While news broke on August 18th of Ashley Madison’s stolen data being released via the dark web, Target was penning the final strokes on a $67 million settlement agreement with Visa stemming from its widely publicized 2013 data breach[1]. This bookend pair of events on a single day, from two very different companies, highlights the life cycle of a data breach, from discovery, to announcement, to resulting lawsuits. What I find worth watching in this cycle is the recent evolution of consumer plaintiff standing in class action lawsuits, because of the potentially costly implications for corporations.
Millions of Records, Millions of Plaintiffs
When data breach cases started hitting the court system, it wasn’t surprising for plaintiffs to attempt remedies via class action lawsuits. After all, it was their personal identifying information (“PII”) or protected health information (“PHI”) that was hacked during a data breach. In Target’s breach, that included up to 40 million credit card numbers and possibly phone numbers and email addresses[2]; in Ashley Madison’s breach, that included up to 32 million names, street addresses, and email addresses[3].
These are just two examples of recent attacks, plaintiffs, and the type of information harvested by cyber attackers. The victims of these breaches vary in relation to the company attacked, the type of information stolen, and how the information may be used. In the past two years we’ve seen cyber attacks directed at universities (University of Maryland, with more than 300,000 records compromised[4]), government agencies (most recently the IRS and OPM, with up to 390,000[5] and 25 million records compromised[6], respectively), large corporations (JPMorgan Chase, with up to 83 million records hacked[7]), and, more specifically, health organizations (Anthem, with more than 80 million records affected[8]).
The data hacked in these cyber attacks belonged to customers, students, employees, and patients. The data collected by hackers is sometimes only a subset of PII. For example, the Ashley Madison breach data likely included hijacked email addresses, as the administrators of the website did not require an email authentication process when setting up a user account[9]. The Anthem breach paints a more troubling scenario. The hackers swept up a more complete portfolio of patients’ PII, creating an “identity-theft kit” that sells at exponentially higher rates on the black market than credit card numbers because it enables long-term identity theft as opposed to short bursts of credit card-related fraudulent activity[10]. In the Sony breach, it wasn’t only black market purchasers who were reveling in data made available by hackers. Media outlets were rifling through terabytes of dirty data and reporting on salacious Hollywood closed-door discussions and private emails in order to get more readers to click on articles. Given the potential long-term ramifications of these cybersecurity breaches and the alarmingly high number of people affected, class action lawsuits quickly followed news of the attacks. As we look at the case law on these class action suits, the procedural outcomes are starting to swing from one end of the pendulum to the other.
The Clapper Standing Requirement
A data breach plaintiff is no different from any other federal plaintiff. Article III standing must be established in order to survive a 12(b)(1) motion to dismiss for lack of subject-matter jurisdiction[11]. The leading case referenced by the bench in the early tide of cyber attack cases is Clapper v Amnesty International USA, 133 S.Ct. 1138 (2013). The ruling in this case, which centered on application of the newly enacted Foreign Intelligence Surveillance Act, came out as some of the largest cyber attacks, and the lawsuits that followed them, were taking place. In Clapper, the majority held that in order for a plaintiff to establish Article III standing:
“an injury must be concrete, particularized, and actual or imminent. Although imminence is concededly a somewhat elastic concept, it cannot be stretched beyond its purpose, which is to ensure that the alleged injury is not too speculative for Article III purposes—that the injury is certainly impending. Thus we have repeatedly reiterated that the injury must be certainly impending in fact, and that the allegations of possible future injury are not sufficient.” See Green v eBay Inc., 2015 WL 2066531 at *3 (E.D.La. May 4th, 2015) (citing Clapper at 1147) (alteration omitted) (internal quotation marks and citations omitted).
As the cases highlighted below show, plaintiffs in many data breach class actions could not meet the stringent burden of showing actual or immediately impending injury, because they did not know when, or whether, they would suffer the injuries Clapper requires.
