Standing in the Midst of a Data Breach Class Action.

Author: Holt, Allison

IT'S among an in-house lawyer's greatest nightmares: a call from an employee in the company's information security department reporting anomalous and unauthorized activity in the company's databases. Over the next few days, the reality of the situation unspools quickly--often with inadvertent misinformation at several points along the way. The company has been attacked. Personally identifiable data of its customers or employees has been accessed and possibly exfiltrated by criminals.

Critical decisions must be made immediately, and those initial decisions may have severe implications for inevitable future class action lawsuits brought in response to the data breach or cyberattack. Should the company bring in outside forensic assistance? If so, which outside forensic firm offers the most credibility for the investigation? Should the company offer credit monitoring services? For how long? Through which provider? What mandated notice is required to regulators and affected individuals? How can the company minimize the P.R. damage? The list goes on and on.

Unfortunately, the scene above is playing out more and more frequently. Criminal cyberattacks are a very real danger for corporations (and even law firms). As a result, corporate counsel must grapple with an emerging new area of potential exposure for suits brought by individuals whose personal or financial data may have been affected.

A company's response in the immediate aftermath of a cyberattack or data breach, press releases, forensic investigations, notices to customers, offers of credit monitoring, and all the rest, is merely prelude. No matter how prompt and thorough a corporate victim's response to a data breach is, a breach of any discernible size will inevitably bring large-scale litigation. These cases nearly always take the form of a class action, where a handful of named plaintiffs seek to represent the interests of a purported class of alleged affected individuals seeking recovery for their personal or financial data potentially being compromised as a result of the breach.

As a threshold question, one might reasonably ask whether a cause of action even exists, given that the defendant corporations are, in nearly all cases, victims of a crime themselves. Indeed, in some cases, these cyberattacks are not merely crimes but acts of foreign espionage or foreign military conduct. (1) Data breach cases thus create a conundrum where a company is both a victim and a defendant called to account in court for its victim status. Even so, corporations continue to face significant litigation following a cyberattack. Corporate counsel's first and best chance to dispose of these cases is often by challenging plaintiffs' standing.

This article will thus focus primarily on Article III standing. There are numerous issues at play in data breach cases (discovery disputes, class certification, etc.), but the fight over standing is particularly salient because i) the landscape continues to mature and ii) a court's ruling on standing determines whether a case can proceed to the costly discovery and class certification stages. Moreover, despite nearly 15 years of litigating this issue and two applicable Supreme Court rulings, the terrain remains uncertain.

I. Plaintiffs' Most Common Allegation in Support of Standing in Data Breach Litigation Is Heightened Risk of Future Harm

When purported data breach class action cases are filed in federal court the first battleground is likely to be whether the plaintiff class has standing to sue under Article III. Because the federal court system is one of limited jurisdiction, in order to sue in federal court Article III requires that plaintiffs have standing to be there. The constitutional minimum for standing contains three elements: a plaintiff must have suffered an injury-in-fact, the injury must be causally connected to the challenged action of the defendant, and the injury must be redressable by a favorable decision. (2) The law is clear that allegations of possible future injury will not satisfy the standing requirement. Rather, plaintiffs must allege injury that is "concrete and particularized" and "actual or imminent, not conjectural or hypothetical." (3)

  1. Risk of Future Harm: The Early Years

    Historically, Article III's injury-in-fact requirement has been the biggest obstacle to plaintiffs' pursuit of class action litigation in the wake of a data breach. The most common theory of harm on which plaintiffs attempt to support such cases is the allegation that they suffer an increased risk of future identity theft or fraudulent charges by virtue of their personally identifying information ("PII") being compromised. Most early courts to face this issue held that plaintiffs' alleged increased "risk of future harm" was not sufficient to support standing. (4)

    In Reilly v. Ceridian, for instance, plaintiffs brought a putative class action against a payroll processing firm when an attacker infiltrated its system and potentially gained access to financial information for 27,000 employees at 1,900 companies. On appeal, the Third Circuit upheld the District Court's dismissal for lack of standing, explaining that the alleged increased risk of injury did not constitute actual injury because:

    [W]e cannot describe how the Appellants will be injured in this case without beginning our explanation with the word 'if': If the hacker read, copied, and understood the hacked information, and if the hacker attempts to use the information, and if he does so successfully, only then will Appellants have suffered an injury.... The present test is actuality, not hypothetical speculations concerning the possibility of future injury. (5)

    But not all circuits followed this early trend. In 2007, the Seventh Circuit found standing in Pisciotta v. Old National Bancorp., in which plaintiffs brought a class action against a bank after its website had been breached, alleging that the bank failed to adequately secure the personal information (including PII) it solicited on its website. (6) Plaintiffs rested their theory of injury entirely on the increased risk that their personal data would be misused in the future; they did not allege "any completed direct financial loss to their accounts" nor that they "already had been the victim of identity theft as a result of the breach." (7) In finding standing, the court surveyed cases in toxic substance, medical monitoring and environmental tort contexts, and concluded, "the injury-in-fact requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would have otherwise faced, absent the defendant's actions." (8)

    The Ninth Circuit made a similar finding a few years later in Krottner v. Starbucks Corp. (9) In Krottner, a laptop containing the names, addresses and social security numbers of 97,000 Starbucks employees was stolen. The court concluded that the plaintiffs had standing to pursue their case because they "alleged a credible threat of real and immediate harm." (10)

    2. The Supreme Court Weighs In: Clapper v. Amnesty International, USA

      Against the backdrop of this circuit split, the Supreme Court decided Clapper v. Amnesty International, USA, in which it considered whether risk of future injury satisfies the injury-in-fact requirement for standing under Article III. (11) Clapper is not a data breach case per se, but many practitioners speculated that its holding would nonetheless bring clarity to the standing requirements in the data breach context.

      Clapper involved a constitutional challenge to government surveillance of suspected terrorists under the Foreign Intelligence Surveillance Act...
