plaintiffs must show that the alleged injury is concrete, particularized, actual or imminent, fairly traceable to the action challenged, and redressable. Absent standing, courts lack subject matter jurisdiction over the suit under Federal Rule of Civil Procedure 12(b)(1).

Recently, federal district courts from Nevada (In re Zappos.com, Inc., Customer Data Security Breach Litigation) and Minnesota (Carlsen v. Gamestop, Inc.) joined most federal courts in dismissing data-breach class-action lawsuits for lack of standing.

In re Zappos.com, Inc., Customer Data Security Breach Litigation. In 2012, hackers targeted Zappos servers located in Kentucky and Nevada and stole the personal information of 24 million customers. Upon learning of the breach, some Zappos customers purchased credit monitoring services. Others sued. A Nevada federal court combined two separate class actions into one.

The plaintiffs argued two theories of injury: (1) their personal information decreased in value and (2) they suffered an increased threat of future harm. Zappos moved to dismiss for lack of standing. Judge Robert Jones rejected both theories of harm and dismissed the suits. He explained that the plaintiffs failed to allege facts demonstrating that their personal information had become less valuable. He also held that the plaintiffs’ second theory advanced an injury that was inherently speculative, and thus insufficiently concrete under federal standing jurisprudence.

Carlsen v. Gamestop, Inc. Carlsen sued Gamestop under Minnesota’s Prevention of Consumer Fraud Act. He alleged that Gamestop shared his personal information with Facebook after Carlsen purchased an online copy of a video game magazine published by Gamestop. Gamestop’s privacy policy states, “[Gamestop] does not share personal information with anyone.” Gamestop moved to dismiss the complaint for lack of standing.

Carlsen advanced two theories of injury: (1) he paid more for the online material than he otherwise would have paid had he known Gamestop would share his personal information; and (2) he would not have purchased the online material had he known Gamestop would share his information. Judge Donovan Frank rejected both of these theories because (1) Carlsen was unable to show any tangible injury stemming from the information disclosure; (2) Carlsen did not bargain for data privacy so he lost no benefit of the bargain; and (3) Carlsen received full value for his purchase.

Standing to sue is a constitutionally based doctrine that limits the role of the judicial branch. Without a robust standing requirement, courts would be asked to resolve any and all disputes, no matter how speculative or trivial. The flood of litigation would paralyze the judiciary and render it incapable of fulfilling its role as a neutral arbiter of the law in our democratic society. The need for such limits is quite apparent in the context of a societal concern like data breaches. The question is no longer, “Will a business that holds my data suffer a breach?” Rather, it is, “When will that business suffer a breach?” A judiciary whose role is meant to be limited cannot entertain the complaints of every consumer who felt “wronged” in some emotional or other indefinite manner by a breach. Thankfully, most federal judges have respected their limited role, and demanded proof of concrete, particularized harms in cases like In re Zappos and Carlsen.