Litigation: Data breach class actions stymied by recent Supreme Court decisions
Data breaches typically involve lots of people, making them prime targets for class actions.
August 15, 2013 at 07:44 AM
9 minute read
The original version of this story was published on Law.com
Data breaches typically involve lots of people, making them prime targets for class actions. Most cases have not gotten to the class certification stage because they have been dismissed on standing grounds, and when they have reached the class phase, certification has been denied because of the predominance of individualized issues. Two recent Supreme Court decisions, Clapper v. Amnesty International USA, in which the court held that actions based on speculative injury cannot proceed due to lack of standing, and Comcast Corp. v. Behrend, an antitrust case in which the court held that when damages are individualized, a class cannot be certified, reinforce these trends. While neither case involves a data breach, both have significant ramifications in the data breach context.
Many cases have been dismissed on standing grounds, such as Hammond v. The Bank of New York Mellon and Randolph v. ING Life Insurance and Annuity Company. A number of circuit courts have recognized standing, but nevertheless have dismissed the action for lack of a compensable injury. For example, see Pisciotta v. Old National Bancorp from the 7th Circuit in 2007 and Ruiz v. GAP, Inc. from the 9th Circuit in 2010.
However, in 2011, the 1st Circuit allowed a case to proceed, Anderson v. Hannaford Bros.Co., holding that reasonable out-of-pocket expenses necessary to mitigate future harm are recoverable, and that such steps are a reasonably foreseeable consequence of a data breach. In addition to common law claims, plaintiffs often bring statutory claims. But, like common law claims, there is a question on whether there is standing or damages for these claims. For example, in Sterk v. Best Buy Stores, a Video Privacy Protection Act case, the district court held that “Congress cannot erase Article III's standing requirement by statutorily granting the right to sue to a plaintiff who would not otherwise have standing.”
The Supreme Court's Clapper decision now makes it clear that actual injury is required for a plaintiff to proceed under Article III in any context. Clapper was brought under the Foreign Intelligence Surveillance Act (FISA). Plaintiffs alleged that an amendment to FISA that permitted the government to intercept their foreign transmissions without probable cause was unconstitutional, and having to take measures to protect their communications from surveillance had harmed them. The Supreme Court held that Article III standing — and not standing under FISA in particular—requires actual injury, and that speculative injury is insufficient to create standing: “We have repeatedly reiterated that 'threatened injury must be certainly impending to constitute injury in fact,' and '[a]llegations of possible future injury' are not sufficient.” The court further cautioned against standing based on self-inflicted injury: A plaintiff “cannot manufacture standing merely by inflicting harm based on fears of hypothetical future harm that is not certainly impending.” Indeed, “If the law were otherwise, an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear.”
While not many cases have proceeded to the class certification stage, those that have gotten that far generally have been dismissed because of the predominance of individualized issues. Most recently, in In re Hannaford Bros. Co. Customer Data Security Breach Litig. discussed above, the 1st Circuit affirmed standing but denied class certification. The court recognized that damages would differ among class members, depending on whether they had incurred fraudulent charges and took steps to mitigate harm.
The Supreme Court's Comcast decision, decided shortly after Hannaford, makes it clear that the existence of individualized damages precludes class certification. Comcast was brought by Philadelphia cable subscribers alleging that Comcast had violated the Sherman Act by monopolizing Philadelphia's cable market. The Supreme Court ruled that when damages are so individualized that they outweigh any common elements of the case, a class may not be certified under the predominance requirement of Rule 23(b)(3): “Questions of individual damage calculations will inevitably overwhelm questions common to the class.”
Plaintiffs will try to confine Clapper and Comcast to their specific facts. But the decisions are not so limited. Thus, the battles will continue, and the predominance of individualized issues can still be expected to be the battleground for most data breach class actions that manage to proceed to class certification.
Data breaches typically involve lots of people, making them prime targets for class actions. Most cases have not gotten to the class certification stage because they have been dismissed on standing grounds, and when they have reached the class phase, certification has been denied because of the predominance of individualized issues. Two recent Supreme Court decisions, Clapper v. Amnesty International USA, in which the court held that actions based on speculative injury cannot proceed due to lack of standing, and
Many cases have been dismissed on standing grounds, such as Hammond v.
However, in 2011, the 1st Circuit allowed a case to proceed, Anderson v. Hannaford Bros.Co., holding that reasonable out-of-pocket expenses necessary to mitigate future harm are recoverable, and that such steps are a reasonably foreseeable consequence of a data breach. In addition to common law claims, plaintiffs often bring statutory claims. But, like common law claims, there is a question on whether there is standing or damages for these claims. For example, in Sterk v.
The Supreme Court's Clapper decision now makes it clear that actual injury is required for a plaintiff to proceed under Article III in any context. Clapper was brought under the Foreign Intelligence Surveillance Act (FISA). Plaintiffs alleged that an amendment to FISA that permitted the government to intercept their foreign transmissions without probable cause was unconstitutional, and having to take measures to protect their communications from surveillance had harmed them. The Supreme Court held that Article III standing — and not standing under FISA in particular—requires actual injury, and that speculative injury is insufficient to create standing: “We have repeatedly reiterated that 'threatened injury must be certainly impending to constitute injury in fact,' and '[a]llegations of possible future injury' are not sufficient.” The court further cautioned against standing based on self-inflicted injury: A plaintiff “cannot manufacture standing merely by inflicting harm based on fears of hypothetical future harm that is not certainly impending.” Indeed, “If the law were otherwise, an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear.”
While not many cases have proceeded to the class certification stage, those that have gotten that far generally have been dismissed because of the predominance of individualized issues. Most recently, in In re Hannaford Bros. Co. Customer Data Security Breach Litig. discussed above, the 1st Circuit affirmed standing but denied class certification. The court recognized that damages would differ among class members, depending on whether they had incurred fraudulent charges and took steps to mitigate harm.
The Supreme Court's
Plaintiffs will try to confine Clapper and
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllLululemon Faces Legal Fire Over Its DEI Program After Bias Complaints Surface
3 minute readOld Laws, New Tricks: Lawyers Using Patchwork of Creative Legal Theories to Target New Tech
Lawsuit Against Amazon Could Reshape E-Commerce Landscape
Trending Stories
- 1Dog Gone It, Target: Provider of Retailer's Mascot Dog Sues Over Contract Cancellation
- 2Lululemon Faces Legal Fire Over Its DEI Program After Bias Complaints Surface
- 3Plaintiff Gets $500K Policy Limit Without Surgery
- 4Philadelphia Bar Association Executive Director Announces Retirement
- 5SEC Chair Gary Gensler to Resign on Trump's Inauguration Day
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250