This is the property of the Daily Journal Corporation and fully protected by copyright.

9th U.S. Circuit Court of Appeals,
Constitutional Law,
Civil Litigation

Feb. 26, 2014

Surging wave of data class actions

Defending putative data privacy and data security class actions today is more complex than in past years.

Ian C. Ballon

Partner
Greenberg Traurig LLP

Phone: (650) 289-7881

Email: ballon@gtlaw.com

Ian defends cybersecurity and data privacy class action suits, among other technology cases, and is co-chair of Greenberg Traurig LLP's Global Intellectual Property & Technology Practice Group and the author of the 5-volume treatise, "E-Commerce & Internet Law" 2d edition (www.ianballon.net). The views expressed are solely those of the author.


Defending putative data privacy and data security class actions today is more complex than in past years. Since 2010, there has been an explosion of such class actions filed against Internet companies, mobile service providers and device manufacturers, social networks, social gaming sites, advertising companies, application providers and companies that merely advertise on the Internet, among others. Most of these cases involve alleged technical violations, but no real injury.

Most data privacy cases are brought under federal statutes and equivalent state laws ill-suited to such claims, but which offer recovery of statutory damages and attorney fees. The typical allegation is that information was potentially exposed to third parties, but does not involve any measurable injury or monetary loss.

Security breach cases, by contrast, typically are brought under state common law theories such as negligence, breach of fiduciary duty, or breach of implied contract. Many are brought by victims who lost money as a result of a breach, although an increasing number are initiated by people whose information may have been exposed, but who have not yet been victimized.

Data Privacy

Lack of standing to sue in federal court is a potential obstacle to class actions where no money has been lost. Indeed, many data privacy suits have been dismissed for lack of standing. In Edwards v. First American Corp., 610 F.3d 514 (2010), however, the 9th U.S. Circuit Court of Appeals held that standing nevertheless may be established if a plaintiff may state a claim under a statute that does not require a showing of damage or injury. As a result, these actions increasingly have been brought in the 9th Circuit alleging violations of federal statutes that do not require a showing of monetary loss. Most are filed in the Northern District of California.

Even where a case gets past standing challenges, data privacy cases generally have not fared well for plaintiffs in the absence of injury or damage. For example, a plaintiff must have $5,000 in damages to state a claim under the Computer Fraud and Abuse Act - a threshold that bars many privacy claims, especially those based on behavioral advertising where there is usually only de minimis damage. This threshold requirement has proven to be an insurmountable bar in many cases. E.g., In re Google Android Consumer Privacy Litig., No. 11-02264 (N.D. Cal. Mar. 26, 2013).

Common law claims present similar hurdles. For example, breach of contract claims premised on a posted privacy policy or terms of use will not stick absent damage. E.g., Low v. LinkedIn Corp., No. 11-cv-01468-LHK, 2012 WL 2873847, at *12-13 (N.D. Cal. July 12, 2012) (dismissing plaintiff's claim).

Even specialized statutes intended to make it easy to bring consumer class actions may not be well suited where there is only de minimis damage. For example, the California Legal Remedies Act, which provides a remedy for damages suffered in connection with a consumer transaction, defines "consumer" as an individual who purchases or leases any goods or services for personal, family or household purposes. A CLRA claim therefore may not be maintained where a plaintiff seeks a remedy from a free Internet site or free app where no purchase has been made. E.g., In re Facebook Privacy Litig., 791 F. Supp. 2d 705, 717 (N.D. Cal. 2011).

Similarly, California's notoriously broad unfair competition statute requires a showing of actual injury. That statute allows claims to be based on violations of statutes that do not expressly create independent causes of action. See Kasky v. Nike Inc., 27 Cal. 4th 939, 950 (2002). Claims for unjust enrichment also may not work in California because unjust enrichment is no longer recognized as an independent cause of action. See Hill v. Roll Int'l Corp., 195 Cal. App. 4th 1295, 1307 (2011).

Although most cases involving no injury or damage continue to be viewed with skepticism by courts, a few decisions evidence the willingness of judges to try to stretch the law to accommodate new claims. For example, in In re Hulu Privacy Litig., No. 11-03764 (N.D. Cal. Dec. 20, 2013), the court held that a plaintiff need not show harm to recover statutory damages under the Video Privacy Protection Act (VPPA). The VPPA provides that a court "may award" actual or statutory damages. Although the court did not directly decide the issue, it is difficult to find a rationale for awarding discretionary damages if a violation were to be established without any finding of harm.

