Antitrust and Unfair Competition Law

Competition: Spring 2015, Vol. 24, No. 1

THE STATE OF DATA-BREACH LITIGATION AND ENFORCEMENT: BEFORE THE 2013 MEGA BREACHES AND BEYOND

By Evan M. Wooten1

Over the past year, data breach and security have come to dominate the privacy law landscape. High-profile breaches at numerous retailers leading into the 2013 holiday season brought widespread awareness to risks that businesses have been navigating for the better part of a decade, if not longer. Consumers awoke to the reality that electronic systems are under constant threat of intrusion from malware, hackers, and foreign states. Lawmakers reacted to consumer alarm and unrest with calls for accountability and reform. Industry groups, governmental entities, and information-sharing systems representing public and private bodies increased efforts to identify threats and enhance security. And, of course, litigation ensued.

After a brief overview, this article will explore (i) traditional data-breach litigation and public enforcement efforts; (ii) the state and federal response to recent high-profile breaches; and (iii) significant developments in case law and enforcement since the 2013 mega breaches. The 2014 holiday season brought more high-profile breaches, bringing the issue back into focus and ensuring additional litigation. Data-breach lawsuits are nothing new, but there can be no question that the data-security landscape is changing. The question is, will changes in public perception and awareness augur different results in litigation and enforcement? Thus far, the answer has been mostly ‘no,’ but several developments warrant attention and bear watching in the future. Practitioners will want to familiarize themselves with existing law and keep close tabs on evolving issues.

DATA BREACH OVERVIEW

Corporate legal spending on data security in the United States increased from $1 billion in 2013 to $1.4 billion in 2014, and is expected to climb to $1.5 billion in 2015—a 7.9% increase that dwarfs the next highest practice area (2.7% for class actions).2 The issue is firmly on the radar of attorneys, businesses, regulators, and legislators. But data breach is not a new phenomenon. As Senator Rockefeller of West Virginia has observed, "[f]or nearly a decade, we’ve had major data breaches at companies both large and small."3 Companies in the United States have been hit particularly hard, at least financially speaking. In 2012, the United States "experienced the highest total average cost at more than $5.4 million" per data breach, or $188 per compromised record, costs that include detection, escalation, customer notification, remediation, and lost business, among other things.4 These figures do not include breaches of more than 100,000 consumer records—what the Ponemon Institute refers to as "mega" breaches—because those breaches had, in the past, been atypical.5 But mega breaches are becoming more common or, at least, more visible.

The mega breaches of 2013 and 2014 cast new light on data-breach litigation, but data-breach lawsuits are nothing new. The earliest examples of data breach—at least those that reached the courts—involved stolen or mislaid laptops and other hard assets. In a typical fact pattern, employees would leave laptop computers in cars or hotel rooms, and thieves would make off with the hard assets and any data they contained. Sometimes the thefts were the result of concerted criminal effort, other times the result of employee carelessness. Although it is tempting to view these scenarios as outdated and inconsequential by comparison to sophisticated cyber-attacks, recent data suggests that human error (35%) and system malfunction (29%) are nearly as common causes of data breach as malicious or criminal attacks (37%),6 and mislaid laptops are as common causes of litigation as malware, even in 2014. As discussed below, the context and cause of a breach could play an important role in judicial outcomes. Principles developed in the early data-breach cases continue to hold sway, for the most part, though several recent cases have departed from traditional views.

TRADITIONAL RULES OF PRIVATE DATA-BREACH LITIGATION

As discussed in greater detail below, there is no general data-security statute in the United States. Although some federal statutes, such as the Health Insurance Portability and Accountability Act ("HIPAA")7 and the Gramm-Leach-Bliley Act ("GLBA"),8 address data security in specific industries (health care and financial services, respectively) and most states have data-breach notification laws (which are expanding in scope), most data-breach lawsuits begin in state court, alleging causes of action under state common law.9

The basic allegation underlying most data-breach complaints is that companies took inadequate steps to safeguard consumer data, which resulted in or contributed to a breach. The particular breach could take many forms, e.g., malicious intrusion or probe into electronic systems, such as by malware or virus; compromise of point-of-sale technologies, such as credit-card readers or ATMs; rogue employees disclosing company records for profit or other impermissible motive; laptops and other company data left unsecured or unattended; or corporate espionage. Similarly, the breached data can take many forms: names, addresses, social security numbers, medical records, personal identification numbers ("PINs"), passwords, credit card numbers, and other personally identifiable information ("PII"). Consumers usually claim injuries in increased risk of identity theft and/or the diminution in value of their PII.

Although the basic allegations were essentially the same, early data-breach cases tested numerous theories of recovery, most commonly: (1) breach of contract, express or implied; (2) unjust enrichment; (3) invasion of privacy; (4) negligence; (5) misrepresentation (negligent or intentional); (6) infliction of emotional distress (negligent or intentional); and (7) violation of state consumer protection, unfair competition, and/or deceptive practices laws—analogues to the Federal Trade Commission Act ("FTCA"),10 such as California’s Unfair Competition Law ("UCL"),11 sometimes called "little" or "mini-FTC" acts. Courts have generally rejected each of these theories, using reasoning that can be summed up as follows: data-breach plaintiffs, who allege that their private information was compromised, cannot allege or establish that their data was actually purloined, disseminated, or misused.

Breach of contract allegations are generally dismissed for the simple reason that companies do not promise, as a matter of contract, to safeguard or protect consumer data from third-party intrusion.12 Historically, courts have refused to construe generic statements on company websites or promotional materials—that consumer data was safe or protected by certain security measures, such as firewalls or encryption—as express contractual obligations, or to imply contracts from such statements or the customer relationship at large.13

Unjust enrichment, or "quasi contract" as it is known in some states, is an alternative to breach of contract: "a plaintiff may not recover for unjust enrichment where a ‘valid, express contract governing the subject matter of the dispute exists.’"14 In most data-breach cases, a valid contract or privacy policy exists (negating a quasi-contract claim), but does not promise to protect data from intrusion.

