How Viable Is the Prospect of Enforcement of Privacy Rights in the Age of Big Data? an Overview of Trends and Developments in Consumer Privacy Class Actions

• Publication year: 2015
• Author: By Matthew George

HOW VIABLE IS THE PROSPECT OF ENFORCEMENT OF PRIVACY RIGHTS IN THE AGE OF BIG DATA? AN OVERVIEW OF TRENDS AND DEVELOPMENTS IN CONSUMER PRIVACY CLASS ACTIONS

By Matthew George¹

I. INTRODUCTION AND OVERVIEW

A nationwide retailer is hacked and account numbers for millions of customers hit the black market for criminals to use to commit fraud. A hospital leaks its patients' medical records on the Internet and reveals their diagnoses. Social media users learn companies are harvesting their private messages for data to sell them products. Each of these scenarios has become increasingly common news in the digital age of big data.

So where does that leave consumers when their personal information is exposed or misused? What recourse, if any, do they have in court when their privacy has been violated? While there are some laws that provide guidance on how personal information must be secured, many provide no private cause of action to consumers when their data is actually exposed. And, courts have dismissed many privacy cases at the pleading stage by rejecting plaintiffs' theories equating the loss or exposure of personal data with monetary harm—despite the undisputed fact that personal information is valuable to the companies that hold it and the criminals who want it.²

While difficult, private enforcement of consumer privacy in the age of big data is not a lost cause. As discussed below, plaintiffs have had some success testing the application of traditional legal principles (like standing) to this developing practice area and there are many state and federal statutes that can provide relief to consumers when their privacy is violated. This article explores some of the key claims and legal issues that have emerged in recent lawsuits brought over consumer privacy issues, particularly in the context of customer account data, medical information, and electronic communications.

II. GETTING THROUGH THE COURTHOUSE DOORS - ARTICLE III STANDING AND DATA BREACHES

One of the biggest hurdles plaintiffs face asserting claims arising from data breaches is demonstrating Article III standing. As a threshold issue, standing is an "indispensable part of a plaintiff's case" that requires plaintiffs to allege injury-in-fact, causation, and

[Page 195]

redressability tied to the defendant's conduct.³ Because many data breaches do not necessarily result in immediate financial damages, some plaintiffs have encountered difficulty pleading alternate injury theories that satisfy Article III.

A. Early Privacy Breach Cases Find the Loss of Personal Data Confers Standing

Given the lack of precedent in early data breach cases, courts were presented with the novel question of whether plaintiffs had standing when their account data was exposed. The Seventh and Ninth Circuits initially agreed that plaintiffs, whose personal data was stolen, could sufficiently allege injury-in-fact because of the threat of future harm from the exposure of their personal information.⁴ However, the courts still affirmed dismissals of plaintiffs' claims because they found their requests for credit monitoring or mitigation damages were insufficient to support the claims alleged.

The First Circuit viewed mitigation damages differently, finding that the purchase of credit monitoring services in response to a data breach was recoverable damage so long as it was reasonable.⁵ The First Circuit noted its finding was factually distinguishable from that of other courts because the plaintiffs before it had already experienced fraudulent charges as a result of the breach. In other cases where personal data has been lost or misplaced but not necessarily stolen or misused, mitigation damages have been deemed unreasonable because the courts found the threat of identity theft was too tenuous or unlikely.⁶

B. The Supreme Court's 2013 Clapper v. Amnesty International Decision Builds a New Barrier for Plaintiffs to Demonstrate Standing

The Supreme Court's 2013 examination of Article III standing in Clapper v. Amnesty International⁷ has provided defendants in privacy-related cases with new authority to defeat claims premised on the loss or misuse of personal information.

