By Darryl Drevna, Rodney Lewis and George Kostel
On May 4, 2015, a US District Court judge in the Eastern District of Louisiana dismissed a class action lawsuit that sought damages from eBay based on the “threat of future harm” stemming from the online retailer’s 2014 data breach (Green v. eBay, Inc., 2015 U.S. Dist. LEXIS 58047). Between February and March 2014 eBay was the target of a cyber-attack that compromised the encrypted passwords and personal information, including mailing addresses, phone numbers and dates of birth, for 145 million users. eBay notified its users and advised them to change their passwords. The lawsuit alleged that the breach subjected eBay users to economic damages, identity theft and damages for having to take preventative measures due to an increased risk of identity theft. In dismissing the suit, the court ruled that the plaintiffs did not have standing because their complaint was based on the threat of future harm and not on ongoing or past harm. The ruling comes after the Supreme Court on April 27 agreed to hear a case recently decided by the 9th Circuit (Spokeo, Inc. v. Robins) that turns on whether Congress can confer Article III standing on a plaintiff that does not suffer concrete harm by authorizing a private right of action based on a bare violation of a federal law.
The eBay court based its decision to dismiss the case on Article III standing as established in the 2013 Supreme Court case Clapper v. Amnesty International USA, which requires plaintiffs to prove they suffered an actual or threatened injury. In Clapper, the Supreme Court found that a group of journalists and lawyers lacked standing to challenge the 2008 Foreign Intelligence Surveillance Act. The Court found that plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.” Echoing that concern here, US District Court Judge Susie Morgan held that the “mere fact that plaintiff’s information was accessed during the data breach is insufficient to establish injury in fact.” She added that “the potential threat” of identity theft or identity fraud does not establish standing to seek damages in federal court, and that the plaintiff made claims of damages “without any allegation of actual incidents of identity theft.”
While most federal courts have applied Clapper’s standing requirements to data breach cases that involved hacking, physical theft, or point-of-sale attacks, some courts have found that standing exists based purely on threats of future harm. For example, in Moyer v. Michaels Stores, which involved a retail point-of-sale attack, a judge in the Northern District of Illinois ruled that a “credible, non-speculative risk of future harm” can confer standing. In addition, a district court judge allowed several cases against Target to proceed, also based on the threat of future harm, after the massive data breach it suffered in 2013. Target has agreed to a provisional settlement in one of those cases.
Beyond the possible legal ramifications of a data breach, companies must be aware of the possibility of increased political scrutiny. For example, after eBay’s data breach, Rep. Joe Barton (R-TX) and Rep. Bobby Rush (R-IL), members of the House of Representatives’ Bi-Partisan Privacy Caucus, sent a letter to eBay CEO John Donahoe requesting information on how the company was responding to the breach, details on its privacy policies, a history of past major security breaches, and what the company was doing to assess its data security protocols. In addition, several members of Congress have introduced legislation that would create a federal standard for how and when companies must notify their customers following a breach.
Members of the healthcare industry must be prepared to protect against cyber-attacks and to respond to the legal and political fallout in the event of a data breach. For example, a new Ponemon Institute study found that cyber-attacks on healthcare organizations increased 125 percent over the last five years. The study estimated that medical files are worth up to $70 each on the black market and that 45 percent of healthcare organizations reported they were victims of a deliberate cyber-attack.
With evolving legislative and judicial expectations, companies should routinely monitor and update their data security and breach notification policies accordingly. As these cases indicate, plaintiffs are willing to litigate and courts are willing to hear their arguments in the wake of a data breach. Beyond the cost of the litigation, companies also must protect their reputations and brands, which can be damaged by successful cyber-attacks.