In the latest chapter in the Sony PlayStation Network (“PSN”) data breach saga, a decision that issued on January 21, 2014 permanently dismissed all but a handful of the class action claims advanced in a 51 count complaint. Plaintiffs, representing a putative nationwide class of PSN users, asserted dozens of state law consumer protection and common law claims arising from the alleged failure of Sony to take adequate measures to protect users’ personal and credit card information and purported misrepresentations concerning the adequacy of PSN’s data protection practices and capabilities. As previously reported in this blog, an earlier complaint in the action had been dismissed without prejudice in 2012, primarily due to the inability of the plaintiffs to allege that Sony’s purported negligence and misrepresentations caused them damage. The court allowed plaintiffs leave to amend, and defendants moved to dismiss the resulting amended complaint. This week’s decision shows that plaintiffs were unable to cure the deficiencies in their damages allegations that led to dismissal of their original complaint. Allegations that the privacy of plaintiffs’ information was compromised, without any allegation that private information was used in a manner that caused loss or injury, did not suffice. As a result, the court dismissed 45 separate claims for relief, with prejudice and without leave to amend.
Notably, the court did allow eight claims for relief to go forward. Claims for restitution under California consumer protection law survived dismissal, as the court construed California law to allow a consumer to seek restitution where an allegedly false or deceptive statement induced the consumer to purchase a product. Thus, plaintiffs’ claims on behalf of California consumers that misrepresentations concerning data security had induced the purchase of PlayStation 3 units or PSP personal gaming devices were allowed to go forward. Plaintiffs were also allowed to continue to pursue claims for injunctive relief under the consumer protection laws of Florida, Michigan, Missouri, New Hampshire and California, which permit equitable claims to rectify alleged violations, even where there has been no pecuniary loss or injury. Finally, the court allowed claims on behalf of participants in a settlement of PSN-related claims to bring claims for alleged breaches of that agreement. The survival of these claims vindicated a common plaintiff strategy of bringing dozens of counts, in hopes of increasing the odds that some claims will survive dismissal. The claims that were dismissed reinforced the increasingly well-developed principle that inability to plead or establish damages will be fatal to claims arising from a data breach.
One last noteworthy aspect of the most recent decision in the PSN case is the court’s rejection of defendants’ argument that plaintiffs’ inability to allege actionable damage deprived them of Article III standing to pursue their claims. Addressing the interplay between the Ninth Circuit’s decision in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), and the Supreme Court’s recent decision in Clapper v. Amnesty International, 133 S. Ct. 1138 (2013), the PSN court concluded that mere risk of disclosure does not confer standing in a data breach case, but that actual misuse is not required. Rather, the requirement for standing, the court concluded, is actual disclosure or misappropriation of an individual’s personal data. Nonetheless, as the balance of the court’s decision makes abundantly clear, standing is merely the first hurdle that a would-be litigant must surmount to maintain a data breach lawsuit. Even though damages are not require to establish Article III standing, inability to allege damages will often be fatal to a plaintiff’s data breach claims.