Does Clapper Silence Data Breach Litigation? A Two-Year Retrospective

This February 26, 2015, marks the two-year anniversary of the U.S. Supreme Court’s decision in Clapper v. Amnesty International USA,[1] which required plaintiffs to allege that a threatened injury is “certainly impending” in order to constitute an injury-in-fact sufficient to convey Article III standing. In this time, federal district courts in at least twelve data breach cases have applied Clapper.[2] While the majority of these courts have concluded that Clapper mandates dismissal for a lack of standing, some courts have found that standing exists. This article provides an overview of these cases and highlights certain considerations that impacted the courts’ analysis in determining whether standing exists.

The Clapper Decision

Clapper addressed the standing requirements under Article III of the U.S. constitution.[3] In the case, the Supreme Court made a number of statements that district courts have found relevant to data breach cases. However, Clapper itself was completely unrelated to a data breach – the case involved a challenge to the constitutionality of amendments to the Foreign Intelligence Surveillance Act of 1978 (“FISA”) that permit the government to engage in certain surveillance activities. US attorneys, human rights organizations, and other entities who believed their sensitive international communications would be subject to surveillance under the amendment sued for a declaration that the amendment was unconstitutional.

The Supreme Court declined to address the constitutionality of the amendments because it concluded that the Clapper plaintiffs lacked standing. The Court stated that a “threatened injury must be certainly impending to constitute injury in fact,” and that “allegations of possible future injury” are not sufficient.[4] The Clapper plaintiffs did not meet this standard. The Court considered the plaintiffs’ fear of government monitoring pursuant to the new statutes to be “highly speculative” and dependent upon “a highly attenuated chain of possibilities.”[5] According to the Court, this mere fear is insufficient to convey standing. Further, the Court explained that the plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending” – i.e., that alleged costs and burdens incurred in response to their fear of surveillance (e.g., travel costs to have in-person meetings) do not create standing because the harm they seek to avoid is not certainly impending.[6] The Supreme Court reversed and remanded. Defense attorneys and courts have applied this language from Clapper to data breach cases.

Types of Data Breaches

The types of data breaches at issue in the cases citing Clapper can be classified into three broad categories:

• Hacking: Hacking is by far the most common type of data breach at issue in the cases citing Clapper, accounting for seven of the twelve cases. Galaria v. Nationwide Mutual Insurance Co.,[7] Strautins v. Trustwave Holdings, Inc.,[8] In re Sony Gaming Networks and Customer Data Security (“Sony”),[9] Remijas v. Neiman Marcus Group, LLC,[10] Lewert v. P.F. Chang's China Bistro, Inc.,[11] Peters v. St. Joseph Servs. Corp,[12] and In re Adobe Sys. Privacy Litig. (“Adobe”),[13] all involved hackers accessing a network and stealing personal information. In these cases, various types of information were exposed or stolen, ranging from general PII, to Social Security Numbers, payment card data, medical information, and tax records. Only two of these cases – Sony and Adobe, both from California federal courts – survived a Clapper challenge.

• Physical Theft: Polanco v. Omnicell, Inc.,[14] In re Science Applications International Corp. (SAIC) Backup Tape Data Theft Litigation,[15] and Tierney v. Advocate Health & Hosps. Corp.[16] involved physical theft. In Polanco, an unencrypted laptop was stolen; in Tierney, four desktop computers; and in SAIC, backup tapes containing unencrypted data. Only some of the Tierney plaintiffs’ claims survived a Clapper attack.
• Point of Sale Attacks: In re Barnes & Noble PIN Pad Litigation (“B&N”)[17] and Moyer v. Michaels Stores, Inc.[18] involved attacks at a retail point-of-sale – through credit card skimmers in B&N and through malware in Moyer. Moyer survived a Clapper challenge.

Because the focus of an article III standing analysis is on a plaintiff’s injury, the form of the attack itself is not dispositive of whether standing will be found. However, in finding standing, the Adobe court, for example, found significance in certain allegations surrounding the attack – e.g., that “hackers deliberately targeted Adobe's servers and spent several weeks collecting names, usernames, passwords, email addresses, phone numbers, mailing addresses, and credit card numbers and expiration dates” and used Adobe’s own systems to decrypt credit card numbers.”[19] Partly because of the hackers’ alleged behavior, the court was willing to conclude that there was an “immediate and very real” risk of harm. However, information is “deliberately targeted” in many data breach cases – for example, in B&N, thieves used credit card skimmers – a deliberate action targeting payment card data, but the court did not find standing. Future data breach cases may further explore whether, and how, the specifics of a criminal’s acts affect the standing analysis.

