By Zachary L. Neal[1. Mr. Neal is a Senior Associate in Alston & Bird LLP’s Litigation and Trial Practice Group, and he is a member of Alston & Bird’s Security Incident Management and Response Team. He is a graduate of the University of Georgia and the University of Pennsylvania Law School. The opinions expressed in this article are Mr. Neal’s and do not necessarily reflect the views of Alston & Bird LLP or its potential or current clients.]
Companies and government entities gather and aggregate an ever-increasing amount of consumer data. This data runs the gamut from the seemingly innocuous – like shopping habits – to the sensitive – like social security numbers and account numbers. As these entities gather and store data for their legitimate purposes, instances of unplanned releases of this information – or data breaches – are on the rise. And with data breaches come lawsuits from plaintiffs – or putative classes of plaintiffs – who fear their personal information may have been compromised.
The United States Court of Appeals for the First Circuit’s recent decision in Anderson v. Hannaford Brothers Co.[2. 659 F.3d 151 (1st Cir. 2011).] discusses one important aspect of data breach litigation – whether plaintiffs can allege the necessary harm to survive a motion to dismiss. Anderson is one of the few instances where a court has concluded that the plaintiffs have alleged the necessary harm, meaning it is an important decision to consider in evaluating potential liability arising from a data breach.
Before discussing Anderson, this article first provides a general overview of how data breaches occur and why lawsuits tend to arise from them. This article then discusses another threshold issue – whether plaintiffs can establish Article III standing when suing in federal courts. If a plaintiff does not have standing, then the issues discussed in Anderson will not come into play. Finally, the article discusses Anderson in detail and explores its implications for future cases.
In sum, although Anderson will likely encourage even more data breach lawsuits, Anderson also underscores the difficulty plaintiffs will have in certifying classes even if they clear the other hurdles discussed in this article.
Data Breach Causes and Consequences
Data breaches may arise from a number of sources, including:
- Careless disposal of sensitive information (e.g., a company throws away sensitive information in a Dumpster);
- Inadvertent loss of sensitive information (e.g., an employee downloads sensitive information to some form of portable media and then misplaces that media);
- Theft of sensitive information (e.g., an employee’s laptop is stolen from his or her car); and
- Hacking to obtain sensitive information (e.g., a computer hacker breaches a company’s network and obtains sensitive information).
After a data breach occurs, forty-six states require businesses or government entities to report breaches to consumers in certain circumstances. If notification is required, the data breach will become public, which, at least in the case of large data breaches, often leads to extensive coverage both in the mainstream media and on the internet. This publicity, in turn, tends to generate lawsuits, which are often brought as class actions in federal court. These suits are likely attractive to plaintiffs’ lawyers because – at least in the case of large suits – there are potentially millions of class members. These class members are often sympathetic, as almost everyone fears identity theft or other forms of fraud. And depending on the circumstances of the breach, plaintiffs have a number of claims to choose from, including negligence; breach of express or implied contract; state unfair and deceptive trade practices act statutes; state data breach notification laws; and the Fair Credit Reporting Act.
Article III Standing
A threshold issue in most data breach lawsuits is whether plaintiffs have standing to bring claims where they have not yet been the victim of identity theft or other fraudulent activity. In particular, courts have focused on whether plaintiffs have suffered an injury-in-fact where a data breach has occurred but the plaintiffs’ information has not been misused.[3. Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 634 (7th Cir. 2007); Krottner v. Starbucks Corp., 628 F.3d 1139, 1142 (9th Cir. 2010).]
Circuit courts have split over whether plaintiffs have standing under such circumstances.[4. Compare Pisciotta, 499 F.3d at 634 (holding such plaintiffs had standing) and Krottner, 628 F.3d at 1142-43 (holding such plaintiffs had standing) with Reilly v. Ceridian Corp., 664 F.3d 38, 43-46 (3d Cir. 2011) (finding such plaintiffs did not have standing).] The Seventh and Ninth Circuits have been willing to find that data breach plaintiffs have standing in certain circumstances even where they do not allege that they have been the victim of identity theft or other fraudulent activity.[5. Pisciotta, 499 F.3d at 634; Krottner, 628 F.3d at 1142-43.] The Seventh Circuit, for instance, found that data breach plaintiffs, who alleged the data breach arose from a sophisticated hacking attack, had standing where no misuse of data was alleged but the plaintiffs alleged “a threat of future harm” from potential misuse of their data.[6. Pisciotta, 499 F.3d at 634.] Similarly, the Ninth Circuit concluded that plaintiffs had standing even though they did not allege data misuse. One plaintiff, the court found, had standing where she claimed “generalized anxiety and stress” as a result of a data breach; other plaintiffs had standing under the circumstances where they alleged an increased risk of identity theft.[7. Krottner, 628 F.3d at 1142-43.]
