Illinois Appellate Court Finds Increased Risk of Harm from Data Breach Insufficient to Confer Standing

As has been previously reported here, a series of recent federal court decisions has suggested a trend in data breach litigation – that an increased risk of harm will be sufficient to satisfy the injury-in-fact requirement for Article III standing. In fact, less than three weeks ago, the Seventh Circuit Court of Appeals revived a previously-dismissed data breach class action lawsuit, ruling that plaintiffs did not have to wait until hackers actually committed identity theft in order to establish standing. On August 6, 2015, the Illinois Appellate Court held exactly the opposite.

In Maglio v. Advocate Health and Hospitals Corporation, several plaintiffs sued Advocate Health and Hospital after computers containing patients’ personal information were stolen. 2015 IL App (2d) 140782 (August 6, 2015). Plaintiffs did not allege that their personal information was used in any unauthorized manner as a result of the burglary, but they claimed that they faced an increased risk of identity theft and identity fraud. Advocate Health moved to dismiss the complaint, arguing that mere stolen information is insufficient to establish standing, because an increased risk of identity theft and/or identity fraud is too speculative to constitute cognizable injury-in-fact.

Affirming the trial court’s dismissal of the action, the Illinois Appellate Court agreed with the defendant’s argument, concluding that the increased risk of harm arising out of a data breach is inadequate to confer standing on consumers. The Illinois Appellate Court noted the similarity between Illinois’ and federal standing principles, and relied for the most part on federal decisions, including Clapper v. Amnesty International USA, Inc., 133 S.Ct. 1138 (2013) – a case which the Seventh Circuit interpreted as not completely foreclosing the use of future injuries to support Article III standing. Yet, in stark contrast to recent federal court decisions, the Illinois Appellate Court opined that where no identity theft had yet occurred, the elevated risk of such harm was too speculative and conclusory to be considered a distinct and palpable injury.

The plaintiffs in Maglio also tried to achieve standing by alleging that they suffered emotional injury as a result of the data breach, such as anxiety, and that their privacy had been invaded. Again, the court found such allegations to be speculative and therefore insufficient, absent allegations of actual disclosure of personal information.

We expect to see fewer data breach class actions being filed in Illinois state courts – long criticized as plaintiff-friendly venues – and an uptick in federal court filings. The full opinion is available here.

Seventh Circuit Revives Consumer Class Action Relating To Neiman Marcus Data Breach

On Monday July 20, 2015, the Seventh Circuit Court of Appeals weighed in on the hotly-contested issue of standing in data breach class action litigation. In so doing, the Court reversed the district court’s dismissal of a consumer class lawsuit against luxury department store Neiman Marcus, holding that the plaintiffs had successfully alleged the concrete, particularized injuries necessary to support Article III standing.

This lawsuit arose in January of 2014, when Neiman Marcus publicly disclosed that it had suffered a major cyberattack, in which hackers collected the credit card information of approximately 350,000 customers. Soon after this disclosure was made, a number of consumers filed a class action lawsuit in the United States District Court for the Northern District of Illinois, alleging that Neiman Marcus put them at risk for identity theft and fraud by waiting nearly a month to disclose the data breach. In September 2014, the district court dismissed the case, ruling that both the individual plaintiffs and the class lacked standing under Article III of the Constitution.

On appeal, the Seventh Circuit analyzed the injuries the Neiman Marcus consumers claimed to have suffered in order to determine whether they constituted the type of “concrete and particularized injury” required to establish standing. In this instance, plaintiffs alleged lost time and money spent in protecting against fraudulent charges and future identity theft, as well as two “imminent injuries:” an increased risk of future fraudulent charges and greater susceptibility to identity theft. The Seventh Circuit ultimately determined that these allegations sufficiently established standing, as they showed a “substantial risk of harm” from the Neiman Marcus data breach. Importantly, the Court explained that the Neiman Marcus customers did not have to wait until hackers actually committed identity theft or credit-card fraud to obtain class standing, as there was an “objectively reasonable likelihood” that such an injury would occur. The full opinion is available here.

This ruling is consistent with decisions from several other courts across the country. See, e.g., In re Sony Gaming Networks and Customer Data Security Breach Litigation, 996 F.Supp.2d 942 (S.D. Cal. 2014); Moyer v. Michaels Stores, Inc., No. 14 C 561, 2014 U.S. Dist. LEXIS 96588, 2014 WL 3511500 (N.D. Ill. July 14, 2014); In re Adobe Systems Inc. Privacy Litigation, No. 13-cv-05226-LHK, 2014 U.S. Dist. LEXIS 124126, 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014); Michael Corona, et al. v. Sony Pictures Entertainment, Inc., No. 2:14-cv-09600-RGK-E (C.D. Cal. June 15, 2015). Earlier this year, in a comprehensive article on standing in data breach cases (available here), our firm questioned whether opinions of this nature were indicative of a trend or were anomalies. The Seventh Circuit’s ruling this week and the Central District of California’s ruling in Corona last month suggest it is in fact a trend. If the trend continues, consumers nationwide may find it easier to survive a motion to dismiss based on a lack of standing.