Threat of Fraudulent Activity Does Not Establish Standing
In 2012, Barnes & Noble announced that 63 of its stores across nine states had been targeted by hackers. Credit and debit card information was skimmed from register PIN pads over a period of at least six weeks. Barnes & Noble then delayed notifying the public, and potentially affected victims, of the breach. In re Barnes & Noble Pin Pad Litigation, 2013 WL 4759588 (N.D.Ill. Sept. 3, 2013). A consolidated class action was filed in the Northern District of Illinois, and Judge Darrah ordered the case dismissed, as the plaintiffs were not able to meet the Clapper standing standard. The court held that Barnes & Noble’s failure to notify the plaintiffs did not by itself establish standing, nor did allegations of identity theft or fraud. Id. at *3. “Nothing in the [c]omplaint indicates [p]laintiffs have suffered either a ‘certainly impending’ injury or a ‘substantial risk’ of an injury, and therefore, the increased risk is insufficient to establish standing.” Id.
Paytime, Inc., was the victim of a cyber attack in April 2014, in which over 230,000 client files containing PII were “misappropriated.” Storm v Paytime, Inc., 2015 WL 1119724, at *3 (M.D.Pa., March 13, 2015). Class action lawsuits were filed, consolidated, and ultimately dismissed under the “high bar” established by Clapper in the 12(b)(1) Article III standing analysis. Id. at *4. The court in Storm looked to Third Circuit case law for further guidance, finding it “require[d] its district courts to dismiss data breach cases for lack of standing unless plaintiffs allege actual misuse of the hacked data or specifically allege how such misuse is certainly impending. Allegations of increased risk of identity theft are insufficient to allege a harm.” Id. at *5 (citing Reilly v Ceridian Corp., 664 F.3d 38, 43 (3d Cir. 2011)). The court found there were insufficient facts to establish that a third party had hacked the plaintiffs’ information or that there was any actual or imminent “misuse” of the data, which is a requirement under the Reilly standard. Id. at *5-6.
Shortly after Storm, In re Horizon Healthcare Services Inc. Data Breach Litigation, 2015 WL 1472483 (D.N.J. March 31, 2015) used a similar analysis, supplementing Clapper with Reilly to dismiss the plaintiffs’ multiple claims for insufficient standing. The health services company had two employees’ encrypted laptops stolen, cumulatively leading to the theft of over 800,000 clients’ PII and PHI. Horizon investigated the incident, then notified authorities and those affected within days of the theft. Id. at *1. The court found that most of the plaintiffs’ allegations were “generalized” injuries that relied on common law and statutory damages to establish the harm. Id. at *4. The plaintiffs were unable to establish imminent injury under the Reilly standard, “hav[ing] not alleged any post-breach misuse of compromised data.” Id. at *6. To drive the point home, the court observed that the alleged “future injuries stem from conjectural conduct of a third party and are therefore inadequate to confer standing.” Id. (citations omitted). One plaintiff who did suffer identity theft following the breach still had his claims dismissed, as he was not able to establish that the theft was caused by the breach at issue. Id. at *7-9.
Names, encrypted passwords, dates of birth, email addresses, and phone numbers of over 120 million eBay customers were potentially compromised when the company was hacked in February and March of 2014. eBay notified all of its users about the breach two months later, recommending that they change their passwords. Green v eBay Inc., 2015 WL 2066531, at *1. Once again, a district court dismissed the matter, applying the Clapper standard. Judge Morgan acknowledged that “[i]n most data breach cases, the complaints allege sensitive information was stolen…. In such cases, courts nonetheless have found that the mere risk of identity theft is insufficient to confer standing, even in cases where there were actual attempts to use the stolen information.” Id. at *4 (citations omitted). For this court, the threat of identity theft was too tenuous a connection to establish standing.
Sea Change – Reading Clapper in a New Light
While many courts took a stern approach to the Clapper ruling, other courts began to push the interpretation of that Supreme Court case in the context of data breach matters.
