BreachExchange mailing list archives

Why (most) consumer data breach class actions vs Target are doomed


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 13 Jan 2014 18:18:25 -0700

http://blogs.reuters.com/alison-frankel/2014/01/13/why-most-consumer-data-breach-class-actions-vs-target-are-doomed/

Who doesn’t empathize with the 70 million Target customers whose private
information was supposedly hacked? No one likes to worry about identity
theft and impaired credit ratings, the odds of which, according to Reuters,
drastically increase for data breach victims. But that doesn’t mean Target
customers have a cause of action in federal court. I don’t see how the vast
majority of hacked Target shoppers can get past the threshold
constitutional requirement that they show an actual injury, at least under
the U.S. Supreme Court’s 2013 definition of injury in Clapper v. Amnesty
International.

I’m not saying Target faces no litigation exposure for the data breach.
Some of the new cases against the company are class actions by financial
institutions that had to bear the cost of notifying customers about
compromised debit cards, closing customer accounts and reissuing new cards.
Those cases involve real-money claims that will be tough for the company to
fend off with threshold defenses. So too will be suits by state attorneys
general making claims in state court under state consumer protection laws
(assuming, of course, that the Supreme Court does not hold that state AG
suits have to be litigated in federal court in this term’s Mississippi v.
AU Optronics case). And depending on the facts that emerge about Target’s
disclosure decisions, Target shareholders may have viable class action
claims that the company engaged in misrepresentation-by-omission.

Customers, however, are a different story, thanks to what I predict will be
a fatal intersection between the 2013 Clapper decision and the Class Action
Fairness Act.

CAFA, as the class action law is known, requires that class actions
involving more than 100 people and claims of more than $5 million be
litigated in federal court, even if they assert only state laws. Target
will almost certainly be able to remove all of the consumer class actions
stemming from the data breach to federal court. It’s also a near certainty
that the suits will be consolidated into a multidistrict litigation, in
which a single federal judge will decide pretrial motions. Target’s first
substantive motion in the consolidated litigation, you can be sure, will be
an argument that the privacy breach cases must be dismissed because
consumers do not have standing, under Article III of the U.S. Constitution,
to sue in federal court because they can’t show they’ve been injured.

That’s where the Clapper decision comes in. As I’ve explained in previous
blog posts, the Clapper case involved allegations by human rights groups
and public interest lawyers claiming that the National Security Agency’s
warrantless wiretapping program violated their First and Fourth Amendment
rights. The Supreme Court held that the human rights advocates did not have
standing because they couldn’t show their communications with terrorism
suspects were actually intercepted, only that they might have been. (That
finding came before Edward Snowden’s revelations about the extent of NSA
wiretapping.) The majority opinion in Clapper, written by Justice Samuel
Alito, said that standing requirements can be met only by showing actual
harm or “certainly impending” injury. Alito also said that plaintiffs can’t
establish standing by spending money to ward off a feared injury. “If the
law were otherwise, an enterprising plaintiff would be able to secure a
lower standard for Article III standing simply by making an expenditure
based on a non-paranoid fear,” he wrote. “(Plaintiffs) cannot manufacture
standing merely by inflicting harm on themselves based on their fears of
hypothetical future harm that is not certainly impending.”

Soon after the Clapper decision came down, defense lawyers in privacy
breach cases realized that the ruling’s definition of standing would be
useful to them as well. (Kudos to the privacy team at Ropes & Gray, which
was, I believe, the first to make a connection between Clapper and data
breach class actions.) Under Clapper, the defense argument goes, consumers
can’t establish standing based on either the possibility that their
personal information may be misused or the costs they’ve incurred to
monitor their credit reports for unauthorized charges. So far, federal
trial judges have been receptive to these arguments in privacy breach
litigation. I told you last September about the first two decisions that
tossed privacy cases based on Clapper, one a case stemming from the breach
of Barnes & Noble customer data, the other a class action accusing Sam’s
Club of failing to institute adequate data protection protocols. The third
Clapper-based dismissal of a privacy breach class action came late in
December, when U.S. District Judge Noel Hillman of New Jersey tossed a case
against several healthcare providers and a company that provides them with
pharmaceutical dispensary software.

According to Judy Selby of Baker & Hostetler, whose firm represented one of
the defendants in the New Jersey case (and who blogged about the ruling
last week), no federal judge has so far rejected Clapper standing arguments
in a privacy class action. “Without a real injury, there’s nothing
(consumers) can do,” Selby told me. “Without jurisdiction, you’re done.”
Especially because Target has already pledged to offer a year of
credit-monitoring services to customers whose information was hacked, Selby
said, consumers will have a very, very hard time showing enough of an
injury to establish their right to sue in federal court.

There are still two live federal circuit court decisions to the contrary.
In 2011, the 1st Circuit Court of Appeals held in Anderson v. Hannaford
that grocery store customers could show they were injured by a data breach
through the credit-monitoring costs they incurred. The following year, the
11th Circuit Court of Appeals found standing under somewhat distinct
circumstances in Resnick v. Avmed. But both of those rulings predated
Clapper, which would certainly seem to contradict the 1st Circuit’s
reasoning on standing and mitigation costs. Whether the 1st and 11th
Circuit decisions are still good law after Clapper is very much an open
question.

There could well be some consumers victimized by identity theft after their
personal information was stolen from Target, and perhaps they can show a
strong enough link between the Target hacking and injuries they suffered
from identity theft to establish Target’s liability. There may even be a
class of identity theft victims with viable claims. The rest of Target’s
customers, though, should be excluded from recovery – especially because
Target has already promised to pay for credit-monitoring services for them.

I hope Target’s defense lawyers – including the privacy team at Ropes that
first realized the impact in these cases of the Supreme Court’s holding in
Clapper – stand firm and litigate the standing question, rather than caving
in the face of a 70 million-member putative class. Retailers everywhere are
watching, said data privacy lawyer Al Saikali of Shook, Hardy & Bacon, who
has also blogged about the Target cases. Saikali said precedent is heavily
in Target’s favor and the complaints against the company seem so far to be
based on speculation. But if Target is forced to settle, he told me, every
company that does business on the Internet should be worried. “Target is a
very large company that undoubtedly had in place complex and sophisticated
safeguards to protect against this type of a data breach, and from what we
know so far, they notified affected individuals very quickly,” Saikali
wrote at his blog. “If there is anything less than a dismissal or summary
judgment entered in all of these cases, then the proverbial blood will be
in the water and we can expect the floodgates of data breach litigation to
open.”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss