Judge Finds Injury-in-Fact Adequately Alleged in RockYou Data Breach Action

Posted on April 28, 2011 by Scott J. Carpenter

Where others have failed, Alan Claridge did not. Recently, a Federal judge in the Northern District of California declined to dismiss Plaintiff Claridge’s claims arising from a data breach involving the social entertainment site RockYou. Arguing that the data breach harmed the value of his personal information, Plaintiff convinced the court not to dismiss his action for lack of standing.

In December 2009, hackers accessed a RockYou database containing customers’ personally identifiable information (“PII”), including Alan Claridge’s. Claridge’s sued RockYou for claims such as negligence, breach of contract and violation of various federal and California state laws.

While many plaintiffs in data breach cases (unsuccessfully) allege harm suffered based on an increased risk of identity theft as well as inconvenience and out-of-pocket expenses associated with credit monitoring, Plaintiff employed a unique argument. As the court described, “Plaintiff generally alleges that defendant’s customers, including plaintiff, ‘pay’ for the products and services they ‘buy’ from defendant by providing their PII, and that the PII constitutes valuable property that is exchanged not only for defendant’s products and services, but also in exchange for defendant’s promise to employ commercially reasonable methods to safeguard the PII that is exchanged. As a result, defendant’s role in allegedly contributing to the breach of plaintiff’s PII caused plaintiff to lose the ‘value’ of their PII, in the form of their breached personal data.”

 

According to the court, the alleged was enough for purposes of standing. “On balance, the court declines to hold at this juncture that, as a matter of law, plaintiff has failed to allege an injury in fact sufficient to support Article III standing . . . [T]he court finds plaintiff’s allegations of harm sufficient at this stage to allege a generalized injury in fact.” 

 

The court, however, did note that it “has doubts about plaintiff’s ultimate ability to prove his damages theory in this case,” and that “[i]f it becomes apparent, through discovery, that no basis exists upon which plaintiff could legally demonstrate tangible harm via the unauthorized disclosure of personal information, the court will dismiss plaintiff’s claims for lack of standing at the dispositive motion stage.”  So, while this may have been a small victory for data breach plaintiffs, the viability of the argument that PII has value and that data breaches may cause harm to that value remains uncertain.
Tags: , , , , ,

Recent Death of Data Breach Class Action Resuscitates Lack of Standing Arguments in Identity Exposure Cases

Posted on December 1, 2009 by Brendon Tavelli

On November 23, 2009, a federal court in Missouri bucked the recent trend in identity exposure lawsuits and refused to recognize Article III standing in a class action lawsuit that alleged simply an increased risk of identity theft resulting from a data breach. In Amburgy v. Express Scripts, Inc., Magistrate Judge Frederick R. Buckles of the U.S. District Court for the Eastern District of Missouri held that “plaintiff’s asserted claim of ‘increased-risk-of-harm’ fails to meet the constitutional requirement that a plaintiff demonstrate harm that is ‘actual or imminent, not conjectural or hypothetical.’ Plaintiff has therefore failed to carry his burden of demonstrating that he has standing to bring this suit.” Consequently, the Court dismissed the plaintiff’s action – which included claims for negligence, breach of contract, violations of state data breach notification laws and violations of Missouri’s Merchandising Practices Act ("MPA”) – in its entirety for lack of subject matter jurisdiction pursuant to Rule 12(b)(1) of the Federal Rules of Civil Procedure. In doing so, the court breathed new life into the lack of standing argument that had begun to fall out of favor in identity exposure cases.

Prior to the Court’s decision in Amburgy, the trend in lost data cases had been in favor of finding subject matter jurisdiction, even where the plaintiff's allegations failed to state a valid cause of action. (See our post regarding McLoughlin v. People’s United Bank, Inc. here.) Indeed, as Judge Buckles observed in his opinion, subsequent to the Seventh Circuit’s decision in Pisciotta v. Old Nat’l Bancorp, “district courts have consistently determined that claims of increased risk of identity theft resulting from security breaches sufficiently allege an injury-in-fact to confer Article III standing.” After noting the Seventh Circuit’s lack of discussion in Pisciotta about applying the U.S. Supreme Court’s recognized standards for determining standing under Article III, Judge Buckles engaged in a thorough analysis of the plaintiff’s standing to sue. Relying principally on the Supreme Court’s opinion in Whitmore v. Arkansas, the Court concluded that the plaintiff lacked standing because he “cannot show that he has suffered or will immediately suffer a concrete injury-in-fact.”

In addition to dismissing all of plaintiff’s claims for lack of subject matter jurisdiction, the Court explained that the claims for negligence, violations of state data breach notification laws and violations of Missouri’s MPA also should be dismissed under Rule 12(b)(6) of the Federal Rules of Civil Procedure for failing to state a viable cause of action. The Court pointed out that Plaintiff’s breach of contract allegations stated a claim for at least nominal damages under Missouri law, but the Court lacked subject matter jurisdiction to entertain the matter.
Tags: , , , , , , , , , ,