[Page 196]

In Clapper, the plaintiffs claimed that their constitutional rights were violated by the government's activities under the Foreign Intelligence Surveillance Act. The plaintiffs were a group of lawyers, activists, and journalists who engaged in international communications with persons who could have potentially been targeted by government surveillance for national security reasons. As a result of the government's surveillance programs, plaintiffs alleged that the risk of surveillance was "so substantial that they ha[d] been forced to take costly and burdensome measures to protect the confidentiality of their international communications" and the threat of surveillance would force them to pay for unnecessary "travel abroad in order to have in-person conversations."⁸

The Supreme Court agreed with the government that plaintiffs had not demonstrated injury-in-fact to confer standing because the plaintiffs' "threatened injury" was not "certainly impending."⁹ The Court viewed the possible injuries as too attenuated, and declared that Article III standing is not "fanciful, paranoid, or otherwise unreasonable,"¹⁰ and that plaintiffs could not "manufacture standing merely by inflicting harm on themselves based on fears of hypothetical harm."¹¹ The Court's ruling effectively meant that plaintiffs would only have been able to demonstrate standing if in fact they could have shown their communications were under surveillance, or that their sources were specific targets of the government's spying—a burden that would be nearly impossible to show given the secrecy of the government's security program.

Although it was not a consumer privacy case, Clapper has influenced a number of federal courts considering standing issues in recent data breach cases. Following the Clapper decision, some courts have taken a harder stance that merely the risk of future harm arising from the loss or exposure of personal data is insufficient to allege injury-in-fact.

For example, in In re Science Applications International Corp. (SAIC) Backup Tape Data Theft Litigation, personal information of U.S. military veterans had been stored on a computer that was stolen from a SAIC employee's car.¹² The plaintiffs argued they had suffered injury from the loss of privacy, the lost value of their personal and medical information, and the costs of monitoring their privacy. The court found these injuries too remote, stating that it was "highly unlikely that the crook even understood what the tapes were . . . [a]nd until Plaintiffs can aver that their records have been viewed (or certainly will be viewed), any harm to their privacy remains speculative."¹³ Because it appeared that the plaintiffs' information was not the target of the criminal activity, the court found the risk was not substantial enough absent proof of some unauthorized use.

[Page 197]

Several other courts have relied on Clapper to find that plaintiffs have no actionable injuries arising from privacy violations and data breaches.¹⁴ They generally state that plaintiffs must prove not only that their information has been compromised, but also that it has resulted in tangible, economic injuries, and mitigation costs (like credit monitoring) are not always recognized as sufficient.¹⁵ Courts have also disagreed with plaintiffs who argued they were damaged by having their data exposed through a diminution in value theory unless they also alleged that they planned to sell their personal data.¹⁶ One court also rejected plaintiffs' statistical evidence that a data breach increased their risk of identity fraud—the "[n]amed Plaintiffs have alleged less than a 20% chance of being victimized by identity theft, identity fraud, medical fraud, or phishing, which does not create a substantial risk given the uncertainties in third party action required to produce harm here."¹⁷ Without allegations of monetary damages, courts following Clapper have considered plaintiffs' fears of future identity theft as paranoid, unlikely, and "contingent on a chain of attenuated hypothetical events and actions by third parties independent of the defendant."¹⁸ Under this line of reasoning, proven identity theft or a fraudulent unreimbursed charge on a plaintiff's credit card may be the only harm some courts will deem sufficient to allege injury and confer standing.¹⁹

While Clapper is a powerful tool for defendants to successfully argue motions to dismiss for lack of standing, as explored below, some courts have distinguished Clapper and found alternate avenues for plaintiffs to move forward with their claims.

[Page 198]

C. Different Views of Standing in Data Breach Cases Emerge After Clapper

Prior to Clapper, a number of cases in the consumer privacy context, particularly those in the Ninth Circuit, held that plaintiffs had standing when their personal information had been wrongfully disclosed.²⁰ Since Clapper, additional opinions have rejected defendants' arguments that Clapper dooms plaintiffs' claims when their information privacy has been breached. For example, in In re Sony Gaming Networks and Customer Data Security Breach Litigation,²¹ hackers had obtained customers' personal information, including their addresses, dates of birth, credit card information, and login credentials, but the plaintiffs did not have unauthorized charges to their accounts. The court still found the exposure constituted sufficient injury-in-fact, and reasoned that the Clapper decision did not create a new threshold standard for Article III standing. The court stated:

[T]he Supreme Court's decision in Clapper did not set forth a new Article III framework, nor did the Supreme Court's decision overrule previous precedent requiring that the harm be "real and immediate." To the contrary, the Supreme Court's decision in Clapper simply reiterated an already well-established

...