Target Decision Provides Outline for Consumer Plaintiff Data Breach Litigation
"There are two kinds of companies. Those that have been hacked, and those that have been hacked but don’t know it yet.” -Congressman Mike Rogers, Chairman of the House Intelligence Committee, 2011
Sony. Target. AT&T. Neiman Marcus. Michaels. J.P. Morgan Chase. Home Depot. What do these companies all have in common?
They, along with countless others, have been the subject of a cyber-attack or data breach. And consumers are taking these matters to court. As evidenced by the court’s ruling in In re Target Corporation Customer Data Security Breach Litigation, No. MDL 14-2522 (PAM/JJK), 2014 WL 7192478 (D. Minn. Dec. 18, 2014), courts are increasingly inclined to permit putative class actions to proceed beyond the motion to dismiss stage. Understanding the backdrop to the Target decision is important.
In Clapper v. Amnesty International USA, the U.S. Supreme Court held that plaintiffs did not have Article III standing to challenge the Foreign Intelligence Surveillance Act of 1978, where they argued that there was a reasonable likelihood that their communications would be acquired in the future.[1] In addition, plaintiffs’ argument that they had standing because the surveillance has forced them to take “costly and burdensome measures to protect the confidentiality of their international communications” likewise did not confer standing because plaintiffs “cannot manufacture standing by incurring costs in anticipation of non-imminent harm.” Similarly, many data breach cases raise the same issue—Plaintiffs allege a hypothetical, future harm, not actual injury-in-fact.
Thus, post-Clapper, many courts have determined that alleging potential future harm from the data breach or increased monitoring costs of personal information is too speculative to support Article III standing.[2]
While the Fifth Circuit has not yet applied Clapper to a data breach case, defense practitioners in the Fifth Circuit should be aware of its significance when arguing against standing in a data breach case. Despite Clapper, however, the court in In re Target Corporation Customer Data Security Breach Litigation (“In re Target”) permitted Plaintiffs to survive a motion to dismiss, noting that generally, Plaintiffs plausibly pleaded injury-in-fact.
In re Target is a putative class action on behalf of consumers, alleging various causes of action against Target, arising out of the massive data breach in December 2013, which affected as many as 110 million Target customers. In the litigation, Target brought a motion to dismiss the class action, asserting that the plaintiffs lacked standing for the majority of the claims in the suit because plaintiffs failed to establish any injury. While the court ultimately dismissed a small portion of the state law claims, the court denied the bulk of the motion to dismiss, concluding that plaintiffs “plausibly allege that they suffered injuries that are ‘fairly traceable’ to Target’s conduct,” including “unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees.” Significantly, the court determined that “at the motion-to-dismiss stage, Plaintiffs need only plausibly allege that they can establish the elements of standing.”
Thus, for cyber security class actions, In re Target will be the foundational case for class action plaintiffs to assert standing, providing a roadmap for future claims. And should plaintiffs survive a motion to dismiss in a putative class action for a data breach case, the costs of litigation and the costs of settlement significantly increase. So, what can businesses do?
Certainly your businesses must invoke all reasonable prophylactic security measures to protect your customers’ data. But does your company have a data breach response plan? Of course, you should always engage informed counsel to guide your data breach response.
[1] Clapper v. Amnesty Intern. USA, 568 U.S. 398, 133 S. Ct. 1138, 185 L. Ed. 2d 264 (2013).
[2] See, e.g., In re Science Applications International Corp., No. 12-347 (JEB), 2014 WL 185458, at *8-9 (D.D.C. May 9, 2014) (“Indeed, since Clapper was handed down last year, courts have been even more emphatic in rejecting ‘increased risk’ as a theory of standing in data-breach cases.”).