This is the property of the Daily Journal Corporation and fully protected by copyright.

9th U.S. Circuit Court of Appeals,
Constitutional Law,
Civil Litigation

Dec. 20, 2014

Data breaches and standing: a 38-million-victim question

The number of high profile breaches of personal data seems to be proliferating. Do victims have standing to sue the entity that held the data?

Erik S. Syverson

Syverson, Lesowitz & Gebelin LLP

2029 Century Park E, Ste 2910
Los Angeles, CA 90067

Phone: (310) 341-3076

Fax: (310) 341-3070

Email: eriksyverson@syversonlaw.com

Loyola Law School; Los Angeles CA


Scott M. Lesowitz

Syverson, Lesowitz & Gebelin LLP

8383 Wilshire Blvd, Ste 520
Beverly Hills, CA 90211

Email: scott@syversonlaw.com

Harvard University Law School; Cambridge MA


From Target to Home Depot to Sony, the number of high profile breaches of personal data seems to be proliferating. Do victims have standing to sue the entity that held the data if they cannot prove that property was stolen from them because of the breach?

A case from the Northern District of California recently answered this question in the affirmative. In re Adobe Systems Inc. Privacy Litigation, 13-05226 (N.D. Cal. Sept. 4, 2014) (to be published). But earlier this year, a case from Ohio answered this same question in the negative. Galaria v. Nationwide Mut. Ins. Co., 998 F.Supp.2d 646 (S.D. Ohio 2014). The two cases came to opposite conclusions on whether the 9th U.S. Circuit Court of Appeals' opinion in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), has been abrogated by Clapper v. Amnesty International, 133 S. Ct. 1138, 1147 (2013).

In Krottner, a thief stole a computer from Starbucks that contained unencrypted names, addresses and Social Security numbers of approximately 97,000 employees. Employees whose data were stolen sued Starbucks for negligence and breach of implied contract. None of the named plaintiffs alleged that the theft led to property being stolen from them. Starbucks argued the plaintiffs lacked Article III standing due to the absence of an injury-in-fact.

The 9th Circuit found the threat of future identity theft to be a sufficient injury-in-fact. This was because there was a "credible threat of harm" that was "both real and immediate, not conjectural or hypothetical."

But three years later, the Supreme Court in Clapper stated that in order to satisfy Article III, an alleged injury that has yet to occur must be "'certainly impending' ... '[a]llegations of possible future injury'" do not satisfy Article III.

The plaintiffs in Clapper sued the government on the grounds that amendments to the Foreign Intelligence Surveillance Act were unconstitutional and made it likely that they would be spied upon due to the activist/political nature of their work. The 2nd U.S. Circuit Court of Appeals found standing, as the plaintiffs alleged that there was "an objectively reasonable likelihood" that their communications would be intercepted.

The Supreme Court reversed, holding that "the Second Circuit's 'objectively reasonable likelihood' standard is inconsistent with [the] requirement that 'threatened injury must be certainly impending to constitute injury in fact.'" The court did acknowledge in a footnote that its own prior cases found standing based on a "substantial risk that the harm will occur."

The pertinent question is whether Krottner is good law after Clapper. In re Adobe answered this question in the affirmative, finding that Clapper did not represent a major change in standing law and did not overrule earlier cases applying the seemingly lower "substantial risk" standard. Further, the language of the Krottner test ("immediate[ ][ ] danger of sustaining some direct injury") was (1) sufficiently similar to the language of the Clapper test ("certainly impending") and (2) more stringent than the rejected test of the 2nd Circuit ("objectively reasonable likelihood" of injury).

In In re Adobe, hackers stole payment and contact information of over 38 million Adobe customers. The plaintiffs sought injunctive relief, declaratory relief and restitution. They did not allege that property was stolen from them because of the data breach. Rather, their alleged injuries were (1) the increased risk of future harm from the data breach, (2) the cost to mitigate the chances of identity theft, and (3) the loss of the value of their Adobe products. The court found that these would be sufficient injuries under Article III.

In re Adobe distinguished other post-Clapper cases where district courts found no injury-in-fact. From its discussion of these cases, it appears In re Adobe requires that the plaintiff allege facts demonstrating (1) the hackers stole personal information; (2) the hackers had the technical ability to unencrypt and use the information; and (3) that the hackers intended to use the stolen data to the plaintiff's detriment.

Two of the cases In re Adobe distinguished involved thefts of computers containing sensitive data from cars. In those cases, the court found, it was too uncertain that the thieves knew what they had stolen and had the ability and inclination to unencrypt the data. In contrast, "hackers targeted Adobe's servers in order to steal customer data, at least some of that data has been successfully decrypted, and some of the information ... ha[d] already surfaced on websites used by hackers."

These distinctions seem problematic, as the 9th Circuit's decision in Krottner also involved a physical theft of a single computer. The only difference seems to be that in Krottner the stolen data was unencrypted.

In two other cases cited by In re Adobe, hackers did break into the systems of the defendants and stole personal data. However, in those cases, it was unclear whether the plaintiffs' personal information was taken by the hackers.

But In re Adobe did not attempt to distinguish Galaria v. Nationwide Mut. Ins. Co., 998 F.Supp.2d 646 (S.D. Ohio 2014). There, the defendant was an insurance company whose computer systems were infiltrated by hackers. The hackers stole the plaintiffs' personal information. But the plaintiffs did not allege that the hackers misused their personal information. They alleged virtually the same types of injuries as in In re Adobe. The court held that plaintiffs had not alleged that damages were "certainly impending" per Clapper.

The plaintiffs cited to Krottner. But Galaria held that Clapper precluded the standing test used in Krottner. In direct contradiction to In re Adobe, Galaria found that the 9th Circuit's standing test in Krottner was even less stringent than the 2nd Circuit's standing test that was rejected in Clapper.

Thus, it is uncertain whether victims of data breaches who cannot prove theft of property have standing. But at least they have a published Northern District of California case on their side.