Common-law invasion of privacy claims require, among other things, that plaintiff information be "published," i.e., publicly disseminated or disclosed to an appreciable number of people. Traditionally, data-breach plaintiffs have been able to allege that their data was compromised, but not that the data was disseminated publicly. In such cases, courts have dismissed invasion of privacy claims for lack of publication.15

Similarly, courts have dismissed negligence, negligent misrepresentation, and negligent infliction of emotional distress claims, citing the "economic loss doctrine." Torts, including those sounding in negligence, can only be pursued to redress personal or property damage, as opposed to purely economic losses.16 To recover for economic losses, plaintiffs must sue in contract. But as discussed above, consumer contracts rarely impose data-security obligations.

And while unfair competition and deceptive practice claims are not subject to the economic loss rule, such state laws often only authorize injunctive relief or restitution, rather than compensatory damages for economic loss.17 Other consumer protection statutes authorize compensatory damage awards,18 but courts interpreting those statutes have traditionally held data-breach plaintiffs to a very high standard, one most plaintiffs cannot meet. A data breach is actionable under some state statutes, for example, only if the defendant was "systematically reckless," the breach was "aggravated by [a] failure to give prompt notice," and the breach resulted in "very widespread and serious harm to other companies and to innumerable consumers."19

In sum, early data-breach cases rarely survived motions to dismiss (or demurrers), primarily because plaintiffs could not allege a compensable injury. This rule has crystallized in a line of cases applying the "case" or "controversy" requirement of Article III of the U.S. Constitution to data-breach complaints, particularly since the Supreme Court’s 2013 decision in Clapper v. Amnesty International USA.20 Article III limits the jurisdiction of federal courts to true cases or controversies: the plaintiff must have suffered "actual or imminent" injury as opposed to "hypothetical" or "conjectural" harm.21 To have standing to pursue any cause of action in federal court, a plaintiff must allege (1) a "concrete and particularized injury" that is (2) "fairly traceable" to the defendant’s conduct and which is also (3) likely redressed by the judicial resolution.22 The Supreme Court has referred to these requirements as the "irreducible constitutional minimum" of all lawsuits in U.S. federal court.23

[Page 232]

Clapper was not a data-breach case. Rather, U.S. journalists reporting on foreign affairs sued to invalidate 2008 amendments to the Foreign Intelligence Surveillance Act ("FISA"), which relaxed warrant requirements for surveillance of non-U.S. persons located abroad.24 The journalists feared their foreign communications would be surveilled, and some traveled long distances to meet personally with their contacts, incurring travel costs.25 The Second Circuit Court of Appeals found these costs sufficient to satisfy Article III, but the Supreme Court disagreed. According to the Supreme Court, the threat of potential surveillance was not sufficiently imminent, i.e., "certainly impending."26 Put another way, the "theory of future injury [was] too speculative to satisfy" Article III, resting on a chain of "highly attenuated" inferences, including that the government would target the journalists’ contacts, obtain a warrant, and in fact intercept the journalists’ communications.27

The Supreme Court rejected the journalists’ challenge, even though they incurred actual, demonstrable costs to prevent potential surveillance. The fears the journalists paid to allay were still hypothetical or conjectural, and it has long been the rule that plaintiffs "cannot manufacture standing merely by inflicting harm on themselves."28 Otherwise, a loophole would exist in the "irreducible constitutional minimum": standing would depend largely on what a plaintiff had done as opposed to what harm had been done to the plaintiff.

Although Clapper was not a data-breach case, courts and observers quickly saw the parallels between the Clapper facts and the data-breach context. Data-breach victims might perceive a threat of future identity theft and even incur costs to prevent that threat, e.g., purchasing credit monitoring services, obtaining new credit cards, conducting a private investigation, etc. But few data-breach plaintiffs can allege that their accounts or records have been accessed or misused.

Before Clapper, many courts dismissed data-breach complaints for lack of Article III standing,29 but the results were not uniform.30 Since Clapper, however, courts have generally dismissed data-breach complaints where the plaintiff could not allege data misuse or identity theft, a rule emerging as the "majority" view.31 And while Article III applies only in federal cases (including those alleging state-law causes of action), the standing defense is not limited to federal courts. State courts have held that data-breach plaintiffs cannot maintain actions without an imminent or "certainly impending" risk of data misuse, citing Clapper and similar federal decisions.32

A recent decision of the D.C. District Court illustrates the prevailing view.33 In September 2011, a thief broke into the car of an employee of a government contractor and stole the car stereo, GPS, and several backup tapes that contained personal and medical information about nearly five million U.S. military service members and their families.34 The theft led to eight separate class actions across Texas, California, and the District of Columbia that ultimately were consolidated for trial.35 All told, plaintiffs from twenty-four states collaborated on a consolidated complaint, alleging twenty causes of action, including negligence, breach of contract, and violation of various state consumer protection laws.36 The plaintiffs asserted numerous injuries, including an increased risk of identity theft, expenses incurred to mitigate that risk, and diminished value of their PII.37

While sympathizing with the plight of the service members and recognizing its ruling offered "cold comfort," the district court dismissed the consolidated complaint for lack of standing.38 The plaintiffs’ fears were "rational," even "reasonable," but they were not "certainly impending."39 Echoing the concerns of many courts, the district judge explained that the data tapes "could be uploaded onto [the thief’s] computer and fully deciphered, or they could be lying in a landfill somewhere in Texas because she trashed them after achieving her main goal of boosting the car stereo and GPS."40 According to the district court, "there is simply no way to know" what becomes of breached data "until either the crook is apprehended or the data is actually used."41 And under Article III, courts cannot get involved unless and "until something untoward happens."42

Put another way, every data breach theoretically increases the likelihood that consumers’ data will be accessed, disseminated, or misused. But "how much more likely [plaintiffs] are to become victims than the general public is not the same as . . . how likely they are to become victims."43 Absent allegations that actual harm is imminent, courts generally dismiss data-breach complaints for lack of standing.

