Courts Split Over Impact of Supreme Court Decision
The Southern District of California last month let 8 out of 51 claims survive in a putative class action arising out of the 2011 breach of the Sony PlayStation network. In re Sony Gaming Networks & Customer Data Sec. Breach Litig., MDL 11MD2258 AJB MDD, 2014 WL 223677 (S.D. Cal. Jan. 21, 2014) (Sony II). In doing so, the court contradicted widespread expectations, and developing law from other circuits (including a Feb. 10 decision from the Southern District of Ohio in the Nationwide Insurance breach litigation), in finding that plaintiffs alleging only the possibility of future harm had standing in light of the U.S. Supreme Court’s recent decision in Clapper v. Amnesty International, 133 S. Ct. 1138 (2013). The court determined that the Sony Plaintiffs had standing merely because they alleged that their information had been wrongfully disclosed, without an allegation that it had been misused. In contrast, less than three weeks after the Sony decision, the District Court for the Southern District of Ohio determined that plaintiffs in the Nationwide Insurance breach litigation did not have standing when all they could allege was an unauthorized disclosure of their information, a holding it based explicitly on Clapper, and declined to follow the reasoning employed by the Ninth Circuit.
This update first summarizes the Sony case, as it may well serve as a magnet to draw data breach and other consumer class action litigation into courts within the Ninth Circuit. It then briefly discusses the Nationwide case as the most recent application of post-Clapper law.
Sony Litigation Background
The Sony breach was widely reported in 2011 and involved a criminal attack on servers used for online services that connected to Sony’s PlayStation consoles. Hackers accessed Sony’s network, stealing the personal information of millions of customers, including credit card information. Sony shut the PlayStation network down for several weeks, during which time customers were unable to access Sony services or various third-party services available through the network (such as Netflix). Multiple lawsuits quickly followed in the wake of the breach, alleging misrepresentations regarding Sony’s security as well as the circumstances of the breach and injuries flowing from the loss of online services, overpayment for the consoles in light of Sony’s misrepresentations, and likely identity theft resulting from the unauthorized disclosure of personal information.
The lawsuits were consolidated through the MDL process before the Southern District of California. The original consolidated class action complaint raised seven claims on behalf of five named plaintiffs. The court dismissed that complaint in October 2012 in its entirety—finding standing based on likelihood of future harm, though plaintiffs did not allege sufficient injury. In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 903 F. Supp. 2d 942 (S.D. Cal. 2012). Plaintiffs filed a greatly expanded amended complaint in December 2012, raising 51 claims on behalf of 11 named plaintiffs. The new claims largely involved state law claims for the nine different states comprising the homes of the proposed named plaintiffs.
The 51 claims in the amended complaint in Sony II can be broken down into 9 claim categories: (1) negligence; (2) negligent misrepresentation; (3) breach of express warranty; (4) breach of implied warranty; (5) unjust enrichment; (6) violation of state consumer protection statutes; (7) violation of the California Database Breach Act; (8) violation of the federal Fair Credit Reporting Act; and (9) partial performance/breach of the covenant of good faith and fair dealing. (This last one also survived because it deals with factual issues regarding a settlement agreement between the parties.)
Although most of these claims failed for lack of sufficiently concrete injury, some claims based on unfair competition survived Sony’s motion to dismiss—including some claims for damages.
Sony was successful in getting 43 claims dismissed using a variety of strategies:
Most of the negligence and negligent misrepresentation claims, as well as the consumer protection claims seeking damages, were unsuccessful because of failure to allege injury caused by the breach. Either the timing was wrong (plaintiffs could not have seen most of the disclosures before purchasing their consoles, so could not claim the price of the console as damages), the injury was insufficient (loss of free services, for example) or simply not alleged. The economic loss doctrine also barred claims in California and Massachusetts, even where the pleading was more specific.
Breach of Warranty claims were dismissed because they were made under the laws of states other than California, while still explicitly based on Sony’s user agreements, which require interpretation under California law.
Unjust Enrichment claims were dismissed because an express contract covered the subject matter.
The Fair Credit Reporting Act claim was dismissed because Sony is not a credit reporting agency or otherwise subject to the Act.
Many of the claims were dismissed with prejudice because the court found that the new allegations were not materially different from those alleged in the original complaint that was dismissed for insufficient injury.
Most of the surviving claims are state unfair competition claims. In many states, actual monetary injury is not required for injunctive relief, and those claims thus survived, unless a state law was incompatible with plaintiffs’ basic argument regarding whether Sony’s behavior qualified as unfair. In particular, the California claims survived based on the allegations that (1) plaintiffs would not have purchased a Sony PlayStation if the true facts regarding Sony’s security had been disclosed; and (2) Sony fraudulently claimed reasonable security measures and “industry-standard encryption.”
In addition, monetary claims can be made based on omissions in some states. Those damages claims also survived based on the theory that Sony failed to provide appropriate disclosures before the purchase of the PS console.
