Federal District Court Allows Data Breach Class Action to Proceed Based On Risk Of Future Harm


On October 11, the U.S. District Court for the Southern District of California held that the plaintiffs in a consolidated data breach class action have plead sufficient harm to satisfy Article III’s injury-in-fact requirement despite having not suffered any actual harm to date. In re Sony Gaming Networks & Customer Data Security Breach Litig., No. 11-md-2258, 2012 WL 4849054 (S.D. Cal. Oct. 11, 2012). The plaintiffs allege on behalf of a putative class that Sony Computer Entertainment America and a group of related entities (collectively Sony) failed to implement industry-standard practices to protect customers’ personal information. The plaintiffs claim that as a result of Sony’s failings they suffered an increased risk of future harm following a criminal theft of personal information from Sony’s PlayStation computer network. The defendants moved to dismiss the plaintiffs’ numerous claims, including on the grounds that the plaintiffs have suffered no real injury and therefore do not have standing to pursue the case. The court agreed with the plaintiffs that their claims are analogous to those sustained by the Ninth Circuit in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010). As in Krottner, the court held that although none of the plaintiffs have suffered any actual loss, the increased threat of future injury is sufficient for standing and the plaintiffs sufficiently allege that such increased risk is causally connected to Sony’s actions. However, the court held that plaintiffs’ allegations do not show any cognizable injury necessary to sustain their claim of negligence under California law. The court dismissed the plaintiffs’ negligence and other claims with leave to amend, and dismissed certain other claims with prejudice.