Following the Supreme Court’s ruling in Spokeo v. Robins, which held that federal plaintiffs alleging a statutory violation must have suffered a real, concrete injury in order to have Article III standing, many defendants began to assert lack of standing as a defense in data breach class actions in federal court. Data breach cases are particularly good candidates for Article III standing arguments, because data breach plaintiffs often allege a risk of future injury, but do not allege that the breach has caused them any immediate harm. Nevertheless, some courts have found that the threat of future injury is a sufficiently concrete injury under Article III. Even when defendants succeed with a Spokeo standing argument, the result may simply be that the case gets litigated in (an often less friendly) state court. This is the “Spokeo trap” we have addressed before.
Instead of attacking standing, defendants may be better off attacking a plaintiff’s lack of damages through a Rule 12(b)(6) motion. After all, most data breach claims at least include state law negligence claims that require plaintiffs to prove actual damages in order to recover. Although there is definitely overlap between the damages element of a tort claim and the injury-in-fact requirement of Article III, many courts have drawn a distinction between the two and dismissed cases for failing to allege the former—and not on mere jurisdictional grounds that create problems for defendants down the road.
The prime example is a case that the plaintiffs’ bar considered one of its early successes: Pisciotta v. Old National Bancorp. That case disagreed with the district court’s jurisdictional analysis and concluded that the plaintiffs’ allegations of future injury gave them Article III standing—but the court still affirmed the district court’s dismissal of the case because the plaintiffs could not satisfy the actual damages element of their negligence claim.
Other more recent cases have followed in this line. Attias v. CareFirst, Inc., a case out of D.C., saw the district court initially dismiss a data breach class action because the plaintiffs could not establish Article III standing on the alleged risk of future harm (such as an increased risk of identity theft). The D.C. Circuit reversed. On remand, the defendant focused on its 12(b)(6) arguments, and the district court dismissed with prejudice, finding that “while plaintiffs’ alleged injuries may be enough to establish standing at the pleading stage of the case, they are largely insufficient to satisfy the ‘actual damages’ element of nine of their state-law causes of action.”
The defendant in a District of Minnesota case, In re: SuperValu, Inc., Customer Data Security Breach Litigation, was met with a similar scenario after the Eighth Circuit reversed the district court’s order granting dismissal without prejudice on standing grounds. Following remand, the defendant renewed its 12(b)(6) motion, arguing that the plaintiffs failed to allege actual damages. The district court granted the motion and dismissed the negligence claims––with prejudice, no less.
Focusing on 12(b)(6) motions instead of standing arguments under 12(b)(1) can, in some instances, save time and money for defendants—and not just in data breach class actions, but in any statutory class action. In the data breach context, that strategy also can avoid a budding circuit split as to whether a future risk of identity theft confers Article III standing in data breach cases. Presently, the D.C. Circuit, and the Sixth, Seventh, and Ninth Circuits have all said it does, while the First, Third, Fourth, and Eighth Circuits have said it doesn’t. The issue is before the Eleventh Circuit now in I Tan Tsao v. Captiva MVP Restaurant Partners, LLC.
As a matter of doctrine, we agree that many data breach theories should not confer Article III standing, and we believe that it is often appropriate to challenge standing in data breach cases. Indeed, the Supreme Court may be addressing that very question soon. But, as courts continue to wrestle with jurisdictional questions, some data-breach defendants can take a practical approach and bypass the standing arguments in favor of attacking the elements of the plaintiff’s claims instead of the court’s jurisdiction.
