Date: Mar 21, 2013
The United States Supreme Court's recent decision in Clapper v. Amnesty International USA, No. 11-1025 (Feb. 26, 2013), points to continued success in challenging most plaintiffs in data breach litigation. Clapper reiterated the necessity of demonstrating "injury in fact" in order to have standing to sue in federal court.
In Clapper, NGO's, news organizations, and individuals (collectively "respondents") sued to overturn a provision in the Foreign Intelligence Surveillance Act of 1978 that allows the government to acquire foreign intelligence information by authorizing the surveillance of individuals who are not "United States persons" and are reasonably believed to be located outside the United States. See 50 U.S.C. § 1881a. Respondents claimed that their work required them to engage in sensitive international communications with individuals who are likely targets of such surveillance, and that such surveillance may result in the respondents' communications being seized sometime in the future. The Supreme Court found that the respondents' claims were too speculative to satisfy the essential standing requirement that a threatened injury be "certainly impending." The court further found that the respondents' claims of present injury, specifically that they had taken costly and burdensome measures to protect their international communications, were ineffective because plaintiffs cannot "manufacture standing by choosing to make expenditures based on hypothetical future harm that is not certainly pending."
The Clapper decision has wide-ranging application to data breach cases. In data breach lawsuits, plaintiffs must generally show that there is something more than the mere exposure of personal information in order for there to be sufficient harm to establish standing. For instance, where a plaintiff has actually suffered "identity theft" or other misuse of compromised information, the court found actual harm and held that standing existed. See Resnick v. Avmed, Inc., 693 F.3d 1317 (11th Cir. 2012). In Resnick, unencrypted laptops were stolen and sold to an individual with a history of dealing in stolen property and the plaintiffs subsequently were the victims of identity theft. The majority of plaintiffs bringing data breach lawsuits, however, cannot make such a claim. In those cases, standing has been a significant challenge and that challenge has gotten tougher.
First, a plaintiff would have to assert that his personal information was compromised. In some data breach cases, the universe of information taken (or lost) is known. In others, the data owner can only speculate as to the specific information that was taken. In such a case, any claim of injury arguably is speculative. Even if a plaintiff can reasonably assert that his personal information was compromised, the ability to claim that threatened injury is "certainly impending" would be daunting. Given the number of records that likely are compromised in any given data breach, the fact that not all information taken in a breach is by persons intent on identity theft, and the steps required to convert personal information into identity theft or some other harmful act, it is not likely that a plaintiff bringing such action can show that the injury is "certainly impending." Finally, a plaintiff's subscribing to services to identify identity theft or buying identity theft insurance likely will not be considered a present injury. As the Supreme Court noted in Clapper, plaintiffs cannot "manufacture standing by choosing to make expenditures based on hypothetical future harm that is not currently impending."
Like Clapper, plaintiffs in data breach cases have, and likely will continue to have, difficulty establishing standing. Clapper re-emphasized the need for plaintiffs to establish standing and strengthened data owners' challenges of such claims.
For more information on privacy issues, please contact:
Douglas J. Behr at +1 202.434.4213 or at firstname.lastname@example.org
Sheila A. Millar at +1 202.434.4143 or at email@example.com