One data breach notification claim survived because, according to the court, notice within 10 days is not necessarily reasonable but is instead a factual question not appropriate for a motion to dismiss. Accordingly, although the damages claim was dismissed for failure to allege actual damages caused by a delay in notice, the injunctive claim survived, because it is available when a business “violates or proposes to violate” the data breach notification statute. If plaintiffs ultimately prevail on this claim for injunctive relief, Sony will presumably be subject to a court order to provide more expedient notice in the event of a future breach, and plaintiffs will be statutorily entitled to attorneys’ fees.
Standing and the Split in the Federal Courts
In its 2012 opinion, the Sony court held that plaintiffs had standing because the allegations that their “sensitive Personal Information [was] wrongfully disseminated, thereby increasing the risk of future harm” sufficiently alleged the “injury-in-fact” required for Article III standing. This was consistent with existing Ninth Circuit precedent in Krottner v. Starbucks, 628 F.3d 1139 (9th Cir. 2010). Even though plaintiffs’ standing allegations in their Amended Complaint were not materially different from those alleged in 2012, Sony urged the court to reconsider its earlier analysis in light of the U.S. Supreme Court’s 2013 Clapper decision. The Clapper Court had analyzed the injury-in-fact requirement in the context of plaintiffs who alleged that the government might at some future point eavesdrop on their communications with foreign individuals, and that they had accordingly taken costly measures to protect the confidentiality of their sources. The Court held that plaintiffs lacked standing because they had not shown that their threatened injury was “certainly impending.” The Clapper Court also held that Article III standing cannot be based on costs incurred to avoid a harm that is not itself a basis for standing—plaintiffs could otherwise “manufacture standing.” 133 S. Ct. at 1150-51.
Prior to Clapper, the Ninth Circuit had held that Article III standing must be based on a “real and immediate” threat of harm. Krottner, 628 F.3d at 1143. Contrary to the expectation of many commentators, Sony II held that the Krottner “real and immediate” test and the Clapper “certainly impending” test are the same, and that therefore Clapper did not change the law. Accordingly, within the Ninth Circuit, allegations that information was wrongfully disclosed as a result of a data breach incident, causing a threat of future harm, remain sufficient to show standing.
The Sony II decision is also important because it was the second decision in a data breach case to interpret Clapper. The first such decision was in the Barnes & Noble security breach litigation, in which plaintiffs claimed only that they had used credit cards at Barnes and Noble stores that had been compromised. Because there was no way to prove that plaintiffs' information had in fact been stolen, the court held that plaintiffs did not have standing. In re Barnes & Noble Pin Pad Litig., 12-CV-8617, 2013 WL 4759588, at *3-6 (N.D. Ill. Sept. 3, 2013). Interestingly, the court did not even mention Pisciotta v. Old National Bancorp, which is the Seventh Circuit’s longstanding opinion that plaintiffs whose data had been compromised but not yet misused had standing based on the increased risk of future harm. See 499 F.3d 629, 634 (7th Cir. 2007). While the continued viability of Pisciotta remains in question, the fact that the Barnes & Noble plaintiffs could not allege that their information was disclosed is likely to be considered universally fatal regardless of whether litigation is brought in the Seventh or Ninth Circuit.
Less than three weeks after Sony II, the District Court for the Southern District of Ohio, relying explicitly on Clapper’s standing test, dismissed the Nationwide Mutual Insurance security breach litigation. Galaria v. Nationwide Mutual Ins. Co., Case No. 2:13-cv-118 (S.D. Ohio Feb. 10, 2014). The Nationwide plaintiffs alleged that their personal information had been disclosed by Nationwide during a security breach. Like the plaintiffs in Sony II, the Nationwide plaintiffs could not allege that their information had in fact been misused. They claimed merely increased risks. However, unlike the Sony II court, which found that the threat of identity theft was real and immediate, the Nationwide court held these future risks were equivalent to the threats of future injury rejected in Clapper. It therefore held that increased risk could not support standing "where, as here, the occurrence of such future injury rests on the criminal actions of independent decision makers and where, as here, the complaint lacks sufficient factual allegations to show such future injury is imminent or certainly impending." Similarly, the costs of monitoring did not support standing, because this was the same “manufactured standing” that the Clapper Court had rejected. Interestingly, in its survey of prior cases and acknowledgment of the different approaches to standing, the Nationwide court did not cite Sony II. However, it stated that it disagreed with Krottner and other cases that find standing based on future harm, in part because they were decided pre-Clapper. Because Sony II was decided after Clapper and the Ninth Circuit found Krottner consistent with Clapper, the Nationwide court’s decision is in direct conflict with Sony.
In sum, post-Clapper, most commentators thought it would be more difficult for data breach litigation to survive absent proof of actual damages and that the different approaches to standing requirements would narrow. The Sony II court’s interpretation of Clapper as being consistent with existing law and the opinion in Nationwide finding precisely the opposite make it clear that the split remains.