Similarly, in Yunker, the court held that the plaintiff potentially stated a claim under the Electronic Communications Privacy Act, which protects the contents of certain electronic communications but not "noncontent data" such as a zip code, based on the allegation that noncontent data such as a person's universally unique identifier, zip code, gender or birthday, had been disclosed. The court distinguished In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1062 (N.D. Cal. 2012), because the court in Yunker characterized this noncontent data as the contents of the communication. By defining noncontent data as the contents of a communication, the court sidestepped the overwhelming weight of authority under ECPA.

The 9th Circuit similarly engaged in linguistic acrobatics in Joffe v. Google Inc., 729 F.3d 1262, 1277-79 (2013), by holding that payload data transmitted over unencrypted Wi-Fi networks that was inadvertently collected on public roads, incident to capturing photographs for Google's free Street View service, was not "readily accessible to the public." On reconsideration, the 9th Circuit deleted this aspect of its opinion. 2013 DJDAR 16886 (Dec. 27, 2013). Nevertheless, the court's initial ruling shows that courts may be willing to stretch the law to accommodate changing societal views about privacy.

Data Security

In data security cases, when a breach occurs and an actual financial loss can be established, a plaintiff may maintain suit for breach of contract, breach of fiduciary duty, negligence or similar claims, depending on the facts.

Where there is no apparent individual loss, plaintiffs sometimes seek to bolster claims based on apprehension of a potential future harm by subscribing to credit monitoring services, alleging that the cost of monitoring services is a present loss. However, to negate this argument, companies often voluntarily offer consumers free credit monitoring services after a breach.

Where no loss has yet occurred, consumers may be able to establish standing in the 7th (see Pisciotta v. Old National Bancorp., 499 F.3d 629, 634 (2007)) and 9th (see Krottner v. Starbucks Corp., 628 F.3d 1139, 1142-43 (2010)) Circuits based on the threat of future harm. In Reilly v. Ceridian Corp., 664 F.3d 38 (2011), however, the 3rd Circuit rejected the analogy drawn by these circuits between data security breach cases and defective-medical-device, toxic-substance-exposure or environmental-injury cases, where courts typically find standing.

First, in those cases, an injury "has undoubtedly occurred," even if the plaintiffs "cannot yet quantify how it will manifest itself." By contrast, in data breach cases where no misuse is alleged "there has been no injury - indeed, no change in the status quo.... [T]here is no quantifiable risk of damage in the future.... Any damages that may occur ... are entirely speculative...."

Second, standing in medical-device and toxic-tort cases "hinges on human health concerns" where courts resist strictly applying the "actual injury" test "when the future harm involves human suffering or premature death." Similarly, standing in environmental-injury cases is unique "because monetary compensation may not adequately return plaintiffs to their original position." By contrast, in a data breach case, "there is no reason to believe that monetary compensation will not return plaintiffs to their original position completely - if the hacked information is actually read, copied, understood, and misused to a plaintiff's detriment. To the contrary ... the thing feared lost ... is simply cash...."

The 3rd Circuit also rejected the argument that time and money spent to monitor financial information established standing because "costs incurred to watch for a speculative chain of future events based on hypothetical future criminal acts are no more 'actual' injuries than the alleged 'increased risk of injury' which forms the basis for Appellants' claims."

Where standing may be established, courts in the 1st Circuit have broadly defined the duties owed by companies, holding in one case that a grocery store owed a duty of care to customers by virtue of accepting credit card payments. See Anderson v. Hannaford Brothers Co., 659 F.3d 151 (2011). On the other hand, despite this broad ruling, the court ultimately denied plaintiff's motion for class certification, finding that common questions of law and fact did not predominate. See In re Hannaford Bros. Co. Customer Data Security Breach Litig., 293 F.R.D. 21 (D. Me. 2013).

Data privacy and security law continues to evolve as more plaintiffs' lawyers pursue claims in cases involving no harm or monetary damage. Data privacy case law is increasingly determined by the 9th Circuit, while data security cases are brought throughout the U.S. - and the scope of a company's duty to consumers may be interpreted more expansively in the 1st Circuit than elsewhere. The increase in these cases underscores the importance for lawyers to understand the underlying technology at issue - and to know which circuits are more favorable in a given case.
