Federal Appellate Courts Split on Standing for Data Breach Claims

28 Mar 2018 12:30 PM | Lynette Pitt (Administrator)

by Michael W. Mitchell, Smith Anderson, LLP

What is easier to do in Alaska, Arizona, California, Hawaii, Idaho, Illinois, Indiana, Kentucky, Michigan, Montana, Nevada, Ohio, Oregon, Tennessee, Washington state, Washington, D.C., and Wisconsin than it is to do in Arkansas, Connecticut, Iowa, New York, Maryland, Minnesota, Missouri, Nebraska, North Carolina, North Dakota, South Carolina, South Dakota, Vermont, Virginia, and West Virginia? (Don't worry, this rhetorical question is safe for work!)

Plaintiffs in the former jurisdictions can sue for a data breach even if they have not suffered any actual injury. Plaintiffs in those jurisdictions need only allege that there is an increased risk of future identity theft from the data breach.

But in the latter jurisdictions, plaintiffs must go further and allege an actual injury from the breach, such as fraudulent charges on existing debit or credit card accounts or the opening of fraudulent financial accounts using the stolen personal information. Otherwise, they cannot establish "Article III standing" and the claim cannot survive a motion to dismiss.

Why does this matter? Because class action plaintiffs who can survive a motion to dismiss have much greater leverage for settlement. A class action case that cannot be dismissed prior to discovery can command some settlement value just on the discovery costs alone.

The Sixth Circuit in Galaria v. Nationwide Mutual Insurance (6th Cir. 2016), the Seventh Circuit in Remijas v. Neiman Marcus (7th Cir. 2015) and Lewert v. P.F. Chang’s China Bistro (7th Cir. 2015), the Ninth Circuit in Krottner v. Starbucks Corp. (9th Cir. 2010) and In re Zappos.com (March 2018), and the D.C. Circuit in Attias v. CareFirst (D.C. Cir. 2017) have applied the lower standard for standing on a data breach claim.

The Second Circuit in Whalen v. Michaels Stores (2d Cir. 2017), the Fourth Circuit in Beck v. McDonald (4th Cir. 2017), and the Eighth Circuit in In re SuperValu Customer Data Security Breach Litigation (8th Cir. 2017), have found that general allegations of an increased risk of identity theft from a data breach alone are not enough of an injury in fact to establish standing. These Circuits have held that plaintiffs also must allege an actual injury.

The U.S. Supreme Court seems unimpressed by this disagreement between multiple federal courts of appeal, because the Supreme Court passed on the opportunity to resolve this split in legal precedent across the country when it recently denied an appeal from the D.C. Circuit's CareFirst decision.

Side bar: The Ninth Circuit's opinion in In re Zappos.com cites to a U.S. Supreme Court decision from 1824 to reject one of Zappos' arguments. Who says old law is of no value in the world of modern technology?

This article was originally posted by Mike Mitchell on LinkedIn