It seems that hardly a day goes by without mention of a large-scale data breach. (1) These breaches typically involve the disclosure of vast amounts of personally identifiable information (PII). (2) In fact, a Pew Research Center survey released in early 2017 concluded that more than half of United States citizens already have experienced a data breach. (3) Additionally, according to a report issued by the Identity Theft Resource Center, more than 1,200 new data breaches occurred in 2018 alone, exposing at least 446,515,334 records of individuals. (4)
With more than half of U.S. citizens having already been victimized by at least one data breach, and hundreds if not thousands of other breaches occurring each year, it is increasingly likely that someone will have their PII compromised by multiple data breaches. Consequently, a critical issue for courts grappling with data-breach litigation is whether the plaintiff can prove that the harm allegedly suffered was caused by the data breach that is the subject of the case in question, versus another prior data breach that also exposed that plaintiff's PII. Proving causation in data-breach litigation naturally will become an increasingly difficult task as additional data breaches occur and more individuals become the victims of multiple cyber breaches.
Indeed, we are perilously close to reaching a causation "tipping point" where it is virtually impossible to determine whether a particular data breach was the proximate cause of subsequent related harm if the claimant's PII was previously disclosed in one or more other data breaches. Lest data breach litigation devolve into some form of strict liability, courts are beginning to require more than mere "time and sequence" allegations and proof (i.e., that a data breach occurred and then some harm consistent with a data breach followed) to determine whether plaintiffs have sufficiently pled, and ultimately can prove, that a particular data breach was the cause of their harm.
This crucial causation question can arise in a variety of contexts in a data-breach case. For instance, defendants in federal cases often file motions challenging whether plaintiffs have sufficiently alleged causation for Article III standing purposes, whether plaintiffs' proximate cause allegations are adequate, and whether plaintiffs have properly alleged damages for their substantive claims. In class-action litigation, defendants frequently argue that class plaintiffs have failed to sufficiently plead causation for the putative class as a whole, and that class certification is inappropriate because plaintiffs cannot establish that all putative class members share common facts and claims relating to causation. If these causation challenges fail, plaintiffs still must prove that the relevant data breach was the proximate cause of plaintiffs' harm to prevail on many of the substantive claims that plaintiffs typically assert in data-breach cases.
Moreover, there is a risk that victims of multiple data breaches might seek and obtain double recovery for a single data breach injury if courts do not require plaintiffs to prove which specific data breach actually caused plaintiffs' harm. In short, causation is likely to be one of the most hotly contested and challenging issues for litigants and the courts in future data-breach litigation.
Causation at the Pleading Stage
Causation issues are often raised as early as the pleading stage in data breach cases. In federal cases, defendants often challenge whether plaintiffs possess the requisite Article III standing to even bring a data-breach case. To establish Article III standing, plaintiffs must allege that "(1) [plaintiffs have] suffered an 'injury in fact' that is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision." (5) Additionally, defendants usually contend that plaintiffs have failed to adequately allege proximate causation for their substantive claims because most (but not all) claims commonly asserted by plaintiffs in data-breach litigation require a showing that the relevant data breaches proximately caused the damages claimed by plaintiffs. (6)
To survive defendants' common standing and proximate cause challenges, plaintiffs must allege enough to show a causal connection between plaintiffs' harm and the relevant data breach for both standing and proximate cause purposes. However, as discussed below, pleading Article III standing is much less burdensome than alleging proximate causation. Consequently, complaints that sufficiently allege causation for standing purposes do not also automatically satisfy the more onerous proximate cause pleading standard. Unfortunately, however, courts sometimes create confusion at the pleading stage by conflating the differential causation needed to establish an "injury in fact" for standing purposes versus that needed to establish "proximate causation" as an element of a claim.
* Pleading Article III Standing--While many of the initial challenges in data-breach lawsuits have focused on the plaintiffs' ability to establish they have suffered an "injury in fact" (e.g., is an increased risk of identity theft sufficient), the Article III standing analysis includes a causation element--whether the injury is "fairly traceable" to an alleged data breach--that has not yet received the same level of judicial scrutiny as the "injury in fact" assessment. (7) However, as more courts issue decisions staking out the contours of a sufficiently pled "injury in fact" and as a consensus slowly emerges, the analysis likely will shift to the corresponding causation requirement.
To determine whether plaintiffs possess the requisite Article III standing to pursue data-breach claims in federal court, the relevant causation inquiry turns on whether plaintiffs' alleged harm is "fairly traceable" to defendants' conduct. (8) The showing required to establish that an alleged injury is "fairly traceable" to the actions of defendants is not burdensome, and requires less than the showing required to establish proximate cause. (9) Indeed, courts often conclude at the pleading stage that even general allegations that harm resulted from defendants' conduct suffice to demonstrate standing. (10) Thus, when considering the Article III standing question, courts need not (and should not) consider whether plaintiffs have sufficiently alleged proximate causation for their substantive claims. (11)
For instance, in Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012), the court found that plaintiffs adequately established Article III standing merely by alleging that 1) defendant failed to secure plaintiffs' information on company laptops, 2) the laptops were subsequently stolen, and 3) plaintiffs became victims of identity theft after the laptops were stolen despite plaintiffs' personal habits of securing their sensitive information. (12) Similarly, in Smith, allegations that 1) plaintiffs entrusted their PII to defendant, 2) defendant did not secure it, 3) a data breach resulted in which plaintiffs' information was stolen, and 4) the stolen information was utilized to file fraudulent tax returns were deemed sufficient to show that plaintiffs' alleged injuries were fairly traceable to defendant's actions. (13)
In short, plaintiffs do not need to plead detailed "causation" facts to overcome preliminary challenges to their Article III standing to maintain data breach claims. In fact, cases like Resnick and Smith suggest that mere "time and sequence" allegations might even be enough to plead Article III standing. But the causation inquiry does not end there.
* Pleading Proximate Cause as an Element of a Claim--In contrast to the "fairly traceable" test used to determine whether Article III standing has been adequately pled, Fed. R. Civ. P. 8(a) and 12(b)(6) present "higher hurdles" for plaintiffs attempting to plead proximate cause. To establish proximate cause at the pleading stage, plaintiffs must allege facts sufficient to raise a right to relief above the speculative level. (14) Indeed, courts are increasingly finding that general or conclusory proximate cause allegations are insufficient to support data-breach claims that require a showing of proximate cause.
For example, after initially concluding that plaintiffs had pled enough to demonstrate...