
Data breaches catch everyone by surprise. The breach itself stifles the entity that suffered it. But for anyone outside that entity who wonders whether they have been affected, the opportunity to bring a claim is not easy to establish. Standing is an issue that has to be overcome. The compromise of personally identifiable information (PII) has been in the news all too often. The reasons for its occurrence become everyone’s project. Whether the data was compromised by a company’s or agency’s disgruntled former employee, an unidentified hacker, or a nefariously loaded email, the concern is the same. Whether the cause is internal or external, it is nevertheless an intrusion to acquire the PII of hundreds if not thousands of individuals. The consternation that lingers is not weighed by the courts as having value. This is despite the apparent value of PII in the open illicit market for Social Security numbers, birthdates, and credit/debit card numbers. The claim that the simple fact of the misappropriation of PII is itself a harm, and that the PII has value to the plaintiff, has historically not swayed courts to conclude that Article III criteria are met.
Article III of the U.S. Constitution establishes the case and controversy requirement for anyone to have “standing” in a case. An injury-in-fact must be presented. Many reacted to the Facebook investigation thinking that they too had a chance to sue Facebook. Often overlooked was whether they had been harmed and, if so, to what extent. That calculus is ignored by many soon-to-be plaintiffs. The injury-in-fact factor must be supported by actual or imminent injury and cannot rest on conjecture.[1] A data breach event presents different circumstances that courts have had to adjust to in order to assess the element of harm incurred by plaintiffs.
In Clapper, the Supreme Court set a standard that the injury claimed to have been incurred must be ‘certainly impending’. The Court stated that the act of acquiring PII is not, by itself, enough to support the logical conclusion that harm has occurred or that the intruders are likely or able to read the data and misuse it. The Court also stated that the nature of the data requires assessment as well, in order to ascertain the criticality of the data in unauthorized hands, especially the accessibility of Social Security and credit card numbers together with date of birth data. In Spokeo, despite there being a claimed violation of the D.C. Consumer Protection Procedures Act, the Court determined that plaintiffs did not demonstrate a concrete harm to substantiate the determination of standing. In Remijas, the Seventh Circuit assessed the possible events that can follow from a data breach. In its analysis, it considered the lost value of the time the plaintiffs spent in all their efforts to address the breach and the circumstances arising out of the breach that required the plaintiffs’ action. The Remijas court seriously considered the costs of time away from work and the effort by the plaintiffs to deal with credit card companies, law enforcement, investigators, and governmental agencies regarding their misappropriated PII. The court assessed that the plaintiffs experienced the bother and torment of dealing with the circumstance of their PII being misappropriated.
The element of financial impact was considered by the Minnesota District Court in In re Target Corp to substantiate standing by virtue of demonstrated financial injuries, including charges, impaired bank account access, the impaired ability to pay bills, and incurred late payment charges and fees. In determining the financial impact incurred by plaintiffs, the courts assess whether the costs were indeed incurred or whether they were reimbursable. In the P.F. Chang’s case, the court assessed whether the claimed financial harm would uphold the requirement of standing when there were nonmonetary damages. The court decided that actual injury cannot coexist with a reimbursable cost, and it denied the plaintiff’s claims for the risk of identity theft and those associated with mitigation of damages.
In the In re Zappos.com case, the court shed light on the guessing that is involved in predicting the timing and actions of unidentified assailant[s] and their capacities to interpret and use the data. The court noted that it is not absolutely clear that the stolen data would be misused or that it can be used to construe the event of harm to the plaintiff. Such analysis could be attributed to the Anthem case determination in its second round, where the court gave import to the value of PII in the open market and found that the disclosure of that information imputed economic injury. That economic injury, however, was incurred by the merchants and not the plaintiffs.
Causation leading to harm will always be a fundamental criterion for determining standing, even in data breach cases. It is crucial to analyze the origin of the breach and its extent, touching on all factors of causation: the what, when, and how of each occurrence. The question of the value of harm is always a thorn, along with its future effect.
[1] See, Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992).
Lorenzo Law Firm is “Working to Protect your Business, Ideas, and Property on the Web.” Copyright 2018, all rights reserved Lorenzo Law Firm, P.A.