Ann Marie Mortimer

In a data breach action against a major hotel chain, the court considered, as it has in many such cases, what should be the threshold for standing under Article III of the Constitution, and what should a plaintiff be required to allege in the first instance, other than the fact of the breach itself, to create a path forward to litigate alleged injuries.

“The law surrounding data breach cases is still in its relative infancy,” said Mortimer, a data breach specialist and managing partner at Hunton Andrews Kurth. “In many respects, a lot of data breach cases are based on a claim for injury looking for a legal theory to support it.”

Drawing upon her experience defending Yahoo in a series of highly publicized consumer class actions arising from the largest data breach in history, Mortimer said one of the keys to limiting a particular claim to California residents was largely based on her challenge of the plaintiff’s ability to show injury. In Re Yahoo! Data Breach Litigation 16-CV05463. (N.D. Cal. Filed Dec. 17, 2016).

While user names, encrypted passwords and birthdays were allegedly stolen, plaintiffs were unable to show how this information could directly allow for a potential wrongdoer to perpetrate financial harm, Mortimer said.

“There are so many data breaches. It is hard to meet the legal threshold of actually showing an injury that is ‘fairly traceable to the conduct alleged,’ which is of course the threshold required to show Article III standing,” Mortimer said. “It should not be enough to say, ‘My information may have been compromised, so therefore I have been injured.’ Something more is required.”

Standing will continue to be the first-stop battleground for determining data breach cases, Mortimer said, until courts come to a clear consensus on what constitutes injury. Careful jurists at the district court level and above are considering these issues. However, they are very fact dependent, Mortimer said, so even if the same standards are applied, courts may reach different results based on the facts of the case.

“These cases are being filed every day, but they are not making it through the crucible of pleading, merits discovery and ultimate adjudication,” Mortimer said. “We’re still guessing as to what the contours of the law are, but we know the first stop in that analysis is always going to be standing, and courts are frankly deciding these cases in different ways.”

“But if you apply Article III rigorously, then the question the court will ask is if there is a way to extrapolate from the information taken and the harm alleged to a causal chain showing that the plaintiff’s injury is fairly traceable to the conduct alleged,” Mortimer said.

— Blaise Scemama