On May 4, 2015, the U.S. District Court for the Eastern District of Louisiana held that a putative class plaintiff lacked standing to pursue claims against eBay Inc. (“eBay”) arising out of a data breach that occurred in February and March 2014.  In dismissing the putative class action, the court found that the increased risk of future identity theft or identity fraud posed by a data security breach did not confer Article III standing on individuals whose information was compromised by the data breach but had not yet been misused.

Following the 2014 data breach, plaintiff Collin Green filed a 10-count consumer privacy putative class action against eBay on behalf of himself and all eBay users in the United States whose personal information was accessed during the data breach.  The plaintiff alleged that as a result of the data breach,  users’ names, encrypted passwords, dates of birth, email addresses, physical addresses, and phone numbers were compromised, but there was no indication that any financial information was accessed or stolen.

eBay moved to dismiss the complaint, arguing that Green, the sole named plaintiff, had failed to allege a cognizable injury in fact and thus lacked Article III standing to pursue the case against it.  Green, on the other hand, argued that the class action complaint sufficiently alleged injury-in-fact because the plaintiff and the putative class members were “now subject to the ‘statistically certain threat’ of identity theft or identify fraud, and they have incurred, or will incur, costs to mitigate that risk.”

To show standing pursuant to Article III of the Constitution, a plaintiff bears the burden of establishing injury in fact, causation, and redressability. The injury alleged must be “concrete, particularized, and actual or imminent.”  For a threatened injury to be sufficient to confer Article III standing, it must be “certainly impending.”  In this case, the court found that the plaintiff failed to allege facts showing that he has suffered an actual or imminent injury.  First, according to the court, the mere fact that the plaintiff’s information was accessed during the data breach is insufficient to establish injury in fact. Second, despite alleging that all members of the putative class had suffered actual identity theft, the court found that plaintiff’s “true argument” was that class members suffered an increased risk of future identity theft or identity fraud.  However, plaintiff failed to allege sufficient facts showing that the alleged future injury was certainly impending, especially in light of the fact that there was no evidence that any financial information or Social Security numbers were accessed during the data breach.  Third, mitigation expenses do not qualify as an injury in fact when the alleged harm is not imminent.

A copy of the decision is available by clicking here.

Reporter, Ashley B. Guffey, Atlanta, + 1 404 572 2763, aguffey@kslaw.com.