Please continue to monitor our blog for the latest news on data breach litigation and other privacy laws.

Corona Class Action Against Sony Pictures Survives Motion to Dismiss

After the highly publicized cyber-attack on Sony Pictures Entertainment, Inc., which has been attributed to the so-called Guardians of Peace, Michael Corona, and eight other former Sony employees whose personal information was stolen, filed a class action asserting claims for: (1) Negligence; (2) Breach of Implied Contract; (3) Violation of the California Customer Records Act; (4) Violation of the California Confidentiality of Medical Information Act; (5) Violation of the Unfair Competition Law; (6) Declaratory Judgment; (7) Violation of Virginia Code § 18.2-186.6, and (8) Violation of Colorado Revised Statutes § 6-1-716.

Sony filed a motion to dismiss arguing that the Central District of California lacked subject matter jurisdiction over the action. Specifically, Sony argued that the plaintiffs lacked Article III standing, because they failed to allege a current injury or threatened injury that was certainly impending. Sony further argued that, even if plaintiffs had standing, the suit must be dismissed for failure to state a claim.

On June 15, 2015, the court ruled on the motion to dismiss. The court disagreed that plaintiffs’ allegations were insufficient to establish standing. Relying on Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), Clapper v. Amnesty International USA, Inc., 133 S.Ct. 1138 (2013), and In re Adobe Systems, Inc. Privacy Litigation, 2014 WL 4379916, the court determined that the plaintiffs need only allege a credible threat of real and immediate harm, or certainly impending injury—not a current injury—which they had done by alleging their information was stolen, posted on file-sharing websites for identity thieves to download, and was used to send emails threatening physical harm to employees and their families.

The court’s ruling is consistent with other recent rulings in California, which suggests this is a trend in the prosecution of data breach claims rather than just an outlier. (To read more on this subject, please see our article published in DRI’s For the Defense in February 2015, available here.)

The court then turned to the merits of plaintiffs’ claims. It dismissed four of plaintiffs’ claims and a portion of plaintiffs’ negligence claim. The court dismissed the plaintiffs’ negligence claim to the extent it was based on an increased risk of future harm, as there was no cognizable injury. The court also dismissed plaintiffs’ breach of implied contract claim, finding that, while there was an implied employment contract, there was no indication Sony intended to frustrate the agreement by consciously and deliberately failing to maintain an adequate security system. The court dismissed the California Customer Records Act claim because the plaintiffs were not damaged as Sony customers. Further, the court dismissed plaintiffs’ claims for violation of the Virginia Code and the Colorado Consumer Protection Act, because plaintiffs failed to allege injury resulting from the alleged untimely notification.

Plaintiffs’ negligence claim survived to the extent it was based on actual damages, such as costs associated with credit monitoring, password protection, freezing/unfreezing of credit, obtaining credit reports, and penalties resulting from frozen credit; even though these costs were prophylactic in nature, they were reasonable and necessary. The court denied the motion to dismiss with respect to plaintiffs’ claim for violation of California Business and Professions Code Section 17200 on the same basis.

Finally, the motion was denied with respect to the California Confidentiality of Medical Information Act claim, because negligent maintenance of records, which allows someone to gain unauthorized access, may constitute a negligent release of medical information within the meaning of the Act. The plaintiffs did not need to allege an affirmative act to maintain this cause of action.

Please continue to monitor our blog for more updates on the Corona case and other news on privacy and data security.

Target Ends Dispute With Mastercard Over 2013 Data Breach

Following the highly publicized data breach affecting Target retail stores in 2013, the retail giant has agreed to pay up to $19 million to MasterCard credit card issuers worldwide to compensate them for the costs of canceling accounts, creating new accounts, and issuing new cards. MasterCard is urging card issuers to accept the deal, which calls for Target to pay the card issuers by the end of the second quarter.

In late 2013, Target suffered a massive data breach in which 110 million customer records were stolen, which included 40 million credit card numbers. In an attempt to be proactive, Target informed financial institutions about credit cards that may have been compromised and offered free credit counseling to its consumers to combat the onslaught of litigation that was to follow. As a result of the breach, which was highly publicized, many other retail establishments became victims of their own data breaches, spurring numerous lawsuits nationwide.

Apart from individual consumers filing class action lawsuits across the country against Target, credit card issuers, which include banks, credit card companies, and other financial firms, incurred hard costs of cancelling accounts and issuing replacement cards with new account numbers. While individual consumers filing data breach lawsuits had to overcome Clapper in arguing that an injury-in-fact did occur instead of speculative damages, credit-card issuers and financial institutions had actual damages to move forward on their claims. As a result, Target has negotiated a deal only with MasterCard to this point. It is possible that Target is also negotiating a similar agreement with Visa.