Cases Applying Clapper to Dismiss Data Breach Cases

Several courts have dismissed data breach claims, at least based in part on Clapper.[20] Although a full analysis of each of these opinions is beyond the scope of this article, some observations can be distilled from these the opinions:

• These courts were generally hostile to the notion that a mere risk of identity theft is sufficient to establish standing. The B&N court explained that an alleged “risk to Plaintiffs of suffering some actual injury due to the security breach” – such as identity theft – is insufficient to convey standing.[21] The Galaria court explained that “an increased risk of identity theft, identity fraud, medical fraud or phishing is not itself an injury-in-fact” without allegations or facts suggesting that this harm is “certainly impending.”[22] The Polanco court similarly concluded that the mere threat of a possible future injury is insufficient to convey standing. These holdings demonstrate the high bar that plaintiffs face in establishing standing, particularly when there is a rush to the courthouse. Actual harm from a data breach may not materialize or become known until months or years after the breach, which suggests that a case that would survive a Clapper attack may need to be brought much later than current cases have been filed. However, the fact that it may take months or years for injury to surface may also make it difficult to prove causation.

• Some courts determined that actual fraudulent charges – but ones that the plaintiffs were not held financially responsible for paying – were not concrete injuries sufficient to convey standing. The Remijas and Lewert courts both reached this conclusion. The Remijas court also considered it a “leap too far” to conclude that individuals who actually had fraudulent charges on their credit cards were “also at a certainly impending risk of identity theft.”[23] Thus, the Remijas court drew an important distinction between fraudulent charges and identity theft – an issue that courts sometimes gloss over. While fraudulent charges can be reversed and credit cards can be reissued, actual identity theft, involving the fraudulent use of personal information to open new accounts and incur debts, likely poses much more harm to a plaintiff.

• Some data breach claims are very hypothetical or speculative. The Peters court took the plaintiff to task for her inability to “describe how she will be injured without beginning the explanation with the word 'if'" – the plaintiff “might be able to demonstrate harm if third parties become aware of her exposed information and reveal their interest in it; if they form an intent to misuse her information; and if they take steps to acquire and actually use her information to her detriment.”[24] Similarly, the Strautins court provided a hypothetical chain of events that would need to occur for Plaintiffs to suffer harm that would confer standing in an attempt to demonstrate just how attenuated the risk of identity theft actually is: for plaintiffs to become victims of identity theft, (a) their data would actually need to have been taken, (b) subsequently sold or otherwise transferred, (c) attempted to have been used, and then (d) successfully used by an acquirer.[25] The court considered the harm alleged by the plaintiff to be “contingent on a chain of attenuated hypothetical events and actions by third parties independent of the defendant.”[26] The Strautins court was also skeptical that the complaint, which was filed a mere three weeks after the data breach was announced, provided “no basis to believe that any of these events have come to pass or are imminent.”[27] This example demonstrates well just how many intervening acts are necessary for actual harm to befall a potential plaintiff in many data breach cases.

• Attempting to quantify an increased risk – even with big numbers – doesn’t necessarily make that risk any more relevant for purposes of standing. The plaintiffs in both Galaria and SAIC claimed that they were 9.5 times more likely than the general public to become victims of theft or fraud as a result of the lost data; however, both courts concluded that these allegations are immaterial. The SAIC court explained: “The degree by which the risk of harm has increased is irrelevant—instead, the question is whether the harm is certainly impending.”[28] The Galaria court stated: “a factual allegation as to how much more likely they are to become victims than the general public is not the same as a factual allegation showing how likely they are to become victims.”[29] For example, if the baseline risk of becoming a victim of some type of harm is 0.01%, then a ten-fold, or even perhaps 100- or 1,000-fold increase in that risk (resulting in an actual risk of 0.1%, 1% or 10%, respectively) may not mean that the increased risk is “certainly impending.” What matters is the actual risk of becoming a victim – not the multiplier.

