Who Can Recover Damages After a Data Breach?
Part 1: Challenges that consumers face when asserting claims following a breach.
Federal court decisions in recent data-breach cases suggest that parties affected by a data breach may find it difficult to recover damages for alleged harm associated with the breach. So that’s the focus of this and next month’s columns: who can recover damages after a data breach? This month, we will focus on some particular challenges that consumers face when asserting claims following a breach. Next month, we will turn our attention to challenges that affected business partners may face when looking to the courts for relief after a breach.
Establishing standing to sue is a significant hurdle for consumers claiming damages due to a breach. In general, to demonstrate standing to sue and avoid dismissal of their claims, plaintiffs must prove (1) an injury in fact, (2) causation, and (3) redressability. Each element presents its own challenges.
Injury in Fact. An injury in fact is an invasion of a legally protected interest that is both concrete and particularized and actual or imminent, not conjectural or hypothetical. In simpler terms, there cannot be too many “ifs” involved for an alleged injury to come to pass.
One federal court’s recent decision in In re: SAIC Backup Tape Data Theft Litigation highlighted standing as a challenge to consumer claims. As background, a thief broke into a car and stole the GPS system, stereo, and several computer backup tapes. The car’s owner was an employee of SAIC, an IT company that handles data for the federal government. The tapes contained personally identifiable information (PII) and medical records regarding 4.7 million U.S. military members and their families. There was no financial data, such as credit card or bank account information, on the tapes.
Nonetheless, several of the individuals sued SAIC and various government defendants. Many alleged injury from an increased risk of identity theft. As support, they argued that data-breach victims are 9.5 times more likely than the average person to experience identity theft, and that 19 percent of victims actually will go on to experience identity theft. Many of the plaintiffs also alleged invasion of privacy based on disclosure of the tapes alone.
Some plaintiffs sought compensation for time or money spent monitoring their credit or bank accounts. A handful alleged that their credit cards or bank accounts actually had been misused post-breach. (Yet no plaintiffs alleged that the tapes actually contained financial information.) One plaintiff alleged that loans had been opened in his name post-breach; another alleged that she began receiving targeted marketing for a certain medical condition only after the breach.
Relying primarily on the recent Supreme Court decision in Clapper v. Amnesty International USA, a case that analyzed standing in another context, as well as on several data-breach cases decided by other courts, the SAIC court held that only the plaintiffs who claimed that their personal information was accessed and misused sufficiently pled an injury in fact. The claims premised on mere disclosure involved too many “ifs” for an injury to come to pass. The “ifs” included numerous technical steps a seemingly low-tech thief would have to take to be able to read, upload, decipher, and then misuse the tape data (assuming the thief recognized the backup tapes at all). Generally, where it is not known whether data has been read, copied, or understood, the alleged injuries are too speculative to confer standing.
It is worth noting that more high-tech breaches involving direct access to and use of personal information likely create better injury-in-fact arguments for consumers. For example, affected consumers in the Sony PlayStation data-breach litigation, which involved sophisticated hackers’ criminal intrusion into a computer system, overcame the defendants’ argument that federal standing was lacking under the circumstances presented by that breach.
But in SAIC, even the time and expense incurred in credit monitoring and other preventive measures were not sufficient to constitute an injury in fact. Action taken based on fear of future harm that is not certainly impending could not create an injury in fact, even where such fears were legitimate. In other words, taking steps to ward off an otherwise speculative injury could not make the injury any less speculative, the court found.
The SAIC court also rejected the plaintiffs’ argument that the defendants’ failure to meet legal standards for data security conferred standing. A legal violation without demonstrated harm still was not sufficient for the particular claims at issue. Thus, the only claims that met the injury-in-fact element were those of the nine plaintiffs who sufficiently pled that their personal information in fact had been accessed and misused post-breach.
Causation. To establish standing, plaintiffs also must be able to show a causal connection between the injury and the conduct for which there is a complaint. The harm must be fairly traceable to the defendant’s acts. Thus, even the SAIC plaintiffs who survived the injury-in-fact analysis had to demonstrate a link between their alleged injury and theft of the tapes.
The SAIC court found that only two of the plaintiffs could demonstrate causation. This included the plaintiff who alleged that a loan was opened in his name without his authorization. This was because the opening of the loan likely required the use of certain personal information included on the tapes. On the other hand, the plaintiffs who alleged harm stemming from unauthorized use of their credit cards and/or bank accounts did not establish causation because such credit card and/or bank account information simply was not on the stolen tapes. Additionally, the court observed that a group of 4.7 million people is likely to include some victims of identity theft, regardless of the backup tape incident.
The other plaintiff who was able to demonstrate causation alleged that she began receiving unsolicited calls from telemarketers who had information about her medical condition that they likely obtained from the stolen tapes.
Redressability. Finally, to prove standing, plaintiffs must demonstrate that it is likely—not merely speculative—that a favorable decision from the court will make them whole. Consumers may find it difficult to demonstrate redressability for many of the same reasons injury in fact presents challenges. In SAIC, the only plaintiffs who crossed the redressability threshold were those who had demonstrated both injury in fact and causation, i.e., the plaintiff who had loans opened in his name and the plaintiff who began receiving unsolicited calls related to her medical condition.
Standing as a Roadblock to Consumer Claims
SAIC and the numerous data-breach cases reviewed therein suggest that consumers with standing may be limited to: (1) those who can demonstrate that their PII has been stolen and misused post-breach; and (2) those who can demonstrate that others’ PII already has been stolen and misused post-breach, suggesting that the same harm to them is imminent. As to the latter category, however, the allegations of the two surviving plaintiffs in SAIC could not save the other plaintiffs under those circumstances. The SAIC court noted that those plaintiffs’ allegations barely crossed the line from possible to plausible; therefore, they could not be used as support for other plaintiffs’ allegations that harm to them was imminent. The court openly doubted any real connection between even those plaintiffs’ allegations and the breach, despite its determination that the allegations met the minimum requirements to establish standing.
While lack of standing may not eliminate all claims asserted in a particular consumer case arising out of a data breach, it may be the defense that substantially lessens the number of plaintiffs and claims that must be defended for the remainder of the litigation. Therefore, lack of standing is an important defense to assert in such cases.