As the saying goes, “You never really know what you’ve got ’til it’s gone.” For class plaintiffs seeking redress for the unauthorized collection of their personal information (PI), it’s their claims that courts have allowed to go by the wayside. In recent months, companies such as LinkedIn, Apple, Facebook and Google have been faced with consumer data privacy and data breach class action lawsuits alleging violations of their privacy policies and failure to protect consumers’ PI from the unauthorized access, distribution and potential use by third parties.
These data privacy and data breach cases continue a trend in class action lawsuits in recent years. Unfortunately for plaintiffs’ attorneys, their efforts have been largely ineffective as courts have routinely dismissed plaintiffs’ claims at the pleading stage. While the nature and extent of the data privacy invasions and data breaches differ across the putative classes, the outcome in all the cases turns on one common flaw: the plaintiffs’ inability to sufficiently allege injury in fact in order to maintain Article III standing, or actual injury to state a claim on which relief can be granted. Recently, however, courts have shown signs of coming around and finding ways to allow plaintiffs’ claims to survive. Companies should beware, and prepare.
In the Batter’s Box
The technology that controls us daily—smartphones, laptops, search engines, and consumer and social media websites—constantly collects and stores our PI, which has great utility to advertisers, businesses and criminals. The collection of PI, such as names, addresses and web-surfing habits, fuels the $70 billion web advertising industry while bank account information and Social Security numbers line the pockets of identity thieves. PI has obvious value that consumers naturally want to control and protect.
LinkedIn moved to dismiss the representative plaintiff’s class claims under Rule 12(b)(1) for failure to allege injury in fact for Article III standing and under Rule 12(b)(6) for failure to state any claims on which relief can be granted. Initially, the Low court dismissed the complaint for lack of Article III standing. The court rejected the representative plaintiff’s claims that he suffered emotional and economic harm, finding that he had not alleged any details regarding the specific transmission of his PI nor how third parties had specifically inferred his identity. The Low court noted that the representative plaintiff failed to establish injury in fact because the unauthorized collection of PI, by itself, does not create an economic loss and the representative plaintiff did not allege how he was foreclosed from capitalizing on the value of his PI.
The representative plaintiff amended his complaint and added another representative plaintiff. Based on the amended complaint, the Low court found that, together, the plaintiffs satisfied the Article III standing requirement by establishing an injury in fact that is concrete and particularized, and actual or imminent. The court held that because the named plaintiffs had alleged that their web-browsing history and URL were disclosed to third parties when they visited the LinkedIn site, they had sufficiently articulated, with particularity, injury to themselves for purposes of Article III standing.
However, despite finding Article III standing, the Low court dismissed plaintiffs’ claims, holding, among other things, that the plaintiffs generally were unable to establish actual injury to themselves—for example, that their anonymity was lost due to the disclosure or actual loss of property due to the disclosure. The court noted that the plaintiffs’ PI and browsing history are not considered “property” and that disclosure of PI to third parties was not a sufficiently offensive invasion of privacy to warrant recovery.
While LinkedIn escaped claims for data privacy violations in the Low litigation, the company currently finds itself right back in the same court facing a consumer class action lawsuit over a data breach due to the hacking and posting of more than 6.5 million user passwords. In In re LinkedIn User Privacy Litigation, No. 12-cv-03088-EJD (N.D.Cal. Sept. 19, 2012) (User Privacy Litigation), plaintiffs assert state common law and statutory claims alleging that LinkedIn used inadequate encryption methods to protect the login credentials of its users. Plaintiffs allege that disclosure of their login credentials allowed access to other personal information and that their injury extended to other online accounts since many people use the same login credential across multiple websites.