Adobe’s servers were hacked from July into September 2013, and the hackers were able to access customer PII and Adobe product source code repositories. Upon confirming the breach, Adobe announced the news in early October. In re Adobe Systems, Inc. Privacy Litigation, 66 F.Supp.3d 1197, 1206 (N.D.Cal. September 4, 2014). Multiple lawsuits were filed and ultimately funneled into a consolidated class action. The court in Adobe dug deep into the Clapper majority in finding that there was standing: “Clapper did not change the law governing Article III standing . . . . [but] merely held that the Second Circuit had strayed from these well-established standing principles by accepting a too-speculative theory of future injury. . . . [T]he Court is reluctant to conclude that Clapper represents the sea change that Adobe represents.” Id. at 1214. The court went on to distinguish Adobe by pointing out the sensitive issues underlying Clapper, which required a more rigorous standing analysis. Id. Digging further into the argument, Judge Koh found the alleged harm was “sufficiently concrete and imminent” to satisfy Clapper. Id. The nature of the attack, the type of information harvested, and evidence that some breached data had been made available on the internet sufficiently met these demands. Id. at 1214-15.
The Sony breach of late 2014 was reported in the news on a daily basis. It could not have been a surprise that the employees affected by the 100 terabyte breach later filed a class action lawsuit seeking redress for released PII and PHI. Corona, et al v Sony Pictures Entertainment, Inc., 2015 U.S. Dist. LEXIS 85865 at *1-2 (C.D.Cal. June 6, 2015). The court’s standing analysis in Sony was succinct. Referencing Clapper and its certainly impending standard, the court found Article III standing with minimal fuss, pointing to the posting of the breached data onto file-sharing websites and the subsequent alleged physical threats made to employees and their family members. Id. at *5-6.
The Neiman Marcus case is the most recent of those included here, with the Seventh Circuit reversing a lower court dismissal in July 2015. The underlying case stems from a data breach that occurred at Neiman Marcus between July and October 2013 through a malware attack that Neiman Marcus discovered in December 2013 and announced to the public in January 2014. Remijas v Neiman Marcus Group, LLC, 2015 WL 4394814 at *1 (7th Cir. 2015). During that time, PII for 350,000 cards was potentially exposed, with 9,200 cards confirmed as fraudulently used. Id. Class action lawsuits were soon filed and ultimately consolidated in June 2014. Id. at *2. The district court dismissed the class action suit for lack of standing, relying on Clapper. Id. at *4. The circuit court distinguished the Neiman Marcus plaintiffs from those in Clapper, stating that the majority decision “did not jettison the ‘substantial risk’ standard…[nor did] it require plaintiffs to demonstrate that it is literally certain that the harms they identify will come about.” Id. (citing Clapper at 1150 n.5).
The circuit court went further by cautioning “not to overread Clapper.” Id. at *5. The court pointed to the initial breach and the subsequent credit card monitoring services as facts that pushed the plaintiffs beyond the limitations found in Clapper. Id. The causation arguments that had defeated earlier plaintiffs were also overcome here, with the court finding that Neiman Marcus’ admission of the breach and of the exposed cards sufficiently addressed the concern. Even if some of the affected customers were also affected by the Target breach, this potential dual exposure does not defeat the plaintiffs’ standing. Id. at *7.
Closing Comment
Target is closing the circle on the multi-year fallout from its data breach. Reports indicate that a settlement with MasterCard will closely follow the Visa settlement, and a $10 million settlement was reached earlier in the year with the class action lawsuit plaintiffs[12]. Adobe recently settled its class action lawsuit for an undisclosed amount to the plaintiffs and $1.2 million in legal fees. Lawsuits were recently filed in Canada and the US against Ashley Madison’s parent company. The recent far-reaching OPM breach has also seen its first round of lawsuits filed. The stakes are high in these cases. It will be worth watching to see whether these and future lawsuits swing towards the strict or the soft side of Clapper.