TRADITIONAL OUTCOMES OF PUBLIC DATA-BREACH ENFORCEMENT ACTIONS

In addition to private litigation, public enforcement bodies have brought complaints in the wake of data breaches, particularly the Federal Trade Commission ("FTC") and state attorneys general. The FTCA empowers the FTC to prevent "unfair or deceptive" acts and practices through administrative enforcement actions and other processes (e.g., rulemaking).44 Likewise, most mini-FTC acts authorize state attorneys general and other public prosecutors (such as city and district attorneys) to sue for unfair competition or deceptive practices.45 Unlike private litigants, who are sometimes limited to restitution and injunctive relief in unfair competition actions, public prosecutors generally can pursue additional monetary relief, such as civil penalties and attorneys’ fees.46 The FTC, for example, may seek "redress" in a federal district court for any injury done to consumers, including damages and restitution,47 after finding liability in an administrative trial. The FTC also may sue to recover civil penalties for knowing violations of a final agency order (including violations by third parties).48

[Page 235]

Over the past decade, the FTC has brought and settled fifty data-breach complaints through its administrative process.49 The FTCA does not specifically empower the FTC to investigate, regulate, or seek enforcement regarding data security, but the FTC has assumed authority in this and other privacy and technology-related fields, while at the same time calling for federal legislation.50 The practice, which is not without criticism, has led observers to describe the FTC as America’s "technology cop" or the "Federal Technology Commission."51 Initially, the FTC brought data-breach complaints under the "deceptive" prong of its general enforcement authority, but now proceeds primarily under both the "deceptive" and the "unfairness" prongs.52

Until recently, each of the FTC’s data-breach enforcement actions ended in settlement (memorialized in consent decrees), and no challenge to the FTC’s authority reached a court or resulted in a judicial decision. Moreover, the FTC has not promulgated any rules or regulations regarding data security, citing (among other things) the need for greater rulemaking authority and a desire to preserve and promote flexibility and technological advancement in data security.53 Some have criticized the FTC for filing enforcement actions without first issuing standards to guide company compliance.54 Nonetheless, a review of the FTC’s recent data-breach settlements reveals several common features, which may exemplify the FTC’s current view of acceptable best practices.

For example, the four data-breach settlements consummated in 2013 (there were no such settlements in 2014) each required that the settling companies: (1) designate dedicated personnel to be responsible for an "information security program"; (2) identify "material internal and external risks" to data security, particularly in connection with employee training and management, information systems, and threat detection; (3) implement "reasonable safeguards" to control and prevent such risks; (4) develop "reasonable steps" to select secure vendors who will have access to company data; and (5) evaluate, monitor, and adjust such measures regularly (over a twenty-year period in the consent decrees).55 These requirements are largely process-based, rather than technological, in keeping with the FTC’s currently-stated aim to preserve flexibility and develop data-security standards through a common law case-specific approach.56

State attorneys general also have pursued data-breach complaints, though not with the frequency of the FTC. Most states have data-breach notification laws on the books and have for some time.57 These statutes typically require companies to give expedient notice (e.g., "without unreasonable delay") after learning of a data breach (e.g., upon reasonable belief of unauthorized acquisition of customer information).58 Some statutes even set a deadline by which companies must notify consumers, though notice can be delayed in most cases for law enforcement purposes or to determine the scope of the breach and restore the integrity of information systems.59

Many states also require that breached companies notify the state attorney general (or other state authority) of a data breach,60 and attorneys general are authorized to bring suit to enforce the statutes.61 Several attorneys general have already done so. For example, in 2011, Indiana Attorney General Greg Zoeller brought and settled a suit alleging that health insurer WellPoint, Inc. waited too long (four months) to notify consumers of a breach and failed to notify the Attorney General’s office altogether.62 WellPoint paid $100,000 to the State and offered affected customers up to two years of credit-monitoring services to resolve the suit.63 Similarly, in 2013, California Attorney General Kamala Harris filed and later settled a complaint alleging that Kaiser Foundation Health Plan, Inc. was slow to disclose a 2011 breach (again, four months).64 Kaiser paid $150,000 to resolve the dispute and agreed to provide notice of future breaches on a rolling basis, rather than at the conclusion of the internal investigation.65 As will be shown below, similar suits have been brought and settled since the 2013 mega breaches, while several states have revamped their data-breach notification laws.

THE LATE 2013 MEGA BREACHES

The discussion thus far has generally described the state of litigation and enforcement before the mega breaches of late 2013. Although the perception may be that the law only began to develop around that time, or has since undergone radical transformation, that is not the case. For the most part, the law remains the same, though there have been several notable developments since late 2013, with more almost certain to come.

THE FEDERAL LAW RESPONSE

A flurry of congressional activity followed the late 2013 mega breaches. Congress called representatives of breached companies to testify in open session, committees and subcommittees launched probes and authored reports, and lawmakers in both houses proposed legislation.66 But legislators could not agree on a uniform approach to data security, and the majority of proposals languished and stalled. In late 2014, however, Congress passed, and the President signed into law, five bills addressing data security in federal agencies and systems. These bills marked the first major data-security legislation since 2002’s Federal Information Security Management Act ("FISMA"),67 which required federal agencies to develop data-security measures and to certify their procedures annually with the Office of Management and Budget ("OMB").68

The new bills include the following: (1) the Federal Information Security Modernization Act,69 which amends FISMA and replaces the annual certification model (compliance checklists) with a requirement to "continuously monitor" information systems for data security; (2) the Cybersecurity Workforce Assessment Act,70 which requires the Department of Homeland Security ("DHS") to enhance cybersecurity workforce readiness; (3) the Homeland Security Workforce Assessment Act,71 which establishes data-security positions within the DHS; (4) the National Cybersecurity Protection Act,72 which formalizes the National Cybersecurity and Communications Integration Center ("NCCIC"), the government’s data-security incident response center; and (5) the Cybersecurity Enhancement Act,73 which authorizes the Commerce Department’s National Institute of Standards and Technology ("NIST") to develop voluntary data-security standards for critical infrastructure.74

The new data-security bills only affect federal agencies, and any critical infrastructure standards promulgated by NIST will be voluntary. Congress has yet to address data security in the private sector or to set (or authorize) mandatory standards, but Congress could still act, and calls for federal data-security legislation continue. Indeed, in the lead-up to the 2015 State of the Union and during the address itself, President Barack Obama urged Congress to enact national data-security laws, including a uniform data-breach notification standard and liability protection for companies that share data-security information with the federal government.

