This is the property of the Daily Journal Corporation and fully protected by copyright. It is made available only to Daily Journal subscribers for personal or collaborative purposes and may not be distributed, reproduced, modified, stored or transferred without written permission.

9th U.S. Circuit Court of Appeals,
Constitutional Law,
Civil Litigation

Jun. 25, 2013

Plaintiffs face tough initial hurdles bringing data breach claims

Plaintiffs who have not suffered actual losses from the use of their personal information have had a difficult time surviving the pleading stage.

Adam J. Thurston

Faegre, Drinker, Biddle & Reath LLP

Email: adam.thurston@faegredrinker.com

Vanderbilt Univ SOL; Nashville TN

For businesses in California and across the country, the risk of data breach litigation is on the rise. A myriad of federal and state laws, as well as an evolving body of case law, impose affirmative obligations to prevent the unauthorized disclosure of personal customer information and to notify those affected when data is compromised. The consequent legal and financial exposure to businesses may be mitigated, however, depending on how the law develops on the key issues of standing and proof of damages.

California's data breach statute requires those who maintain the personal information of their customers in unencrypted form to "implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure." Cal. Civ. Code Section 1798.81.5. In the event of a data breach, the statute also requires written notice be sent, "in the most expedient time possible and without unreasonable delay," to any California resident whose personal information is known or believed to have been acquired by an unauthorized person.

California's data breach law also creates a private right of action for damages, but this is by no means the only potential cause of action available to victims of data breach. Other theories may be available under the Stored Communications Act (18 U.S.C. Section 2702), the Unfair Competition Law (Cal. Bus. & Prof. Code Section 17200), the Computer Crime Law (Cal. Penal Code Section 502), the Consumer Legal Remedies Act (Cal. Civ. Code Section 1750), and common law theories of negligence. Express and implied contract-based theories may also be available depending upon the nature of the relationship.

In many cases, however, the individuals whose personal information has been compromised will not have suffered any demonstrable harm in the form of identity theft or monetary damages, calling into question both their standing to assert claims and their ability to prove damages proximately caused by the breach. The law is unsettled and evolving in these areas.

To establish standing under Article III of the U.S. Constitution, a plaintiff must show: "(1) it has suffered an 'injury in fact' that is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision." Krottner v. Starbucks Corp., 628 F.3d 1139, 1141 (9th Cir. 2010). Under this standard, one might assume that the mere risk of future harm in the form of identity theft would be insufficient to establish standing, but the courts are split.

The 9th U.S. Circuit Court of Appeals has held - at least at the pleading stage - that exposure of personal information constitutes injury-in-fact only where the plaintiff faces "a credible threat of real and immediate harm," as opposed to harm that is simply "conjectural or hypothetical." Id. at 1143. Both the 9th and 7th Circuits have found standing to exist in cases involving the threat of future harm, while other circuits, including the 3rd and the 6th, have found this risk too conjectural. Krottner; Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629, 634 (7th Cir. 2007); Reilly v. Ceridian Corp., 664 F.3d 38, 42-46 (3rd Cir. 2011); Lambert v. Hartman, 517 F.3d 433, 437 (6th Cir. 2008). Whether standing exists in a particular case will likely depend upon the extent to which the circumstances support the conclusion that there is an imminent risk the information will be used for identity theft. The passage of time without incident, the type of information compromised, and the manner in which it is compromised will impact the inferences to be drawn.

Damages theories have also been the subject of varying outcomes in the courts. Plaintiffs who have not suffered actual losses from the use of their personal information have had a difficult time surviving the pleading stage. Many courts have held that harm consisting purely of the nuisance of taking corrective action, or economic loss without personal injury or property damages, is not compensable under traditional tort theories. Plaintiffs have argued that tort cases awarding medical monitoring damages to asymptomatic plaintiffs exposed to an increased risk of future disease by medical negligence should be extended by analogy to data breach cases. But the analogy is imperfect since data breach cases generally do not involve even the risk of physical injury or the public health interest at stake in medical monitoring cases. Thus far, the 9th Circuit has declined to apply this analogy to data breach cases seeking credit monitoring damages, albeit in an unpublished decision. See Stollenwerk v. Tri-W. Health Care Alliance, 254 F.App'x 664 (9th Cir. 2007).

The more restrictive theory of contract damages - where privity exists - has also proved problematic for plaintiffs who have not experienced actual losses from identity theft. Ruiz v. Gap, Inc., 622 F.Supp.2d 908, 917 (N.D. Cal. 2009) aff'd, 380 F.App'x 689 (9th Cir. 2010) (unpublished). However, one 9th Circuit decision has declined to dismiss such a damages theory at the pleading stage. See Claridge v. RockYou, Inc., 785 F.Supp.2d 855, 865 (N.D. Cal. 2011). Whether this theory will survive the rigors of discovery and a summary judgment motion remains to be seen.

Although California's data breach statute provides a statutory alternative to common law tort and contract claims, proof of actual damages resulting from a violation of the statute is still required. Further, California's data breach statute defines personal information narrowly. Thus, a claim under California's data breach statute will often be less attractive than a common law claim sounding in tort or contract.

As with most risks faced by businesses, getting in front of the data breach issue before litigation is the key to successful risk mitigation. An investment in legal counsel who is versed in this emerging area of the law to conduct a careful review of data security policies will be money well spent.

#302252

