BreachExchange mailing list archives

Does Clapper Silence Data Breach Litigation? A Two-Year Retrospective


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 25 Feb 2015 19:16:34 -0700

http://www.infolawgroup.com/2015/02/articles/breach-notice/does-clapper-silence-data-breach-litigation-a-two-year-retrospective/


This February 26, 2015, marks the two-year anniversary of the U.S. Supreme
Court’s decision in Clapper v. Amnesty International USA,[1] which required
plaintiffs to allege that a threatened injury is “certainly impending” in
order to constitute an injury-in-fact sufficient to convey Article III
standing. In this time, federal district courts in at least twelve data
breach cases have applied Clapper.[2] While the majority of these courts
have concluded that Clapper mandates dismissal for a lack of standing, some
courts have found that standing exists. This article provides an overview
of these cases and highlights certain considerations that impacted the
courts’ analysis in determining whether standing exists.

The Clapper Decision

Clapper addressed the standing requirements under Article III of the U.S.
constitution.[3] In the case, the Supreme Court made a number of statements
that district courts have found relevant to data breach cases. However,
Clapper itself was completely unrelated to a data breach – the case
involved a challenge to the constitutionality of amendments to the Foreign
Intelligence Surveillance Act of 1978 (“FISA”) that permit the government
to engage in certain surveillance activities. US attorneys, human rights
organizations, and other entities who believed their sensitive
international communications would be subject to surveillance under the
amendment sued for a declaration that the amendment was unconstitutional.

The Supreme Court declined to address the constitutionality of the
amendments because it concluded that the Clapper plaintiffs lacked
standing. The Court stated that a “threatened injury must be certainly
impending to constitute injury in fact,” and that “allegations of possible
future injury” are not sufficient.[4] The Clapper plaintiffs did not meet
this standard. The Court considered the plaintiffs’ fear of government
monitoring pursuant to the new statutes to be “highly speculative” and
dependent upon “a highly attenuated chain of possibilities.”[5] According
to the Court, this mere fear is insufficient to convey standing. Further,
the Court explained that the plaintiffs “cannot manufacture standing merely
by inflicting harm on themselves based on their fears of hypothetical
future harm that is not certainly impending” – i.e., that alleged costs and
burdens incurred in response to their fear of surveillance (e.g., travel
costs to have in-person meetings) do not create standing because the harm
they seek to avoid is not certainly impending.[6] The Supreme Court
reversed and remanded. Defense attorneys and courts have applied this
language from Clapper to data breach cases.

Types of Data Breaches

The types of data breaches at issue in the cases citing Clapper can be
classified into three broad categories:

- Hacking: Hacking is by far the most common type of data breach at issue
in the cases citing Clapper, accounting for seven of the twelve cases.
Galaria v. Nationwide Mutual Insurance Co.,[7] Strautins v. Trustwave
Holdings, Inc.,[8] In re Sony Gaming Networks and Customer Data Security
(“Sony”),[9] Remijas v. Neiman Marcus Group, LLC,[10] Lewert v. P.F. Chang’s
China Bistro, Inc.,[11] Peters v. St. Joseph Servs. Corp,[12] and In re
Adobe Sys. Privacy Litig. (“Adobe”),[13] all involved hackers accessing a
network and stealing personal information. In these cases, various types of
information were exposed or stolen, ranging from general PII, to Social
Security Numbers, payment card data, medical information, and tax records.
Only two of these cases – Sony and Adobe, both from California federal
courts – survived a Clapper challenge.
- Physical Theft: Polanco v. Omnicell, Inc.,[14] In re Science Applications
International Corp. (SAIC) Backup Tape Data Theft Litigation,[15] and
Tierney v. Advocate Health & Hosps. Corp.[16] involved physical theft. In
Polanco, an unencrypted laptop was stolen; in Tierney, four desktop
computers; and in SAIC, backup tapes containing unencrypted data. Only some
of the Tierney plaintiffs’ claims survived a Clapper attack.
- Point of Sale Attacks: In re Barnes & Noble PIN Pad Litigation
(“B&N”)[17] and Moyer v. Michaels Stores, Inc.[18] involved attacks at a
retail point-of-sale – through credit card skimmers in B&N and through
malware in Moyer. Moyer survived a Clapper challenge.