Sticking with the playbook, LinkedIn moved for 12(b)(1) and 12(b)(6) dismissals in the User Privacy Litigation, arguing that plaintiffs have not alleged that their login credentials were actually retrieved by the hackers, nor that any injury is imminent. As a result, LinkedIn argues plaintiffs’ claims are speculative and insufficient to establish injury in fact for Article III standing. LinkedIn further argues that plaintiffs have not shown how any LinkedIn data breach has resulted in any misuse of their PI, or otherwise caused them actual injury. While the court has yet to rule on LinkedIn’s motion, the plaintiffs’ allegations indicate that they are likely destined to suffer the same fate as prior class plaintiffs who were unable to sufficiently allege actual injury: dismissal.
Nothing Lasts Forever
The data privacy and data breach claims asserted in the LinkedIn litigations are not unique, but do reflect the diversity of claims regarding PI that companies may be subject to at any given moment. The litigations also illustrate the difficulty plaintiffs face in showing actual injury and the ease with which companies have dispensed with consumer data class action lawsuits. Plaintiffs who are able to survive the standing hurdle are typically unable to allege actual injury sufficient to maintain their claims. Companies have enjoyed the benefit of the court’s approach for the past few years. However, the party may soon be over.
First, the U.S. Supreme Court took up the issue of Article III standing in Clapper v. Amnesty Int’l USA in its last session. In that case, the Second Circuit Court of Appeals determined that the plaintiffs had standing to challenge the constitutionality of a federal surveillance statute based on an objectively reasonable fear that their communications would be monitored. The court held that the plaintiffs’ reasonable fear of being monitored was sufficient to establish an injury in fact to confer Article III standing. Amnesty Int’l USA v. Clapper, 638 F.3d 118 (2nd Cir. 2011). However, the Supreme Court issued a decision this week reversing the Second Circuit, finding respondents’ fear of injury was too speculative and did not meet the Court’s requirement that a threatened injury be “certainly impending” to confer Article III standing. Clapper v. Amnesty Int’l USA, No. 11-1025 (February 26, 2013). While this ruling deals a blow to a plaintiff’s ability to establish standing based on a speculative fear, the Second Circuit’s initial novel recognition of an injury in fact based on an objectively reasonable fear suggests that the lower courts may be open to other arguments advanced by plaintiffs as they attempt to find ways to establish Article III standing in data breach and data privacy cases.
Second, a plaintiff’s inability to show immediate harm from a data breach does not necessarily mean that the harm will not occur. Rather, there is a real likelihood of a latent use of that information, and the occurrence of the very injuries that plaintiffs fear. And in those cases, courts have recently shown that they are willing to allow plaintiffs’ claims to proceed past the pleading stage despite a less than clear nexus between the injury and the defendant’s actions. For example, in Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012), the court reversed a 12(b)(6) dismissal of class plaintiffs’ claims of identity theft that occurred 10 months after the theft of two laptops containing the PI of 1.2 million customers of defendants. The court found a sufficient nexus had been established where information used to open bank accounts in the plaintiffs’ names was identical to information stored on the stolen laptops.
Finally, as the Amnesty and Resnick decisions suggest, the law may catch up with technology. Part of the difficulty plaintiffs face in countering 12(b)(6) motions is that many courts don’t seem to understand the dynamics between consumers, companies and third parties when it comes to consumer data. In large part, the courts fail to recognize an injury in: 1) the value lost by consumers in the unauthorized and undetected collection of PI by third parties in data privacy cases; and 2) the danger posed to consumers by the potential for latent, future use of PI in data breach cases. In both cases the ultimate use (or misuse) of this information by third parties may not occur for some time and may go undetected, which could prevent plaintiffs from ever recovering. If courts continue to evolve and begin to recognize the unauthorized and undetected collection of PI as an actual injury, then plaintiffs’ class action claims may begin to gain firm footing to proceed in court.
With change in the air, and cyberattacks on the rise, companies would do well to improve their data security measures, and shore up their data management practices to protect consumers’ PI. This month alone, Microsoft, Facebook and Google each reported data breaches from cyberattacks, signaling that lawsuits regarding consumer data are likely to persist. Taking a proactive approach to data security can mitigate potential exposure to data privacy claims and data breaches down the road.