• Plaintiffs may not be able to recover their actual expenditures that were incurred based on their fear of harm. Some of these decisions focused on the “manufacture[d] standing” concept from Clapper to reject alleged costs incurred to guard against a future hypothetical harm that is “not certainly impending.”[30] The SAIC court explained: “There is . . . nothing unreasonable about monitoring your credit after a data breach . . . [but] proactive measures based on fears of future harm that is not certainly impending do not create an injury in fact, even where such fears are not unfounded.” [31] In Polanco, where the plaintiff later sought medical treatment at a hospital that was not affected by the data breach, the alleged expenses did not create standing because they were “based entirely on her speculative belief” that the plaintiff’s personal or health information would be lost again by the defendants.[32] The language from these cases sets a high bar for plaintiffs to recover their expenditures based on their own fear, even if that fear is reasonable.

Cases Concluding that Clapper Does Not Mandate Dismissal

A small number of courts have concluded that some data breach cases sufficiently allege article III standing:

• The Clapper standing analysis may be too rigorous for cases not involving national security or constitutional questions. The Moyer court concluded that the plaintiffs had standing, creating a split of authority within the Northern District of Illinois. The Moyer court noted that Clapper analyzed imminence in an “especially rigorous” manner to avoid ruling on the constitutionality of the FISA amendments and questioned whether the same rigorousness was necessary in a case that did not present national security or constitutional issues. The Moyer court also noted that in a subsequent non-national security case,[33] the Supreme Court subsequently described the imminence requirement in a “less demanding” manner than in Clapper. Accordingly, the Moyer court concluded that “a credible, non-speculative risk of future harm” remained sufficient to confer standing, consistent with the Seventh Circuit’s prior decision in Pisciotta v. Old Nat’l Bancorp.[34] However, the court dismissed the case in whole for failure to state a claim. In contrast, the Strautins court concluded that Clapper superseded Pisciotta.

• District courts may be reluctant to conclude that Clapper impliedly overruled their earlier circuit precedent. The Sony court concluded that the Supreme Court did not set forth a new Article III framework in Clapper or overrule previous precedent requiring only that harm be “real and immediate.”[35] Therefore, both Clapper and the Ninth Circuit’s earlier decision in Krottner Starbucks Corp.,[36] which found standing based on a “credible threat of harm” that was “both real and immediate, not conjectural or hypothetical,” controlled the outcome of the case. The Sony court explained that there was no need for allegations that personal information was actually accessed by a third party; and that because the plaintiffs alleged a “credible threat of impending harm” based on the disclosure of their PII following the breach, the plaintiffs had standing. Nevertheless, the court proceeded to dismiss the majority of the counts for failure to state a claim.

• Hacking that deliberately targets personal information, and which results in that information being posted on the internet, may create a sufficient risk to convey standing. The court in Adobe court also concluded that Krottner remained viable, but it found standing independently of that determination. The Adobe court determined that there was an “immediate and very real” risk of harm based on the plaintiffs’ allegations that “hackers deliberately targeted Adobe's servers and spent several weeks collecting names, usernames, passwords, email addresses, phone numbers, mailing addresses, and credit card numbers and expiration dates,” used Adobe’s own systems to decrypt credit card numbers, and because some of the stolen data had already surfaced on the internet.[37]

Conclusion

As data breach litigation does not look like it will be stopping any time soon,[38] a body of district court case law applying Clapper will continue to develop. The first circuit court case law applying Clapper to data breach cases may be issued this year, as several decisions discussed above are already on appeal.[39] To the extent that conflicting appellate precedent develops, a data breach case may even reach the Supreme Court in the years ahead. Although Clapper is proving to be a useful tool for many data breach defendants, cases decided under Clapper in the past two years demonstrate that the decision will not likely end all data breach litigation. Cases where the plaintiffs state a credible injury will still be permitted to proceed – but these cases appear to be the exception. In addition, because Clapper only addresses the question of standing in federal courts, data breach litigation may be able to proceed in state court. Companies defending against data breach claims will likely want to be on the lookout for appellate opinions applying Clapper and to monitor district court cases applying Clapper.

This article was also published on February 25, 2015, in Law360 with the title "2 Years Of Clapper: Takeaways From 12 Data Breach Cases."

[1] 133 S. Ct. 1138 (2013).