Obviously, enactment of any federal legislation would greatly impact data-breach litigation and enforcement. Congress could clarify whether the FTC has authority to regulate data breach: it could expand that authority, remove it (to the extent it exists), or repose regulatory authority in some other body—even a new regulatory entity created specifically to oversee data security or other privacy or technology issues. Congress itself could set data-security standards or delegate the task to regulators or entities such as NIST or the NCCIC. The standards could be as broad as "reasonable" security and "continuous monitoring" or be composed of specific, technological requirements.

Federal legislation could preempt state laws, in whole or in part, or preempt less restrictive state laws while permitting more stringent state pronouncements, as with HIPAA. Importantly, federal legislation could create a private right of action for aggrieved individuals, which could preempt state-law causes of action or complement such claims. Even if a statute does not expressly provide a private right of action, the right could be implied if courts conclude Congress "intended to create the private remedy,"75 as with Rule 10b-5 of the Securities and Exchange Commission. And even if federal statutes and regulations do not provide a private right of action, they could still inform the duties imposed in common-law negligence actions. In the HIPAA context, for example, state courts have begun to hold that HIPAA regulations may inform the duty of care in state-law actions for negligent breach of patient confidentiality, even though HIPAA provides no private right of action and preempts contrary state laws.76

Potential legislation is also important for another, less obvious reason, as a result of recent developments in certain federal circuits. Statutes establishing private rights of action often set statutory damages amounts, which a plaintiff can claim irrespective of actual harm. In establishing a private right of action for damages, Congress can delineate what a plaintiff must plead to pursue and recover statutory damages, i.e., statutory standing. But, historically, Congress cannot confer Article III standing, and statutory standing is no substitute for constitutional standing. Put another way, "[i]n no event … may Congress abrogate the [irreducible] Art. III minima."77 As such, even if Congress establishes (or courts imply) a private right of action for data-breach victims, plaintiffs would still have to satisfy Article III to bring suit—something plaintiffs have traditionally found difficult to do.

Several federal appellate decisions, however, have cast uncertainty on the rule that a mere statutory violation (without actual injury) cannot confer Article III standing. Courts in the Sixth and Ninth Circuits have allowed plaintiffs to pursue statutory violations and damages under the Fair Credit Reporting Act ("FCRA")78 and the Real Estate Settlement Procedures Act ("RESPA")79 without alleging actual injury.80 And dicta from a Seventh Circuit decision81 has led district courts in that circuit to find Article III satisfied "without proof of injury" under statutes such as FCRA.82 Courts in the Second and Fourth Circuits, meanwhile, have held to the traditional view that actual injury must be established even in statutory-damage cases,83 while the Third Circuit itself is split.84

Courts have generally rejected efforts to ground data-breach claims in federal statutes such as FCRA and the Stored Communications Act ("SCA"),85 which prohibits electronic communications services and remote computing services from divulging customer information.86 Until that changes, the confusion surrounding constitutional standing in the statutory damages context should not greatly affect data-breach complaints. But if Congress enacts data-security legislation and fixes statutory damages, the debate would become highly relevant. Removing or undermining the actual injury bar could lead to a significant increase in actionable data-breach complaints.

THE STATE LAW RESPONSE

As discussed, most states had data-breach notification laws on the books before the late 2013 mega breaches. Since that time, more states have passed breach-notification laws,87 while other states have made significant amendments to their existing statutes. Florida, for example, amended its statute in July 2014, reducing the breach-notification deadline to thirty days and requiring breached companies to provide data-security policies and a "computer forensics report" to the state attorney general in the event of a breach.88 California, on the other hand, expanded its requirement of "reasonable security" measures—which used to apply only to companies that "own or license" customer information—to all businesses that "maintain" the personal information of California residents.89 Under the new law, any company that maintains personal information on California residents will have to employ reasonable security measures or potentially face suit from the California Attorney General. These changes could foreshadow amendments in other states or lead to increased enforcement efforts by public prosecutors. State attorneys general continue to file and settle data-breach complaints. In November 2014, for example, Massachusetts Attorney General Martha Coakley settled a data-breach complaint against a Boston hospital resulting from the 2012 theft of a doctor’s unencrypted laptop,90 the state’s fourth such settlement since 2012.

NOTABLE DEVELOPMENTS IN LITIGATION AND ENFORCEMENT

Perhaps the most significant decision since the late 2013 mega breaches was reached in the regulatory context. While most FTC enforcement actions have ended in settlement, two companies have challenged the FTC’s authority over data security and one challenge resulted in a decision on the merits by a district court.