Conversely, the Third Circuit has refused to find that plaintiffs have standing where their information has not yet been misused.[8. Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011).] The Third Circuit found that, before information accessed in a data breach is misused, any harm is speculative because whether harm will ever occur depends on the potential future actions of (at least in that case) an unknown party.[9. Id. at 42.] What must be shown to establish standing, the court found, are not allegations of hypothetical future harm, but allegations of actual or imminent harm.[10. Id. at 43.] The Third Circuit distinguished the Seventh and Ninth Circuit cases discussed above by finding that the allegations in both cases suggested more imminent harm.[11. Id. at 44.] The Seventh Circuit case, the court found, involved allegations of a “sophisticated, intentional and malicious” hacking attack.[12. Id.] And in the Ninth Circuit case, someone had attempted – but failed – to steal one plaintiff’s identity.[13. Id.] More importantly, however, the Third Circuit found that neither the Seventh nor the Ninth Circuit decision fully considered constitutional standing requirements as they applied to data breach claims. The Third Circuit thus found the Seventh and Ninth Circuit cases unpersuasive.[14. Id.; cf. Katz v. Pershing, LLC, --- F.3d ----, 2012 WL 612793 (1st Cir. Feb. 28, 2012) (finding plaintiff lacked standing where she alleged only that a data breach could occur, not that one actually had occurred).]
Thus, at least in some cases, plaintiffs will be able to allege enough facts to establish standing. Either they will be able to allege actual harm, such as where they have already been defrauded, or their allegations will be enough to establish, at least in some courts’ view, a great enough threat of future harm to establish standing.
Actual Harm and Anderson v. Hannaford Brothers Co.
Even where plaintiffs can establish standing, they will still be left with the tall task of surviving a motion to dismiss their claims based on the argument that they have not alleged sufficient actual harm or damages under their substantive claims. For instance, in both the Seventh and Ninth Circuit cases discussed above, the courts found the plaintiffs had not alleged sufficient actual harm or damages to survive a motion to dismiss.[15. Pisciotta, 499 F.3d at 634 (finding Indiana law “would not permit recovery for credit monitoring costs” under plaintiffs’ negligence and breach of implied contract claims); Krottner v. Starbucks Corp., 406 F. App’x 129 (9th Cir. 2010) (holding that plaintiffs had not alleged the necessary actual loss or damage to sustain a negligence claim under Washington law because plaintiffs alleged only the possibility of future harm).]
In a departure from most other courts, however, the United States Court of Appeals for the First Circuit, in Anderson v. Hannaford Brothers Co.,[16. 659 F.3d 151 (1st Cir. 2011).] concluded that Maine law allows plaintiffs to recover certain damages arising from a data breach. In Anderson, the plaintiffs brought a class action complaint against Hannaford Brothers Company alleging several causes of action arising from a data breach.[17. Id. at 153.] The data breach arose out of hackers accessing Hannaford’s credit and debit card processing system.[18. Id.] The hackers allegedly stole the credit and debit card numbers of 4.2 million Hannaford customers, leading to over 1,800 cases of fraud.[19. Id.]
Reviewing the trial court’s decision partially granting and partially denying Hannaford’s motion to dismiss, the First Circuit concluded that the plaintiffs had stated two causes of action under Maine law – breach of implied contract and negligence – and could likewise properly claim certain damages under those causes of action.[20. Id.] In analyzing the damage issue, the court focused on so-called “mitigation” damages.[21. Id. at 162.] The court first found under Maine law that damages must be “reasonably foreseeable.”[22. Id.] The court then found that a plaintiff may “recover for costs and harms incurred during a reasonable effort to mitigate” harm.[23. Id.] “To recover mitigation damages, plaintiffs need only show that the efforts to mitigate were reasonable, and that those efforts constitute a legal injury, such as actual money lost, rather than time or effort expended.”[24. Id.]
In deciding the plaintiffs had taken reasonable steps to mitigate their potential damages, including paying card replacement fees and buying credit insurance, the court focused on the fact that the case involved a sophisticated hacking attack that allegedly led to many fraud cases.[25. Id. at 164-65.] The court went to great lengths to distinguish data breach cases where no subsequent fraud had occurred or where there was no allegation that the data theft was anything other than incidental to the “theft of expensive computer equipment.”[26. Id. at 165.] Instead, the court found, in this case, some people had already allegedly been fraud victims. It was thus foreseeable “that a customer, knowing that her credit or debit card data had been compromised and that thousands of fraudulent charges had resulted from the same security breach” would take steps to mitigate her potential damages.[27. Id. at 164.]
Although Anderson will likely encourage plaintiffs to file data breach lawsuits, Anderson also underscores the difficulty plaintiffs will likely have certifying a class for such claims, particularly a nationwide class. In Anderson, the First Circuit had to engage in extensive analysis of unsettled state law before concluding plaintiffs had properly alleged damages under a single state’s law. The task of deciding whether multiple states’ laws would allow for damages given the particular facts of a case will likely prevent plaintiffs from satisfying Federal Rule of Civil Procedure 23(b)(3)’s predominance requirement. Under the predominance requirement, plaintiffs must show through extensive analysis that any differences in state law are manageable.[28. Sacred Heart Health Sys., Inc. v. Humana Military Healthcare Servs., Inc., 601 F.3d 1159, 1180 (11th Cir. 2010).] This will likely prove to be a hard – if not impossible – task where more than a few states’ laws are at issue, especially where the law in many states is an issue of first impression or in flux.[29. See, e.g., Sacred Heart, 601 F.3d at 1180-83 (district court abused its discretion in certifying a six-state class because the court had not engaged in a rigorous analysis to determine what state law variations existed); Kirkpatrick v. J.C. Bradford & Co., 827 F.2d 718, 725 (11th Cir. 1987) (affirming district court’s denial of a Rule 23(b)(3) multi-state class involving various state statutory and common law claims because “the differing standards of liability required by the laws of the various states would render class action treatment unmanageable”).]