In what may be a sign of an evolving judicial atmosphere and approach concerning data breach lawsuits, a Federal judge in the Northern District of California recently refused to dismiss various causes of action related to a data breach involving RockYou. In particular, the Court explored the issue of whether the plaintiff sufficiently alleged "damages" arising out of the data breach, and ultimately ruled that damages were properly alleged for four claims. This blog post takes a look the highlights of the Court’s decision, and speculates about its impact.
Like many of the data breach lawsuits that have been filed in the past, the RockYou lawsuit appeared to be following a familiar pattern: class action filed after data breach, defendants file a motion to dismiss and case dismissed based on a failure to adequately allege a legally cognizable harm. However, the RockYou Court deviated from this pattern by denying the defendant’s motion to dismiss on the harm issue for some of the plaintiff’s claims.
Standing under Article III
The Court first explored whether the plaintiff failed to allege an "injury in fact" for purposes of Article III standing. To support the injury in fact argument (as well as their arguments for harm under various legal claims), the plaintiff offered the following argument (as summarized by the Court):
Plaintiff generally alleges that defendant’s customers, including plaintiff, “pay” for the products and services they “buy” from defendant by providing their PII, and that the PII constitutes valuable property that is exchanged not only for defendant’s products and services, but also in exchange for defendant’s promise to employ commercially reasonable methods to safeguard the PII that is exchanged. As a result, defendant’s role in allegedly contributing to the breach of plaintiff’s PII caused plaintiff to lose the ‘value’ of their PII, in the form of their breached personal data.
Most regular readers of this blog will recognize that this argument for harm varies significantly from those used in the past that focused on items such as cost of credit monitoring, the costs of lost time and effort to monitor for identify theft and emotional distress. Rather, under this theory, the focus is the implied quid pro quo that exists throughout the Internet when users access free content and services in exchange for access to personal information and the ability to advertise to individuals. So what did the Court have to say about this?
On balance, the court declines to hold at this juncture that, as a matter of law, plaintiff has failed to allege an injury in fact sufficient to support Article III standing. Not only is there a paucity of controlling authority regarding the legal sufficiency of plaintiff’s damages theory, but the court also takes note that the context in which plaintiff’s theory arises – i.e., the unauthorized disclosure of personal information via the Internet – is itself relatively new, and therefore more likely to raise issues of law not yet settled in the courts. For that reason, and although the court has doubts about plaintiff’s ultimate ability to prove his damages theory in this case, the court finds plaintiff’s allegations of harm sufficient at this stage to allege a generalized injury in fact. If it becomes apparent, through discovery, that no basis exists upon which plaintiff could legally demonstrate tangible harm via the unauthorized disclosure of personal information, the court will dismiss plaintiff’s claims for lack of standing at the dispositive motion stage.
The Court then turned to the issue of whether damages were properly alleged for the plaintiff’s breach of contract and negligence-oriented claims.
Damages Alleged for Substantive Claims
In its motion to dismiss, the defendant argued that the plaintiff failed to allege damages for its breach of contract, breach of implied contract, negligence and negligence per se claims. Specifically the defendant argued that dismissal was warranted as follows:
Specifically, defendant asserts that plaintiff has failed to allege that the value of his PII has diminished as a result of defendant’s actions, how the breach of his PII affects him, or any loss whatsoever.
The Court, however, disagreed. It referred to the same reasoning it employed for the defendant’s lack of standing argument:
For the reasons already noted at the outset, therefore, the court concludes that at the present pleading stage, plaintiff has sufficiently alleged a general basis for harm by alleging that the breach of his PII has caused him to lose some ascertainable but unidentified “value” and/or property right inherent in the PII. As such, the court declines to dismiss plaintiff’s breach claims on grounds that plaintiff has failed to allege damages or harm as a matter of law.
As such, these four claims were allowed to proceed forward.
So what are the implications of the Court’s decision? One could argue that the decision signals a new willingness of courts (at least California Federal Northern District Courts) to allow for a more thorough judicial review of the claims alleged by data breach plaintiffs. We saw a similar holding in the Ruiz v. Gap case (also heard in the Northern District of California). That said, like the Ruiz court, it appears that the RockYou Court has some doubts as to whether the plaintiff will be able to establish damages going forward:
For that reason, and although the court has doubts about plaintiff’s ultimate ability to prove his damages theory in this case, the court finds plaintiff’s allegations of harm sufficient at this stage to allege a generalized injury in fact. If it becomes apparent, through discovery, that no basis exists upon which plaintiff could legally demonstrate tangible harm via the unauthorized disclosure of personal information, the court will dismiss plaintiff’s claims for lack of standing at the dispositive motion stage.
If the Northern District approach does represent a new approach ("As California Goes, So Goes the Nation") to analyzing these cases it could provide plaintiffs with additional litigation leverage. The next bite at the apple for the defendants will likely be a motion for summary judgment after discovery has occurred (and most likely some expert testimony). The risk of an adverse ruling on motion for summary judgment might induce settlement of some of these cases, which could attract more plaintiffs’ lawyers to file data breach suits.
In this case the actual harm theory is also interesting, and if personal information is viewed as property having traditional monetary value, it could also increase litigation risk. For example, if this theory is accepted by the Court, it could be used in cases involving data privacy. Beyond litigation risk, treating personal information in the same manner as real property could significantly impact the current quid pro quo of the Internet, and how information is collected, used and transferred. It will be interesting to follow this case through the next round of discovery and motion practice. We will keep you informed.