Because the focus of an Article III standing analysis is on a plaintiff’s
injury, the form of the attack itself is not dispositive of whether
standing will be found. However, in finding standing, the Adobe court, for
example, found significance in certain allegations surrounding the attack –
e.g., that “hackers deliberately targeted Adobe’s servers and spent several
weeks collecting names, usernames, passwords, email addresses, phone
numbers, mailing addresses, and credit card numbers and expiration dates”
and used Adobe’s own systems to decrypt credit card numbers.[19] Partly
because of the hackers’ alleged behavior, the court was willing to conclude
that there was an “immediate and very real” risk of harm. However,
information is “deliberately targeted” in many data breach cases – for
example, in B&N, thieves used credit card skimmers – a deliberate action
targeting payment card data, but the court did not find standing. Future
data breach cases may further explore whether, and how, the specifics of a
criminal’s acts affect the standing analysis.

Cases Applying Clapper to Dismiss Data Breach Cases

Several courts have dismissed data breach claims, at least based in part on
Clapper.[20] Although a full analysis of each of these opinions is beyond
the scope of this article, some observations can be distilled from these
opinions:

- These courts were generally hostile to the notion that a mere risk of
identity theft is sufficient to establish standing. The B&N court explained
that an alleged “risk to Plaintiffs of suffering some actual injury due to
the security breach” – such as identity theft – is insufficient to convey
standing.[21] The Galaria court explained that “an increased risk of
identity theft, identity fraud, medical fraud or phishing is not itself an
injury-in-fact” without allegations or facts suggesting that this harm is
“certainly impending.”[22] The Polanco court similarly concluded that the
mere threat of a possible future injury is insufficient to convey standing.
These holdings demonstrate the high bar that plaintiffs face in
establishing standing, particularly when there is a rush to the courthouse.
Actual harm from a data breach may not materialize or become known until
months or years after the breach, which suggests that a case that would
survive a Clapper attack may need to be brought much later than current
cases have been filed. However, the fact that it may take months or years
for injury to surface may also make it difficult to prove causation.

- Some courts determined that actual fraudulent charges – but ones that the
plaintiffs were not held financially responsible for paying – were not
concrete injuries sufficient to convey standing. The Remijas and Lewert
courts both reached this conclusion. The Remijas court also considered it a
“leap too far” to conclude that individuals who actually had fraudulent
charges on their credit cards were “also at a certainly impending risk of
identity theft.”[23] Thus, the Remijas court drew an important distinction
between fraudulent charges and identity theft – an issue that courts
sometimes gloss over. While fraudulent charges can be reversed and credit
cards can be reissued, actual identity theft, involving the fraudulent use
of personal information to open new accounts and incur debts, likely poses
much more harm to a plaintiff.

- Some data breach claims are very hypothetical or speculative. The Peters
court took the plaintiff to task for her inability to “describe how she
will be injured without beginning the explanation with the word ‘if’” – the
plaintiff “might be able to demonstrate harm if third parties become aware
of her exposed information and reveal their interest in it; if they form an
intent to misuse her information; and if they take steps to acquire and
actually use her information to her detriment.”[24] Similarly, to
demonstrate just how attenuated the risk of identity theft actually is, the
Strautins court laid out the hypothetical chain of events that would need to
occur for plaintiffs to suffer harm sufficient to confer standing: for
plaintiffs to become victims of identity theft, (a) their
data would actually need to have been taken, (b) subsequently sold or
otherwise transferred, (c) attempted to have been used, and then (d)
successfully used by an acquirer.[25] The court considered the harm alleged
by the plaintiff to be “contingent on a chain of attenuated hypothetical
events and actions by third parties independent of the defendant.”[26] The
Strautins court also observed that the complaint, which was filed a
mere three weeks after the data breach was announced, provided “no basis to
believe that any of these events have come to pass or are imminent.”[27]
This example demonstrates well just how many intervening acts are necessary
for actual harm to befall a potential plaintiff in many data breach cases.

- Attempting to quantify an increased risk – even with big numbers –
doesn’t necessarily make that risk any more relevant for purposes of
standing. The plaintiffs in both Galaria and SAIC claimed that they were 9.5
times more likely than the general public to become victims of theft or
fraud as a result of the lost data; however, both courts concluded that
these allegations are immaterial. The SAIC court explained: “The degree by
which the risk of harm has increased is irrelevant—instead, the question is
whether the harm is certainly impending.”[28] The Galaria court stated: “a
factual allegation as to how much more likely they are to become victims
than the general public is not the same as a factual allegation showing how
likely they are to become victims.”[29] For example, if the baseline risk of
becoming a victim of some type of harm is 0.01%, then a ten-fold, or even
perhaps 100- or 1,000-fold increase in that risk (resulting in an actual
risk of 0.1%, 1% or 10%, respectively) may not mean that the increased risk
is “certainly impending.” What matters is the actual risk of becoming a
victim – not the multiplier.

