Tech Tips

• Jurisdiction: United States,Federal
• Citation: Vol. 38 No. 3 Pg. 66
• Pages: 66
• Publication year: 2015

Tech Tips Vol. 38 No. 3 Pg. 66 Wyoming Bar Journal June, 2015

Blake A. Klinkner President, Young Lawyers Section.

Data Breach Lawsuits and Article III Standing: Will the United States Supreme Court Make It Easier for Identity Theft Victims to Have Their Day in Court?

In an earlier article this year, I discussed a rash of high profile data breaches involving a number of prominent businesses, several of which have resulted in the fling of class action lawsuits.^[1] Courts have started to issue rulings in these data breach cases, and so far, these rulings have been adverse to the plaintiffs. Indeed, the most recent rulings in these cases have been dismissals for lack of standing on the part of alleged victims of identity and data theft. However, the United States Supreme Court recently granted certiorari in a case which could potentially make it easier for plaintiffs in data breach class actions to survive challenges to standing.

Green v. eBay Inc.: The Most Recent Blow to Data Breach Class Action Lawsuits

In the most recent of these rulings, a class action lawsuit against eBay was dismissed pursuant to Federal Rule of Civil Procedure 12(b)(1), after the court found that the Plaintiff “failed to allege a cognizable Article III injury” and therefore lacked standing.^[2] In Green v. eBay Inc., Green fled a putative class action suit after eBay’s database was breached by unknown persons in early 2014 who gained access to data belonging to its 120 million users which included names, physical addresses, phone numbers, email addresses, dates of birth, and passwords.^[3] In his suit, Green asserted causes of action under several federal laws including the Stored Communications Act and the Fair Credit Reporting Act, as well as several state law causes of action.^[4] Green alleged that as a direct and proximate result of the data breach, he and the putative class members suffered “economic damages,” “actual identity theft,” “improper disclosures of their personal information,” “out-of-pocket expenses incurred to mitigate the increased risk of identity theft and/or identity fraud due to eBay’s failures,” “the value of their time spent mitigating identity theft and/or identity fraud, and/or the increased risk of identity theft and/or identity fraud,” and “deprivation of the value of their personal information.”^[5] eBay countered that the putative class action should be dismissed because Green never pled that his (or any of the putative class members’) personal information was actually used by unknown persons for any nefarious purpose, such as to fraudulently obtain lines of credit, and therefore Article III standing does not exist because of the absence of “any cognizable in-jury whatsoever.”^[6]

To begin its analysis of whether the case required dismissal, the Green court framed the issue before it as “whether the increased risk of future identity theft or identity fraud posed by a data security breach confers Article III standing on individuals whose information has been compromised by the data breach but whose information has not yet been misused.”^[7] The court then found that Green’s...