On April 7, 2014, a New Jersey district court denied a motion to dismiss an FTC complaint stemming from multiple hacks of the Wyndham hotel chain from 2008 through 2010.91 Wyndham and numerous amici argued that the FTC lacked statutory authority over data security, citing the existence of more specific legislation (such as HIPAA and GLBA), ongoing debate about the need for new legislation, and the FTC’s failure to set clear data-security standards.92 But the district court took the opposite approach, declining to "carve out" a data-security exception to what it viewed as broad FTC "unfairness" authority.93 The court found no conflict with existing data-security legislation (only complementary authority) and concluded that "the FTC does not necessarily need to formally publish rules and regulations" before bringing suit for alleged data-security violations.94

The court was clear that its decision had no bearing on Wyndham’s potential liability under the FTCA and did not represent a "blank check" for the FTC to bring suit "against every business that has [ever] been hacked."95 But the court offered no indication of what limits might surround the FTC’s authority or what circumstances might warrant dismissal of an FTC complaint, other than to say its decision was limited to the facts alleged in the Wyndham complaint.96 The court recognized, however, the "importance of data security" and the issues posed by data-breach lawsuits.97 As such, the court certified an immediate interlocutory appeal to the Third Circuit,98 which remains pending. Assuming the case does not resolve beforehand, the Third Circuit’s ruling will almost certainly be one of the biggest privacy law developments of 2015.99

On the private litigation side, case law developments have been more subtle. While many courts continue to apply traditional principles to dismiss data-breach complaints,100 several courts have reached different results by applying the same or slightly modified principles. In early 2014, two California district courts dismissed the bulk of two data-breach lawsuits, but left intact claims for misrepresentation under California consumer protection laws.

In In re LinkedIn User Privacy Litigation, the court allowed a California Unfair Competition Law ("UCL") claim to proceed after LinkedIn represented in its User Agreement that customer data would "be protected with industry standard protocols and technology."101 The court found that the plaintiff had standing under Article III and the UCL because she purchased LinkedIn’s premium service in reliance on the representation.102 The "critical distinction" between the plaintiff’s theory of economic injury and traditional data-breach cases was the allegation that the plaintiff’s "payment or overpayment was caused by LinkedIn’s alleged misrepresentations."103 The court dismissed the plaintiff’s breach of contract and additional UCL claims, which had been the subject of a prior dismissal,104 with prejudice, for lack of standing.105

Similarly, in In re Sony Gaming Networks & Customer Data Security Breach Litigation, the court dismissed forty-five of the plaintiffs’ fifty-three causes of action under the laws of nine different states and the FCRA, but let stand claims under California’s UCL, False Advertising Act,106 Consumer Legal Remedies Act,107 and breach-notification statute;108 as well as claims under the Florida, Michigan, Missouri, and New Hampshire mini-FTC acts and for breach of the implied covenant of good faith and fair dealing

[Page 243]

under California law.109 As in LinkedIn, the surviving causes of action were predicated on commitments to "take ‘reasonable steps’ to secure" customer data and "use industry-standard encryption to prevent unauthorized access to sensitive financial information" in the defendant’s privacy policy and terms of use.110

But the Sony Gaming court went a step further than LinkedIn. The court accepted the plaintiffs’ allegation that the data breach posed a "credible threat" of harm, a formulation of the Article III standard drawn from Krottner v. Starbucks Corporation,111 a pre-Clapper decision by the Ninth Circuit Court of Appeals.112 The Sony Gaming defendants argued that Clapper "tightened" the Article III standard, but the district court disagreed, finding no conflict between its ruling and Clapper.113 According to the court, "although the Supreme Court’s word choice in Clapper differed from the Ninth Circuit’s word choice in Krottner," "credible threat" versus "certainly impending," "Clapper did not set forth a new Article III framework" or overrule Krottner.114 The court thus allowed a limited subset of claims to survive, even though the plaintiffs did not allege data misuse or identity theft.

The California district court in In re Adobe Systems, Inc. Privacy Litigation115 went yet a step further, holding that even if Clapper overruled Krottner, plaintiffs still had Article III standing to sue for data breach.116 The plaintiffs had alleged that "hackers deliberately targeted Adobe’s servers and spent several weeks collecting" customers’ PII, including plaintiffs’.117 The court contrasted the situation to In re SAIC, where the court wondered whether data lifted from a contractor’s laptop was lying in a landfill somewhere.118 The Adobe plaintiffs alleged that "[s]ome of the stolen data has already surfaced on the Internet, and other hackers ha[d] . . . misused it to discover vulnerabilities in Adobe’s products."119 The court thus found that "the risk that plaintiffs’ personal data [would] be misused by the hackers who breached Adobe’s network [was] immediate and very real"—sufficient to satisfy Article III.120

The contrast between SAIC and Adobe represents a subtle, but potentially significant shift in data-breach jurisprudence. Before—in the context of laptop theft, when less was known about sophisticated rings of hackers and targeted intrusion software—courts assumed that plaintiff data had not been misused, absent allegations to the contrary. More

[Page 244]

recently, in the context of deliberate, targeted hacks by organized hackers, courts are more willing to assume that data will be accessed or misused. As Judge Lucy H. Koh put it in the Adobe decision, "why would hackers target and steal personal customer data if not to misuse it?"121 In this way, the context—even the publicity—surrounding a data breach may play a significant role in the judicial outcome. But it is important to note that LinkedIn and Sony Gaming involved specific representations to safeguard consumer data, while Adobe included some allegations of actual data misuse. Most courts, faced with complaints that do not involve specific representations or actual misuse, continue to dismiss data-breach complaints, applying fundamental principles of constitutional law.

As Judge Salas noted in the Wyndham decision, "we live in a digital age that is rapidly evolving," where "maintaining privacy is, perhaps, an ongoing struggle": data security "undoubtedly raises a variety of thorny legal issues that Congress and the courts will continue to grapple with for the foreseeable future."122 As they do, businesses and practitioners should pay close attention, alert to major changes and subtle trends.

[Page 245]

——–

Notes:

1. Evan Wooten is an associate at Mayer Brown LLP, a member of Mayer Brown’s consumer class action and commercial law groups, and co-editor of Mayer Brown’s Privacy and Security publications and newsletter. This article reflects the views of the author and not necessarily those of Mayer Brown LLP, its attorneys, or its clients.

2. BTI Consulting Group, Inc., BTI Legal Spending Outlook 2015: Changes, Trends and Opportunities for Law Firms (2014).

3. Protecting Personal Consumer Information from Cyber Attacks and Data Breaches: Hearing Before the S. Comm. on Commerce, Sci. & Transp., 113th Congress (2014) (statement of Sen. John D. "Jay" Rockefeller IV, Chairman, S. Comm. on Commerce, Sci. & Transp.).