- Plaintiffs may not be able to recover their actual expenditures that were
incurred based on their fear of harm. Some of these decisions focused on
the “manufacture[d] standing” concept from Clapper to reject alleged costs
incurred to guard against a future hypothetical harm that is “not certainly
impending.”[30] The SAIC court explained: “There is . . . nothing
unreasonable about monitoring your credit after a data breach . . . [but]
proactive measures based on fears of future harm that is not certainly
impending do not create an injury in fact, even where such fears are not
unfounded.” [31] In Polanco, where the plaintiff later sought medical
treatment at a hospital that was not affected by the data breach, the
alleged expenses did not create standing because they were “based entirely
on her speculative belief” that the plaintiff’s personal or health
information would be lost again by the defendants.[32] The language from
these cases sets a high bar for plaintiffs to recover their expenditures
based on their own fear, even if that fear is reasonable.

Cases Concluding that Clapper Does Not Mandate Dismissal

A small number of courts have concluded that some data breach cases
sufficiently allege Article III standing:

- The Clapper standing analysis may be too rigorous for cases not involving
national security or constitutional questions. The Moyer court concluded
that the plaintiffs had standing, creating a split of authority within the
Northern District of Illinois. The Moyer court noted that Clapper analyzed
imminence in an “especially rigorous” manner to avoid ruling on the
constitutionality of the FISA amendments and questioned whether the same
rigorousness was necessary in a case that did not present national security
or constitutional issues. The Moyer court also noted that in a subsequent
case not involving national security,[33] the Supreme Court described
the imminence requirement in a “less demanding” manner than in Clapper.
Accordingly, the Moyer court concluded that “a credible, non-speculative
risk of future harm” remained sufficient to confer standing, consistent
with the Seventh Circuit’s prior decision in Pisciotta v. Old Nat’l
Bancorp.[34] However, the court dismissed the case in its entirety for failure to
state a claim. In contrast, the Strautins court concluded that Clapper
superseded Pisciotta.

- District courts may be reluctant to conclude that Clapper impliedly
overruled their earlier circuit precedent. The Sony court concluded that
the Supreme Court did not set forth a new Article III framework in Clapper
or overrule previous precedent requiring only that harm be “real and
immediate.”[35] Therefore, both Clapper and the Ninth Circuit’s earlier
decision in Krottner v. Starbucks Corp.,[36] which found standing based on a
“credible threat of harm” that was “both real and immediate, not
conjectural or hypothetical,” controlled the outcome of the case. The Sony
court explained that there was no need for allegations that personal
information was actually accessed by a third party; and that because the
plaintiffs alleged a “credible threat of impending harm” based on the
disclosure of their PII following the breach, the plaintiffs had standing.
Nevertheless, the court proceeded to dismiss the majority of the counts for
failure to state a claim.

- Hacking that deliberately targets personal information, and which results
in that information being posted on the internet, may create a sufficient
risk to convey standing. The Adobe court also concluded that
Krottner remained viable, but it found standing independently of that
determination. The Adobe court determined that there was an “immediate and
very real” risk of harm based on the plaintiffs’ allegations that “hackers
deliberately targeted Adobe’s servers and spent several weeks collecting
names, usernames, passwords, email addresses, phone numbers, mailing
addresses, and credit card numbers and expiration dates,” used Adobe’s own
systems to decrypt credit card numbers, and because some of the stolen data
had already surfaced on the internet.[37]

Conclusion

As data breach litigation does not look like it will be stopping any time
soon,[38] a body of district court case law applying Clapper will continue
to develop. The first circuit court case law applying Clapper to data
breach cases may be issued this year, as several decisions discussed above
are already on appeal.[39] To the extent that conflicting appellate
precedent develops, a data breach case may even reach the Supreme Court in
the years ahead. Although Clapper is proving to be a useful tool for many
data breach defendants, cases decided under Clapper in the past two years
demonstrate that the decision will not likely end all data breach
litigation. Cases where the plaintiffs state a credible injury will still
be permitted to proceed – but these cases appear to be the exception. In
addition, because Clapper only addresses the question of standing in
federal courts, data breach litigation may be able to proceed in state
court. Companies defending against data breach claims will likely want to
be on the lookout for appellate opinions applying Clapper and to monitor
district court cases applying Clapper.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss