Court Dismisses Data Breach Class Complaint For Lack Of Standing - May 2015

King & Spalding
Contact

On May 4, 2015, the U.S. District Court for the Eastern District of Louisiana held that a putative class plaintiff lacked standing to pursue claims against eBay Inc. (“eBay”) arising out of a data breach that occurred in February and March 2014.  In dismissing the putative class action, the court found that the increased risk of future identity theft or identity fraud posed by a data security breach did not confer Article III standing on individuals whose information was compromised by the data breach but had not yet been misused.

Following the 2014 data breach, plaintiff Collin Green filed a 10-count consumer privacy putative class action against eBay on behalf of himself and all eBay users in the United States whose personal information was accessed during the data breach.  The plaintiff alleged that as a result of the data breach,  users’ names, encrypted passwords, dates of birth, email addresses, physical addresses, and phone numbers were compromised, but there was no indication that any financial information was accessed or stolen.

eBay moved to dismiss the complaint, arguing that Green, the sole named plaintiff, had failed to allege a cognizable injury in fact and thus lacked Article III standing to pursue the case against it.  Green, on the other hand, argued that the class action complaint sufficiently alleged injury-in-fact because the plaintiff and the putative class members were “now subject to the ‘statistically certain threat’ of identity theft or identify fraud, and they have incurred, or will incur, costs to mitigate that risk.”

To show standing pursuant to Article III of the Constitution, a plaintiff bears the burden of establishing injury in fact, causation, and redressability. The injury alleged must be “concrete, particularized, and actual or imminent.”  For a threatened injury to be sufficient to confer Article III standing, it must be “certainly impending.”  In this case, the court found that the plaintiff failed to allege facts showing that he has suffered an actual or imminent injury.  First, according to the court, the mere fact that the plaintiff’s information was accessed during the data breach is insufficient to establish injury in fact. Second, despite alleging that all members of the putative class had suffered actual identity theft, the court found that plaintiff’s “true argument” was that class members suffered an increased risk of future identity theft or identity fraud.  However, plaintiff failed to allege sufficient facts showing that the alleged future injury was certainly impending, especially in light of the fact that there was no evidence that any financial information or Social Security numbers were accessed during the data breach.  Third, mitigation expenses do not qualify as an injury in fact when the alleged harm is not imminent.

A copy of the decision is available by clicking here.

Reporter, Ashley B. Guffey, Atlanta, + 1 404 572 2763, aguffey@kslaw.com.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising

Written by:

King & Spalding
Contact
more
less

King & Spalding on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.