There is no question that data breaches are among the most common and costly threats to consumers and companies alike. What remains the subject of vehement debate is whether plaintiffs in cyber-attack cases must allege stolen data was misused in order to have standing in court. In a recent decision, Judge Lucy H. Koh of the Northern District of California offered a more expansive, plaintiffs-friendly view of that question than most other federal courts that have considered the matter.
In In re Adobe Sys., Inc. Privacy Litig., No. 13-CV-05226-LHK (N.D. Cal. Sept. 4, 2014), Judge Koh found that plaintiffs in a consolidated class action suit had standing to sue defendant Adobe Systems, Inc., despite plaintiffs’ failure to allege actual improper use of stolen personal information. This holding is particularly significant because the U.S. Supreme Court in Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013), drove many other courts across the country to dismiss similar causes of action based on a lack of standing. Judge Koh’s decision may give renewed vigor to data breach plaintiffs nationwide.
For those unfamiliar with the facts of the Adobe breach, in July 2013, hackers accessed Adobe’s servers and spent several weeks undetected, removing customer names, login IDs, passwords, credit and debit card numbers, expiration dates, and mailing and e-mailing addresses. Plaintiffs, as both customers of Adobe licensed products and Creative Cloud subscribers, filed suit alleging violations of Sections 1798.81.5 and 1798.82 of the California Civil Code, and seeking injunctive and declaratory relief.
Like many other data breach defendants who have relied on Clapper, Adobe moved to dismiss all claims, arguing that plaintiffs lacked standing to sue. Following Clapper, Adobe argued that data breach plaintiffs must assert “certainly impending” injuries and reiterated that allegations of possible future injuries are insufficient. A slight impediment was the Ninth Circuit’s decision in Krottner v. Starbucks Corp., which had acknowledged that the possibility of future injury was sufficient to confer standing. 628 F.3d 1139 (9th Cir. 2010). Adobe argued that Clapper essentially overruled Krottner, but Judge Koh disagreed, finding that Clapper did not change established standing requirements. Rather, the court explained that Krottner remains controlling precedent in the Circuit and, although the cases use differing language to describe the degree of injury a plaintiff must allege in order to have standing, these differences are not irreconcilable. Furthermore, Judge Koh reiterated that even if Krottner were no longer good law, the harm threatened by the Adobe breach was sufficiently concrete and imminent to satisfy Clapper.
Judge Koh emphasized that the hackers deliberately targeted Adobe’s servers and spent several weeks collecting the plaintiffs’ personal information. As such, the danger that plaintiffs’ stolen data would be subject to misuse was, according to Judge Koh, “certainly impending.” The court reasoned that requiring plaintiffs to wait until they actually suffer identity theft or credit card fraud in order to have standing would run counter to the well-established principle that harm does not need to have already occurred or be “literally certain” to constitute injury. In fact, the court noted that requiring plaintiffs to wait for a threatened harm to materialize in order to sue would pose a standing problem of its own because the more time that passes between a data breach and an instance of identity theft, the more latitude a defendant has to argue that the theft is not traceable to its breach.
In addition to reconciling Clapper and Krottner, the court distinguished other cases dismissed for lack of standing where risks of injury imposed by data breaches were more attenuated and insubstantial than Adobe. For example, the court cited to In re Sci. Applications Int’l Corp. Backup Tape Data Theft Litig., 2014 WL 1858458 (D.D.C. May 9, 2014), in which a thief inadvertently stole encrypted backup data tapes containing medical information, and Polanco v. Omnicell, Inc., where there was no allegation that the thief intentionally targeted the stolen laptop for its data or that there was an increased risk of misuse of the information in the future. 988 F. Supp. 2d 451 (D.N.J. 2013). Conversely, the Adobe hackers specifically targeted the servers in order to steal customer data and posted portions of that stolen information on the Internet.
Sweeping attacks on corporate technology systems are occurring with increased frequency, so data breach class actions suits will continue to multiply. Following Clapper, plaintiffs who had not suffered actual misuse of stolen personal information faced an uphill battle. In fact, prior to this decision, only one other court (See In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942 (S.D. Cal. 2014)) had recognized standing absent allegations of actual misuse of stolen data. Whether Judge Koh’s decision will remain in the minority or whether it signals a sea-change in the way that courts view “certainly impending” injuries arising from a data breach remains to be seen. Either way, it will ensure that the standing debate will rage on.
Matt has counseled clients on the evaluation of data privacy risks, responses and solutions, and he serves as a breach coach, providing analysis and advice to address data breach events, including forensics, notification pursuant to federal and state laws, credit monitoring, and public relations issues. In addition to breach response, Matt has counseled insurers on the underwriting of cyber/tech policies.