Interested in cybersecurity? If so, read Driven’s article by Yohance Bowden, The Changing Threat Posed by Recent Cyber Attacks, which focuses on the 2014 Sony breach and offers a seven-step roadmap to assist corporations in implementing a data security plan.
[1] Shannon Pettypiece and Elizabeth Dexheimer, Target reaches $67 million agreement with Visa over breach, Bloomberg Business (August 18, 2015, 11:53 AM), http://www.bloomberg.com/news/articles/2015-08-18/target-says-it-has-reached-settlement-with-visa-over-data-breach.
[2] Peter Conney and Supriya Kurane, Target agrees to pay $10 million to settle lawsuit from data breach, Reuters (March 19, 2015, 11:42 AM), http://www.reuters.com/article/2015/03/19/us-target-settlement-idUSKBN0MF04K20150319.
[3] Kim Zetter, Hackers finally post stolen Ashley Madison data, Wired (August 18, 2015, 5:55 PM), http://www.wired.com/2015/08/happened-hackers-posted-stolen-ashley-madison-data/?mbid=social_fb.
[4] Laura Blasey and Mike King, 309,079 UMD Social Security numbers compromised, The Diamondback (February 19, 2014, 6:01 PM), http://www.diamondbackonline.com/news/article_b8236dea-99b6-11e3-92eb-0017a43b2370.html.
[5] Ed Silverstein, IRS admits data breach worse than initially reported, Legaltech News (August 17, 2015), http://www.legaltechnews.com/id=1202734951002/IRS-Admits-Data-Breach-Worse-Than-Initially-Reported?kw=IRS%20Admits%20Data%20Breach%20Worse%20Than%20Initially%20Reported&cn=20150818&pt=Afternoon%20Update&src=EMC-Email&et=editorial&bu=Law%20Technology%20News.
[6] Joe Davidson, New OPM data breach numbers leave federal employees anguished, outraged, The Washington Post (July 9, 2015), http://www.washingtonpost.com/blogs/federal-eye/wp/2015/07/09/new-opm-data-breach-numbers-leave-federal-employees-anguished-outraged/.
[7] Supriya Kurane, JPMorgan data breach entry point identified: NYT, Reuters (December 22, 2015, 10:09 PM), http://www.reuters.com/article/2014/12/23/us-jpmorgan-cybersecurity-idUSKBN0K105R20141223.
[8] Anna Wilde Matthews and Danny Yadron, Health insurer Anthem hit by hackers, The Wall Street Journal (February 4, 2015, 9:39 PM), http://www.wsj.com/articles/health-insurer-anthem-hit-by-hackers-1423103720.
[9] Kim Zetter, Hackers finally post stolen Ashley Madison data, Wired (August 18, 2015, 5:55 PM), http://www.wired.com/2015/08/happened-hackers-posted-stolen-ashley-madison-data/?mbid=social_fb.
[10] Tim Green, Anthem Hack: Personal Data Stolen Sells for 10X Price of Stolen Credit Card Numbers, CIO (February 6, 2015, 5:40 PM), http://www.cio.com/article/2881112/data-breach/anthem-hack-personal-data-stolen-sells-for-10x-price-of-stolen-credit-card-numbers.html.
[11] See Fed. R. Civ. P. 12(b)(1). See Green v eBay Inc., 2015 WL 2066531 (E.D.La. May 4th, 2015) (citing Superior MRI Servs., Inc. v. Alliance Healthcare Servs., Inc., 778 F.3d 502, 504 (5th Cir. 2015)).
[12] Shannon Pettypiece and Elizabeth Dexheimer, Target reaches $67 million agreement with Visa over breach, Bloomberg Business (August 18, 2015, 11:53 AM), http://www.bloomberg.com/news/articles/2015-08-18/target-says-it-has-reached-settlement-with-visa-over-data-breach.