A circuit split on whether actual misuse of personal data is required to have standing to assert data breach claims remains unresolved. Last week the Supreme Court rejected a petition to review that issue in CareFirst v. Attias. In CareFirst, the D.C. Circuit joined several other circuits in holding that the threat of misuse of data, in and of itself, gives rise to standing. Other circuits require more concrete harm in the form of actual misuse of data. Until the Supreme Court settles the issue, companies will remain susceptible to data breach lawsuits in jurisdictions adhering to the liberal standard endorsed in CareFirst.
Kevin McGinty is a Member in the firm’s Boston office whose practice is concentrated in complex corporate, health care and class action litigation. Kevin co-chairs the firm's Class Action Working Group and has extensive experience defending consumer, privacy, antitrust, unfair trade practice, contract, mass tort, and employment class actions. Kevin has also handled numerous commercial and class action disputes for insurers (life, auto, and casualty companies), retailers, manufacturers, private equity firms, banks and accounting firms.
This week’s disclosure that a 2013 data breach may have affected all 3 billion Yahoo accounts then in existence could alter the scope of the consolidated data breach cases currently pending against Yahoo in the federal court in San Francisco. In the wake of the court’s August 30 order denying Yahoo’s motion to dismiss the case, the parties have been in the process of negotiating a schedule for discovery and motion practice. The parties had been due to make their joint scheduling submission to the Court today. However, just last night, Judge Lucy Koh issued an order postponing the submission deadline in order to allow the parties to address the impact of Yahoo’s recent disclosure. The court ordered Yahoo to “disclose to Plaintiffs available information regarding the recent data breach disclosure by October 6, 2017, so that the Joint Case Management Statement can propose a realistic amended case schedule.” The court also directed that Yahoo “expedite its production of discovery regarding the recent data breach disclosure and include a proposal to do so” in the parties’ joint scheduling submission, which is now due to be submitted on October 11, 2017.
Despite some courts’ evident confusion about the impact of payment card theft on consumer cardholders, other courts are getting it right. Just this week, a judge in the Northern District of Illinois issued an order dismissing the second amended complaint filed by consumer cardholders in In re Barnes & Noble Pin Pad Litig. (N.D. Ill.). This order marked the third time that the court had dismissed the consumer cardholder claims due to lack of injury. Here, as in every theft of credit or debit card data, the fact that consumers are held harmless for fraudulent charges on their cards means that such losses – which are borne by the issuing banks – do not result in injury to consumers sufficient to confer statutory or constitutional standing. This leaves plaintiffs, like those in Barnes & Noble, to argue that they sustained actionable injury because of inconvenience (cards are replaced, accounts are temporarily frozen) or apprehension of potential future harm (future adverse credit impact). The court in Barnes & Noble held the former to be insufficiently significant to allow claims under statutes requiring proof of loss, while the latter was deemed too speculative to permit standing. Even though plaintiffs could show that they purchased credit monitoring services after the breach, the court held that money spent on attempts to mitigate future fraud is not an injury that may be redressed under state unfair competition law.
Having dismissed three separate attempts to plead an actionable claim, the court dismissed the second amended complaint in Barnes & Noble with prejudice. With this ruling, the court has provided additional support for defendants resisting consumer claims arising from theft of payment card data.
Snatching victory of a sort from the jaws of defeat, shareholders who brought a derivative action alleging that the 2014 Home Depot data breach resulted from officers’ and directors’ breaches of fiduciary duties have reached a settlement of those claims. As previously reported in this blog, that derivative action was dismissed on November 30, 2016. That dismissal followed on the heels of dismissals of derivative actions alleging management breaches of fiduciary duties in connection with the Wyndham and Target data breaches. Despite that discouraging precedent, the Home Depot shareholder plaintiffs noticed an appeal from the trial court’s order of dismissal. The parties subsequently resumed settlement discussions that had broken off in the fall of 2016, on the eve of argument and decision of Home Depot’s motion to dismiss. On April 28, 2017, the parties submitted a joint motion disclosing and seeking preliminary approval of the proposed settlement. If approved, the proposed settlement would result in dismissal of the shareholders’ appeal and an exchange of mutual releases, thereby terminating the fiduciary claims arising from the Home Depot data breach.
When data thieves steal payment card data, consumers suffer no legally cognizable injuries. Card issuers absorb the fraudulent charges and replace the affected cards. Because fraudulent charges are not billed to consumers, they do not show up on consumers’ credit reports or otherwise affect their credit ratings. Moreover, because the thieves end up possessing terminated and useless payment card numbers, they cannot inflict any future harm. Thus, consumers have no need for credit monitoring services – whether for free or otherwise – in the wake of a payment card data breach. With no out of pocket losses, no risk of future losses, and no reasonable basis to expend resources on credit monitoring, a consumer whose payment card data has been stolen has no standing to bring suit in federal court.
Counsel for a class of card-issuing banks filed a settlement agreement on March 8 proposing a class settlement to resolve claims arising from the 2014 theft of payment card data from Home Depot point-of-sale terminals. The contemplated $27.25 million class settlement follows in the wake of over $140 million already paid by Home Depot to settle issuer bank claims through card association settlement processes. The revelation that Home Depot was able to use private means to settle the vast majority of the bank claims outside of the class action raises significant questions about whether the proposed settlement class satisfies the requirement under Rule 23(b)(3) that a class action provide a superior means to resolve class members’ claims.
When hackers steal consumer data, injury to consumers is not a foregone conclusion. This is particularly so where credit and debit card numbers are stolen. Banks, not consumers, bear the cost of fraudulent charges. Consumers’ credit ratings are unaffected by such charges, and stolen payment card numbers cannot be used to steal consumers’ identities. As a result, it can be difficult for consumers in payment card data breach cases to prove damages or injury.
An old saw defines insanity as doing the same thing over and over again and expecting a different result. Wendy’s shareholders recently flouted that maxim by filing a derivative action this week against officers and directors of the fast-food chain seeking recovery on behalf of the corporation for damages arising from a data breach that affected over 1,000 franchise locations between October 2015 and June 2016. Based on the results in prior data breach derivative actions, the prospects for the Wendy’s derivative claim appear dim.
Dismissal Of Home Depot Derivative Action Extends Shareholder Losing Streak
An attempt to impose liability on corporate officers and directors for data breach-related losses has once again failed. On November 30, 2016, a federal judge in Atlanta issued a 30 page decision dismissing a shareholder derivative action arising out of the September 2014 theft of customer credit card data from point-of-sale terminals in Home Depot stores. The dismissal of the Home Depot derivative action follows earlier dismissals of derivative actions arising from data breaches perpetrated against Wyndham and Target.
In the wake of the Supreme Court’s decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), lower courts have begun to address whether alleged violations of statutes intended to protect privacy suffice, in the absence of any further alleged injury, to establish Article III standing. In Matera v. Google Inc., No. 15-cv-04062-LHK (Sept. 23 2015), Judge Lucy Koh of the Northern District of California ruled that a complaint alleging violations of the federal Wiretap Act, 18 U.S.C. § 2511(a)(1), and the California Invasion of Privacy Act (“CIPA”), Cal. Penal Code § 631, without more, pleads sufficient injury to satisfy the requirements for Article III standing as set forth in Spokeo. In so ruling, the court concluded that Spokeo did not overrule prior authority finding Article III standing to sue for Wiretap Act and CIPA violations.