DEFENDING WITH CLAPPER: APPLYING THE SUPREME COURT'S ARTICLE III STANDING INTERPRETATION TO DATA BREACH LAWSUITS.

• Author: McSweeney, Conor L.

1. Introduction

   Massive amounts of personal data are collected, analyzed, and stored in today's digital economy. (1) United States citizens are more susceptible to threats in the cyber-security landscape than ever before, and historical notions of personal privacy have significantly eroded. (2) By purchasing just one song on i Tunes, creating a single social media account, or signing up for online banking, a consumer invariably increases the risk of their personal information being stolen and put up for sale on the Darknet. (3) While consumer participation in the digital economy evolved from convenient to mandatory, the chances of an unauthorized breach of personal data have increased from possible to likely. (4) Despite strict protections under federal law, the healthcare industry's adoption of modern digital practices have made our medical records vulnerable to fraud like all other content on the Internet. (5) Swiping your credit card at a brick and mortar retail store like Target, Inc. could result in the exploitation of cardholder data by identity thieves hacking through a backdoor to the computer network. (6)

   There are countless examples just over the last few years where corporations proved to be incapable of protecting their client's personal information. (7) Sony Entertainment, Yahoo, Target, and EBay all have been subject to data breaches in recent years, and there does not appear to be any relief in sight. (8) In the aftermath of any data breach, a class-action lawsuit of affected persons typically follows in an attempt to hold the corporation accountable for violation of its duty to adequately protect its customers' personal information. (9) In order to overcome the initial hurdle necessary to sue the corporation, that is, to acquire Article III standing, a plaintiff must prove they experienced an injury-in-fact, such as identity theft or fraud. (10) While consumers do not always experience these harms immediately following a data breach, they are arguably at an increased risk of identity theft due to the public exposure of their sensitive personal information. (11) The Supreme Court most recently provided guidance on Article III standing analysis in Clapper v. Amnesty International. (12) While most circuits now refer to Clapper as the precedent for standing analysis in the corporate data breach context, some circuits disagree as to its applicability. (13)

   Part II of this note traces the historical background of the Constitutional limitations on courts to hear cases and controversies when a plaintiff lacks standing. (14) Then, I will analyze standing in the data breach context, showing different examples of how the Seventh and Ninth circuits dealt with data breach class-actions in the pre-Clapper environment, along with a brief outline of the circumstances relevant to the Clapper decision. Part III will analyze the Supreme Court's decision in Clapper and its impact on the various circuit courts' standing analysis. (15) By highlighting the need for business certainty that Clapper brings to the issue of standing, Part IV of this note will defend Clapper's assertion of the firm injury-in-fact requirement. (16) Part IV will also assert that Clapper offers the most realistic guidance to the courts when participation in the digital economy backfires and a corporation experiences a data breach. (17) Part V will advocate that the Supreme Court hear a case regarding a data breach and hold the same result with respect to its earlier Clapper decision. (18) Businesses face unprecedented exposure to litigation in the digital economy and they simply cannot withstand the dangerous exposure to a lower standing threshold than was intended under the Constitution. (19)

1. History

   1. Constitutional Basis for Standing

      The framers of the Constitution granted federal courts limited jurisdiction to hear cases and controversies. (20) Standing law is associated with the Constitutional theory of separation of powers, and is intended to prevent litigants from using the judicial process to usurp the powers of the legislative and executive branches. (21) American case law over time developed three essential elements to determine whether a plaintiff acquired standing, which is the minimum threshold that must be met by a plaintiff before for the merits of a case or controversy may be heard in a court of law. (22) First, the plaintiff must establish they suffered an "injury-in-fact," which means the plaintiff experienced "an invasion of a legally protected interest" that is (a) concrete and particularized, and (b) "actual or imminent, not conjectural or hypothetical." (23) Secondly, there must be a causal connection between the injury and the conduct complained of, such that it is reasonably traceable to the challenged action of the defendant. (24) Finally, it must be considered likely that the injury will be redressed favorably in court. (25) If a plaintiff does not have Article III standing in the eyes of the court, then there is no federal subject matter jurisdiction over the lawsuit and the case is dismissed. (26) The standing requirement is necessary to ensure the federal courts are not over-burdened by litigation that falls outside their constitutional authority. (27) While plaintiffs would undoubtedly prefer to jump straight to the litigation of a suit on its merits, the test for standing has endured to play its proper role in filtering out disputes. (28)

   2. Applying Standing to the Data Breach Context

      1. Focus on the First Element

         The most important element of the Article III standing rule in the data breach context is the injury-in-fact requirement. (29) In order for a plaintiff to establish injury-in-fact, they must allege an injury has actually occurred, or is imminent, and such injury is "distinct and palpable as opposed to merely abstract." (30) Typically, this is met through actual direct injury following a data breach, like when a person experiences identity theft or the fraudulent misuse of their financial information after their personal information is exposed. (31) In one rare data breach case, the court allowed a plaintiffs stress and anxiety associated with knowledge that their personal information was exposed to qualify as direct injury. (32) Inclusion of the concept of "imminence" leaves open a flexible interpretation by the courts that a plaintiff need not immediately experience the injury, as long as they are likely to be harmed in the near-future. (33) The Supreme Court held on numerous occasions that usage of the term "imminent" means the injury asserted must be "certainly impending." (34) Meanwhile, a new concept of "future injury" emerged in the Ninth Circuit where an individual acquired standing for direct injury due to the future expectation of a harmful conduct. (35) The courts have struggled for uniformity in addressing how far removed the threat of future harm may be from the conduct in order to satisfy the injury-in-fact element. (36)

      2. Seventh and Ninth Circuit Pre-Clapper Determinations

         The Seventh Circuit first implemented the looser injury-in-fact test for data breach cases in Pisciotta v. Old Nat'l Bancorp (31) In Pisciotta, the court sustained the plaintiff's argument of heightened threat of future harm after thousands of bank customers had their personal data stolen by a computer hacker. (38) A class action lawsuit soon followed where plaintiffs sought to obtain economic and emotional damages for the compromise of their personal data entrusted to the bank. (39) The plaintiff's specifically sought the remedy of reimbursement costs for credit monitoring since they were more susceptible to future identity theft and fraud as a result of the hack. (40) In their complaint, the plaintiffs did not allege they experienced any direct financial harm as a result of the exposure of their personal information, only that they were at greater risk of future harm due to the breach. (41) The Pisciotta court elected to follow precedent from its sister circuits that allowed the injury-in-fact requirement to be satisfied because there was a threat of future harm, however the specific cases cited were for toxic torts and environmental damage claims. (42) Meanwhile, the Pisciotta Court disregarded cases from other jurisdictions where the injury-in-fact requirement was tested against similar cases of personal data exposure. (43)

         The Ninth Circuit maintained a similar viewpoint with respect to the increased threat of future harm theory of standing in Krottner v. Starbucks Corporation (44) The plaintiffs in Krottner did not allege a theft actually occurred, but similar to Pisciotta, they wanted the corporation to be responsible for guarding them against future identity theft. (45) In its decision, Krottner specifically referenced the Pisciotta holding as a prime example of other circuits sustaining the increased threat of future harm argument to satisfy the injury-in-fact element and confer Article III standing. (46) The Krottner court ultimately ruled that the injury-in-fact requirement necessary to confer standing in the data breach context could be met by establishing a "credible threat of real and immediate harm" in the future. (47)

      3. A Primer on Clapper

         After the decision in Krottner, there were two clear precedential decisions in two different circuits that advanced the theory that plaintiffs could acquire standing following a data breach if the court was satisfied that the plaintiff was credibly at an increased risk of future harm. (48) The Court in Clapper, however, did not set out to resolve the circuit-split that existed in the Seventh and Ninth circuits. (49) Clapper was brought to the attention of the Supreme Court following Congressional enactment of the Foreign Intelligsence Surveillance Act (FISA) Amendments Act of 2008 ("FISA Amendment") to allow foreign intelligence surveillance monitoring of communications of non-US citizens abroad as long as the government first established probable...