Where others have failed, Alan Claridge did not. Recently, a Federal judge in the Northern District of California declined to dismiss Plaintiff Claridge’s claims arising from a data breach involving the social entertainment site RockYou. Arguing that the data breach harmed the value of his personal information, Plaintiff convinced the court not to dismiss his action for lack of standing.
In December 2009, hackers accessed a RockYou database containing customers’ personally identifiable information (“PII”), including Alan Claridge’s. Claridge’s sued RockYou for claims such as negligence, breach of contract and violation of various federal and California state laws.
While many plaintiffs in data breach cases (unsuccessfully) allege harm suffered based on an increased risk of identity theft as well as inconvenience and out-of-pocket expenses associated with credit monitoring, Plaintiff employed a unique argument. As the court described, “Plaintiff generally alleges that defendant’s customers, including plaintiff, ‘pay’ for the products and services they ‘buy’ from defendant by providing their PII, and that the PII constitutes valuable property that is exchanged not only for defendant’s products and services, but also in exchange for defendant’s promise to employ commercially reasonable methods to safeguard the PII that is exchanged. As a result, defendant’s role in allegedly contributing to the breach of plaintiff’s PII caused plaintiff to lose the ‘value’ of their PII, in the form of their breached personal data.”
According to the court, the alleged was enough for purposes of standing. “On balance, the court declines to hold at this juncture that, as a matter of law, plaintiff has failed to allege an injury in fact sufficient to support Article III standing . . . [T]he court finds plaintiff’s allegations of harm sufficient at this stage to allege a generalized injury in fact.”
The court, however, did note that it “has doubts about plaintiff’s ultimate ability to prove his damages theory in this case,” and that “[i]f it becomes apparent, through discovery, that no basis exists upon which plaintiff could legally demonstrate tangible harm via the unauthorized disclosure of personal information, the court will dismiss plaintiff’s claims for lack of standing at the dispositive motion stage.” So, while this may have been a small victory for data breach plaintiffs, the viability of the argument that PII has value and that data breaches may cause harm to that value remains uncertain.