Standing a Stumbling Block for Data Breach Cases

It seems we hear every day about a data breach somewhere.  By now, it’s almost redundant to mention Target, Home Depot and Anthem as poster children for major data breaches.  Here’s a discussion on the subject.  Let me know if you recognize any of the voices.   

But despite the frequency of the phenomenon, there's not been as much news about big litigation wins in the area.  And this recent case involving eBay may help explain why.  The United States District Court for the Eastern District of Louisiana recently dismissed a case against eBay because the plaintiff couldn't demonstrate any actual harm from the alleged data breach.  As a result, the plaintiff lacked "standing" and could not proceed with the class action.

According to the court, eBay has 120 million active users.  In its normal course of business, eBay maintains personal information of its users, including: names, encrypted passwords, dates of birth, email addresses, physical addresses, and phone numbers. In February and March 2014, unknown persons accessed eBay’s files containing this user information (the “Data Breach”).  On May 21, 2014, eBay notified its users of the Data Breach and recommended that users change their passwords.   Although eBay also collects other information, including credit card and bank account information, there was no indication that any financial information was accessed or stolen during the Data Breach.  

A plaintiff named Collin Green filed a 10-count consumer privacy putative class action against eBay on behalf of himself and all eBay users in the United States whose personal information was accessed during the Data Breach.   Plaintiff alleges that as a direct and proximate result of eBay’s conduct, “Plaintiff and the putative class members have suffered economic damages,” “actual identity theft, as well as (i) improper disclosures of their personal information; (ii) out-of-pocket expenses incurred to mitigate the increased risk of identity theft and/or identity fraud due to eBay’s failures; (iii) the value of their time spent mitigating identity theft and/or identity fraud, and/or the increased risk of identity theft and/or identity fraud; (iv) and deprivation of the value of their personal information.”  

In response, eBay filed a motion to dismiss for the fairly simple reason that Green failed to allege he’d suffered any actual harm.  In eBay’s words:  “[p]laintiff does not allege that he has been injured by misuse of the stolen information[,] . . . that anyone has used his password, or that anyone has even tried to commit identity fraud with his information—let alone that anyone has actually succeeded in doing so—and that he has thereby suffered harm.”   Instead, according to eBay, “[p]laintiff relies on vague, speculative assertions of possible future injury—that maybe at some point in the future, he might be harmed. . . . But the speculative possibility of future injury does not constitute injury-in-fact.”  

And the court agreed.  It found that Green not only failed to show actual harm, but also failed to produce any evidence that any actual harm was even impending.  According to the court, "[t]he potential injury in this case is far too hypothetical or speculative to meet . . . [the] certainly impending standard."  And this ruling is not merely a bump in the road for the plaintiff – it means that, as a matter of constitutional law, he and the class cannot proceed.

The practical lesson from this otherwise academic discussion is this.  If your company gets hit with a data breach, it is in your interest to respond quickly.  The more promptly your company is able to contain the breach and offer identity theft protection, the better chance it has of depriving potential class action plaintiffs of any actual harm.  And that may mean a quick dismissal.  A desirable result under any circumstance.