4. Ponemon Institute, 2013 Cost of Data Breach Study: Global Analysis 1, 5 (2013), available at http://www.ponemon.org/local/upload/file/2013%20Report%20GLOBAL%20CODB%20FINAL%205-2.pdf.

5. Id. at 3.

6. Id. at 7.

7. 29 U.S.C. § 1181 et seq.

8. 15 U.S.C. § 6801 et seq.

9. This article does not address data-security lawsuits in contexts subject to specific legislation, such as HIPAA or the GLBA.

10. 15 U.S.C. § 41 et seq.

11. Cal. Bus. & Prof. Code § 17200 et seq.

12. See, e.g., In re Zappos.com, Inc., No. 3:12-cv-00325-RCJ-VPC, 2013 WL 4830497, at *3 (D. Nev. Sept. 9, 2013) ("Plaintiffs allege that [defendant] breached a contract to safeguard their data. But there is no allegation of any express or implied contract.").

13. Id. ("[S]tatements on [defendant’s] website . . . that its servers were protected by a secure firewall and that customers’ data was safe . . . do not create any contractual obligations.").

14. In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 984 (S.D. Cal. 2014) (describing Florida, Massachusetts, Michigan, Missouri, New Hampshire, New York, Ohio, and Texas law).

15. See, e.g., Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646, 661-63 (S.D. Ohio 2014) (dismissing invasion of privacy claims that failed to allege that defendant "publicized" or "disclosed" plaintiff PII "to the public at large, or to so many persons that the matter must be regarded as substantially certain to become one of public knowledge").

16. See, e.g., Zappos.com, 2013 WL 4830497, at *3-4.

17. See, e.g., Cal. Bus. & Prof. Code §§ 17203-04.

18. See, e.g., 815 Ill. Comp. Stat. Ann. 505/10a(a); Mass. Gen. Laws Ann. ch. 93A, § 9.

19. In re Michaels Stores Pin Pad Litig., 830 F. Supp. 2d 518, 526 (N.D. Ill. 2011) (applying the Illinois Consumer Fraud and Deceptive Business Practices Act) (alteration in original); see also In re TJX Cos. Retail Sec. Breach Litig., 564 F.3d 489 (1st Cir. 2009) (applying the Massachusetts Consumer Protection Law).

20. 133 S. Ct. 1138 (2013).

21. Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992).

22. Id.

23. Id.

24. Clapper, 133 S. Ct. at 1142.

25. Id. at 1145-46.

26. Id. at 1143.

27. Id. at 1143, 1148 (emphasis in original).

28. Id. at 1151.

29. See, e.g., Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3d Cir. 2011) (finding no standing for customers of payroll processing firm absent proof hacker "read, copied, and understood" their data).

30. Cf. Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 634 (7th Cir. 2007) (finding standing for bank customers due to "increased risk" of future harm following data hack).

31. U.S. Hotel & Resort Mgmt, Inc. v. Onity, Inc., No. CIV. 13-1499 SRN/FLN, 2014 WL 3748639, at *5 (D. Minn. July 30, 2014) ("In the ‘lost data’ context, where the courts have split somewhat on the question of standing, it now appears that a majority of the courts to have addressed the ‘lost data’ issue hold that plaintiffs whose confidential data has been exposed, or possibly exposed, by theft or a breach of an inadequate computer security system, but who have not yet had their identity stolen or their data otherwise actually abused, lack standing to sue the party who failed to protect their data."); see also In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., Misc. Action No. 12-347 (JEB), MDL No. 2360, 2014 WL 1858458, at *8 (D.D.C. May 9, 2014) ("[S]ince Clapper was handed down last year, courts have been even more emphatic in rejecting ‘increased risk’ as a theory of standing in data-breach cases.").

32. See, e.g., Vides v. Advocate Health & Hosps. Corp., No. 13-CH-2701 (Ill. 19th Judicial Cir. May 27, 2014) (finding that because threat of identity theft depended on "chain of attenuated and hypothetical events" including "whether [patient] data was actually taken after the removal, whether it was subsequently sold or otherwise transferred, whether anyone who obtained the data attempted to use it, and whether or not they succeeded," it thus was not "imminent" or "certainly impending").

33. In re SAIC, 2014 WL 1858458.

34. Id. at *1.

35. Id. at *1-3.

36. Id.

37. Id. at *3.

38. Id. at *6-7.

39. Id.

40. Id. at *6.

41. Id.

42. Id. at *7.

43. Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646, 654 (S.D. Ohio 2014) (emphasis in original).

44. 15 U.S.C. § 45.

45. See, e.g., Cal. Bus. & Prof. Code §§ 17204, 17206; 815 Ill. Comp. Stat. Ann. 505/10; Mass. Gen. Laws Ann. 93A § 4.

46. See, e.g., Cal. Bus. & Prof. Code § 17206 (authorizing courts to impose a civil penalty not to exceed $2,500 for each violation of the statute in actions brought by California public prosecutors); 815 Ill. Comp. Stat. Ann. 505/7 ("Court may impose a civil penalty in a sum not to exceed $50,000 against any person found by the Court to have engaged in any method, act or practice declared unlawful under this Act" in actions by the Illinois attorney general or state’s attorney); Mass. Gen. Laws Ann. 93A § 4 (authorizing a civil penalty of not more than $5,000 for knowing violations as well as reasonable costs of investigation and litigation, including attorneys’ fees, in actions by the Massachusetts attorney general).

47. 15 U.S.C. § 57b (authorizing courts to award relief necessary to redress consumer injury, including but not limited to refunds and damages); F.T.C. v. Nat’l Bus. Consultants, Inc., 781 F. Supp. 1136, 1141 (E.D. La. 1991) (noting that courts’ authority includes ability to order restitution).

48. 15 U.S.C. § 45(m).

49. Protecting Personal Consumer Information from Cyber Attacks and Data Breaches, Before the S. Comm. on Commerce, Sci. & Transp., 113th Congress 4 (2014) (prepared statement of the Federal Trade Commission), available at http://www.ftc.gov/system/files/documents/public_statements/293861/140326datasecurity.pdf.