[2] In the post-Clapper environment, other data breach cases have also been decided without explicit reliance on Clapper. See, e.g., In re Target Corp. Customer Data Sec. Breach Litig., 2014 U.S. Dist. LEXIS 175768, at *6-7 (D. Minn. Dec. 18, 2014) (finding standing); Burton v. MAPCO Express, Inc., 2014 U.S. Dist. LEXIS 127870, at *15 (N.D. Ala. Sept. 12, 2014) (finding no standing). This article does not address those cases.

[3] The concept of “standing” is based on Article III of the U.S. constitution, which limits the federal judicial power to certain “cases” and “controversies.” In order for a lawsuit to be heard in federal court, “standing” must exist. This means that only lawsuits alleging a particular type of injury may be heard in federal court – those alleging an injury that is “concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.” Clapper, 133 S. Ct. at 1147 (quoting Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139 (2010). Cases that do not meet this requirement may not be heard in federal court because no “case” or “controversy” is present.

[4] 133 S. Ct. at 1147.

[5] Id. at 1148.

[6] Id. at 1151.

[7] 998 F. Supp. 2d 646 (S.D. Ohio 2014).

[8] 27 F. Supp. 3d 871 (N.D. Ill. 2014).

[9] 996 F. Supp. 2d 942 (S.D. Cal. 2014).

[10] No. 14 C 1735, 2014 U.S. Dist. LEXIS 129574 (N.D. Ill. Sep. 16, 2014)

[11] No. 14-cv-4787, 2014 U.S. Dist. LEXIS 171142 (N.D. Ill. Dec. 10, 2014)

[12] No. 14-CV-2872, 2015 U.S. Dist. LEXIS 16451 (S.D. Tex. Feb. 11, 2015)

[13] No. 13-CV-05226, 2014 U.S. Dist. LEXIS 124126(N.D. Cal. Sep. 4, 2014)

[14] 988 F.Supp.2d 451 (D.N.J. 2013).

[15] No. MDL 2360, 2014 U.S. Dist. LEXIS 64125 (D.D.C. May 9, 2014).

[16] No. 13 CV 6237, 2014 U.S. Dist. LEXIS 158750 (N.D. Ill. Sep. 4, 2014)

[17] No. 12-CV-8617, 2013 U.S. Dist. LEXIS 125730 (N.D. Ill. Sept. 3, 2013).

[18] No. 14 C 561, 2014 U.S. Dist. LEXIS 96588 (N.D. Ill. July 14, 2014).

[19] 2014 U.S. Dist. LEXIS 124126, at *27-28.

[20] Barnes & Noble, Polanco, Galaria, Strautins, SAIC, Remijas, Lewert, Peters, and Tierney courts all dismissed data breach claims, at least in part based on Clapper.

[21] 2013 U.S. Dist. LEXIS 125730, at *8.

[22] 998 F. Supp. 2d at 654.

[23] 2014 U.S. Dist. LEXIS 129574, at *10.

[24] 2015 U.S. Dist. LEXIS 16451, at *14.

[25] 27 F. Supp. 3d at 876.

[26] Id.

[27] Id.

[28] 2014 U.S. Dist. LEXIS 64125, at *22.

[29] 998 F. Supp. 2d at 654.

[30] See, e.g., Galaria, 998 F. Supp. 2d at 657. See also B&N, 2013 U.S. Dist. LEXIS 125730 (because plaintiffs have not alleged that their data was actually stolen, they cannot plead that any harm is imminent; and therefore costs incurred to address these risks do not confer standing).

[31] 2014 U.S. Dist. LEXIS 64125, at *25-26 (internal citation, quotation marks, brackets, and ellipses omitted).

[32] 988 F.Supp.2d at 470.

[33] Susan B. Anthony List v. Driehaus, 134 S.Ct. 2334 (2014).

[34] 499 F.3d 629 (2007).

[35] 996 F. Supp. 2d at 961.

[36] 628 F.3d 1139 (9th Cir. 2010).

[37] 2014 U.S. Dist. LEXIS 124126, at *27-28.

[38] See, e.g., Daniel J. Solove, Why Do Lawsuits for Data Breaches Continue Even Though the Law Is Against Plaintiffs?, https://www.teachprivacy.com/lawsuits-data-breaches-continue-even-though-law-plaintiffs/.

[39] For example, Remijas, Lewert, and Tierney are currently pending before the Seventh Circuit.