50. See id. at 10-12.

51. Brian Fung, The FTC Was Built 100 Years Ago to Fight Monopolists. Now, It’s Washington’s Most Powerful Technology Cop, Wash. Post, Sept. 25, 2014, http://www.washingtonpost.com/blogs/the-switch/wp/2014/09/25/the-ftc-was-built-100-years-ago-to-fight-monopolists-now-its-washingtons-most-powerful-technology-cop/ (quoting Geoffrey Manne, Executive Director of the International Center for Law and Economics).

52. See, e.g., F.T.C. v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602, 607 (D.N.J. Apr. 7, 2014) (asserting both prongs), motion to certify appeal granted (June 23, 2014).

53. Andrew Scurria, FTC Wants Rulemaking Power For Cybersecurity Reforms, Law360, Mar. 26, 2014 ("It’s critically important that there be flexibility embedded in any legislation to allow the FTC to adapt any rule to emerging and evolving technology.") (quoting Edith Ramirez, FTC Chairwoman, in remarks to the Senate Commerce Committee at a March 26, 2014 hearing).

54. Wyndham, 10 F. Supp. 3d at 616.

55. See, e.g., Agreement Containing Consent Order, CBR Systs., Inc., File No. 112 3120 (Jan. 28, 2013), available at http://www.ftc.gov/sites/default/files/documents/cases/2013/01/130128cbragree.pdf; Agreement Containing Consent Order, TRENDnet, Inc., File No. 122 3090 (Sept. 4, 2013), available at http://www.ftc.gov/sites/default/files/documents/cases/2013/09/130903trendnetorder.pdf; Agreement Containing Consent Order, Compete, Inc., File No. 102 3155 (Oct. 22, 2012), available at http://www.ftc.gov/sites/default/files/documents/cases/2012/10/121022competeincagreeorder.pdf (approved Feb. 25, 2013); Agreement Containing Consent Order, Accretive Health, Inc., File No. 122 3077 (Dec. 31, 2013), available at http://www.ftc.gov/sites/default/files/documents/cases/131231accretivehealthorder_0.pdf.

56. The recent consent decrees did not contain an express monetary component, though the costs of compliance could be significant.

57. Alabama, New Mexico, and South Dakota have not yet passed data-breach notification laws.

58. See, e.g., 815 Ill. Comp. Stat. § 530/10; Mass. Gen. Laws Ann. 93H § 3; N.Y. Gen. Bus. Law § 899-aa.

59. See, e.g., Me. Rev. Stat. tit. 10, § 1348 (seven business days after required investigation); Ohio Rev. Code § 1347.12 (no later than forty-five days after discovery); Vt. Stat. Ann. tit. 9, § 2435 (same); Wis. Stat. § 134.98 (same).

60. See, e.g., Ind. Code Ann. § 24-4.9-3-1 (notice to the attorney general); Mass. Gen. Laws Ann. 93H § 3 (notice to the attorney general and the director of consumer affairs and business regulation).

61. See, e.g., Ind. Code Ann. § 24-4.9-4-2; Mass. Gen. Laws Ann. 93H § 6.

62. See Press Release, Office of the Indiana Attorney General, Attorney General Reaches Settlement With WellPoint in Consumer Data Breach (July 5, 2011), available at http://www.in.gov/portal/news_events/71252.htm.

63. See id.

64. See Allison Grande, Calif. AG Puts A Clock on Data-Breach Reporting, Law360, Feb. 3, 2014.

65. See id.

66. See, e.g., Juan Carlos Rodriguez, Senate Dems Target Cybercrime With Data Security Bill, Law360, Jan. 31, 2014 (discussing the Data Security and Breach Notification Act introduced by Sens. Dianne Feinstein, D-Calif.; John Rockefeller, D-W.Va.; Mark Pryor, D-Ark.; and Bill Nelson, D-Fla).

67. 44 U.S.C. § 3541, et seq.

68. See generally Eric Chabrow, Obama Signs 5 Cybersecurity Bills, Gov Info Security, Dec. 18, 2014, http://www.govinfosecurity.com/obama-signs-5-cybersecurity-bills-a-7697.

69. Federal Information Security Modernization Act of 2014, Pub. L. No. 113-283, 128 Stat. 3073.

70. Cybersecurity Workforce Assessment Act, Pub. L. No. 113-246, 128 Stat. 2880 (2014) (codified at 6 U.S.C. § 146).

71. Border Patrol Agent Pay Reform Act of 2014, Pub. L. No. 113-277, 128 Stat. 2995 (codified at 6 U.S.C. § 146).

72. National Cybersecurity Protection Act of 2014, Pub. L. No. 113-282, 128 Stat. 3066 (codified at 6 U.S.C. § 148).

73. Cybersecurity Enhancement Act of 2014, Pub. L. No. 113-274, 128 Stat. 2971.

74. Pursuant to Executive Order 13636 (Feb. 12, 2013), NIST released the first version of its Framework for Improving Critical Infrastructure Cybersecurity on February 12, 2014. See National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity (2014), available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf.

75. Transamerica Mortg. Advisors, Inc. (TAMA) v. Lewis, 444 U.S. 11, 15-16 (1979).

76. See, e.g., Byrne v. Avery Ctr. for Obstetrics & Gynecology, P.C., 102 A.3d 32, 41-43 (Conn. 2014); Bonney v. Stephens Mem’l Hosp., 17 A.3d 123, 128 (Me. 2011); Fanean v. Rite Aid Corp. of Delaware, Inc., 984 A.2d 812, 823 (Del. Super. Ct. 2009); Young v. Carran, 289 S.W.3d 586 (Ky. Ct. App. 2008); Acosta v. Byrum, 638 S.E. 2d 246, 253 (N.C. Ct. App. 2006).

77. Gladstone Realtors v. Vill. of Bellwood, 441 U.S. 91, 100 (1979); see also Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992) (describing the "irreducible constitutional minimum" of standing).

78. 15 U.S.C. § 1681 et seq.

79. 12 U.S.C. § 2607.

80. Edwards v. First Am. Corp., 610 F.3d 514, 517 (9th Cir. 2010) (writing in a RESPA case that "injury required by Article III can exist solely by virtue of statutes creating legal rights, invasion of which creates standing") (internal quotations omitted) (citation omitted); Beaudry v. TeleCheck Servs., Inc., 579 F.3d 702, 707 (6th Cir. 2009) (writing in an FCRA case that Congress "has the power to create new legal rights, including rights of action whose only injury-in-fact involves the violation of that statutory right") (internal quotations omitted) (citation omitted).

81. Murray v. GMAC Mortg. Corp., 434 F.3d 948, 953 (7th Cir. 2006).

82. See, e.g., Armes v. Sogro, Inc, 932 F. Supp. 2d 931, 937-38 (E.D. Wis. 2013) ("[B]ecause the FCRA provides for awards of statutory damages where a violation is willful, ‘actual damages are not necessarily a precondition for suit.’") (quoting Killingsworth v. HSBC Bank Nev., N.A., 507 F.3d 614, 622 (7th Cir. 2007)).

83. David v. Alphin, 704 F.3d 327, 338 (4th Cir. 2013) (writing that federal courts have jurisdiction "only where [plaintiffs] have both statutory and constitutional standing"); Kendall v. Emp. Ret. Plan of Avon Prods., 561 F.3d 112, 119 (2d Cir. 2009) (writing that plaintiffs "must allege some injury or deprivation of a right, even if right is statutorily created").

84. Compare Alston v. Countrywide Fin. Corp., 585 F.3d 753, 763 (3d Cir. 2009) ("[P]laintiff need not demonstrate that he or she suffered actual monetary damages" to have Article III standing to sue under RESPA) with Fair Hous. Council of Suburban Philadelphia v. Main Line Times, 141 F.3d 439, 443-44 (3d Cir. 1998) ("[A] violation of the [statute] does not automatically confer standing on any plaintiff.").

85. 18 U.S.C. § 2702.

86. See, e.g., In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 1011-12 (S.D. Cal. 2014) (dismissing FCRA claims because breached company was not a credit reporting agency); Burrows v. Purchasing Power, LLC, No. 1:12-CV-22800-UU, 2012 WL 9391827, at *4-5 (S.D. Fla. Oct. 18, 2012) (dismissing SCA claims because breached company did not qualify as an electronic communications or remote computing service).

87. In April 2014, Kentucky passed its data-breach notification bill, becoming the forty-seventh state to do so. See Ky. Rev. Stat. Ann. § 365.732.

88. Fla. Stat. Ann. § 501.171.

89. A.B. 1710, 2014 Cal. Legis. Serv. Ch. 855 (eff. Jan. 1, 2015) (amending Cal. Civ. Code §§ 1798.81.5, 1798.82, 1798.85).

90. See Press Release, Office of the Massachusetts Attorney General, Beth Israel Deaconess Medical Center to Pay $100,000 Over Data Breach Allegations (Nov. 21, 2011), available at http://www.mass.gov/ago/news-and-updates/press-releases/2014/2014-11-21-beth-israel-data-breach.html.

91. F.T.C. v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602, 608 (D.N.J. Apr. 7, 2014).

92. Id. at 610-12.

93. Id. at 612.

94. Id. at 613-19 (emphasis in original).

95. Id. at 610.

96. Id.

97. Id. at 609-10.

98. Id. at 633-36.

99. In addition to the FTC, the Federal Communications Commission ("FCC") entered the data-breach fray in October 2014, fining two telecommunications companies a combined $10 million for allegedly storing customer data on unsecured internet servers. See Press Release, Federal Communications Commission, FCC Plans $10M Fine For Carriers That Breached Consumer Privacy (Oct. 24, 2014), available at http://www.fcc.gov/document/10m-fine-proposed-against-terracom-and-yourtel-privacy-breaches. The FCC grounded its authority in the statutory directive to ensure "just and reasonable" charges for communications services, 42 U.S.C. § 201(b), an approach that is likely to draw challenges similar to those levied against the FTC.

100. See, e.g., U.S. Hotel & Resort Mgmt., Inc. v. Onity, Inc., No. CIV. 13-1499 SRN/FLN, 2014 WL 3748639 (D. Minn. July 30, 2014); In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., Misc. Action No. 12-347 (JEB), MDL No. 2360, 2014 WL 1858458 (D.D.C. May 9, 2014); Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646, 646 (S.D. Ohio 2014).

101. No. 5:12-CV-03088-EJD, 2014 WL 1323713, at *1, *6 (N.D. Cal. Mar. 28, 2014).

102. Id. at *5-6.

103. Id. at *5.

104. In re LinkedIn User Privacy Litig., 932 F. Supp. 2d 1089, 1092-95 (N.D. Cal. 2013).

105. In re LinkedIn User Privacy Litigation, No. 5:12-CV-03088-EJD, 2014 WL 1323713, at *9 (N.D. Cal. Mar. 28, 2014).

106. Cal. Bus. & Prof. Code § 17500 et seq.

107. Cal. Civ. Code § 1770 et seq.

108. Cal. Civ. Code § 1798.80 et seq.

109. In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 1013-14 (S.D. Cal. 2014).

110. Id. at 990.

111. 628 F.3d 1139, 1142 (9th Cir. 2010).

112. In re Sony Gaming, 996 F. Supp. 2d at 961.

113. Id.

114. Id.

115. No. 13-CV-05226-LHK, 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014).

116. Id. at *8.

117. Id.

118. Id. at *9.

119. Id. at *8.

120. Id.

121. Id. at *9.

122. F.T.C. v. Wyndham Worldwide Corp., 10 F. Supp. 3d 602, 609-10 (D.N.J. Apr. 7, 2014).