Image courtesy of Flickr by Mike Mozart

‘Twas the Season for Data Breaches

With the recent hacks into Sony’s system and the emails sent to Home Depot’s customers regarding the breach of its system, data breach is no longer some fantastical notion that only plays out in a 1980s sci-fi movie. It is a real threat to businesses and their employees and customers, and that threat rises during the holiday season, when the average consumer spends approximately $800 on gifts for family, friends, and co-workers.

Venture back with me to December 2013, when Target Corporation announced that it was hacked, which resulted in 110 million of its customers having their credit- and debit-card information stolen. When I came across a recent ruling in that case, my reaction was: “Oh, yes. I vaguely remember that happening,” and I might have even been a customer who received an email from Target explaining the breach. My point is that, as consumers, the shock has worn off, and we are not surprised to hear about such breaches. But businesses cannot be so cavalier—the courts require vigilance in the protection of data.

As we have reported on our blog, multiple lawsuits arose shortly after Target’s announcement, resulting in the consolidation of all federal cases into In re: Target Corp. Customer Data Security Breach Litig., which involved claims brought by financial institutions on one hand, and by consumers on the other. Just last month, the District of Minnesota ruled largely in favor of the financial institutions on Target’s motion to dismiss, making it clear that Target breached its duty to maintain adequate security systems.

Just in time for the holiday season, the now famous Sony breach (which, in part, resulted in the cancellation of most theater showings of the movie, “The Interview”) has triggered at least five class-action complaints filed in California federal court against Sony Pictures Entertainment, Inc. The hacking incident allegedly exposed volumes of confidential emails, social security numbers, and salary and medical information of Sony’s former and current employees. The gist of the complaints is that Sony, despite being aware that hackers were able to breach their system, “failed to develop, maintain, and implement internet security measures on its corporate network,” and this led to the catastrophic data breach that one complaint calls an “epic nightmare.” Just last week at the Consumer Electronics Show, Sony’s CEO, Kazuo Hirai, described the hack, noting that Sony and its current and former employees “were the victim[s] of one of the most vicious and malicious cyber attacks in recent history.”

The class action filed in Los Angeles Superior Court also blames Sony for its decision regarding “The Interview,” since the film allegedly sparked the ire of hackers who were not pleased with the subject matter (a planned talk show assassination of North Korea’s leader, who was heavily parodied). In addition to its limited theatrical release, it was recently reported that the film has earned over $30 Million in online and on demand sales.

It is too early to predict the outcome of these actions, but it is likely that the federal complaints regarding Sony will ultimately be consolidated. As with most data breach cases, we anticipate heavily briefed motions to dismiss on standing and other grounds. We will, of course, track these cases and provide updated reports as developments unfold.

Privacy Class Action Dismissed for P.F. Chang’s

P.F. Chang’s has a reason to celebrate this holiday season: A judge recently dismissed a data breach class action lawsuit against the Chinese-inspired restaurant chain, citing the failure of the two plaintiffs to describe any injury for which relief could be granted. The ruling itself is available here.

In the action, the plaintiffs John Lewert and Lucas Kosner filed a class action complaint against P.F. Chang’s arising from a data breach involving theft of customers’ credit card and debit card data. The plaintiffs alleged that P.F. Chang’s had failed to comply with reasonable security standards; one report estimated that nearly seven million cards were compromised as a result of the breach, which dated as far back as September 18, 2013.

Following the discovery by the U.S. Secret Service of the data compromise, P.F. Chang’s confirmed that identity thieves had used personal identifying data to steal individuals’ identities and, inter alia, open financial accounts and receive government benefits under those names.

In the lawsuit, the plaintiffs had alleged that they incurred several types of damages in that they overpaid for products/services purchased from P.F. Chang’s, which included overpayment for putative compliance with industry standard measures for the collection and safeguarding of personally identifiable information. The plaintiffs also claimed that they had suffered actual damages from monetary losses arising from unauthorized bank account withdrawals and/or related bank fees. The plaintiffs further claimed damages arising from costs associated with identity theft and the increased risk of identity theft, and claimed opportunity cost and value of time spent monitoring financial and bank accounts, including the cost of obtaining replacement cards.

In ruling on P.F. Chang’s motion to dismiss, the court did not deny there was a theft of customers’ credit card information from the security breach. However, the court relied on authority that future injury regarding the release of data is not a current injury in fact. Accordingly, the court ruled that the plaintiffs had suffered no injury, and found unconvincing the argument that the plaintiffs had been overcharged, since there was no indication that P.F. Chang’s had charged more for people who paid via credit/debit cards as compared to those who paid by cash.

The court also ruled that there was no economic injury involved with the time the plaintiffs incurred to replace any credit card, and so no opportunity costs or damages arose from this aspect. Finally, the court held that a party cannot manufacture standing unless they can show that the harm of identity theft is imminent. The court found that the potential threat of identity theft was eliminated after the customers in this case cancelled the cards that were involved in the security breach.

This ruling is being appealed to the Seventh Circuit. We will continue to monitor the impact of this ruling on future data breaches involving similar factual and legal issues.

Image courtesy of Flickr by Mark Crawley

With Data Breach Class Actions on the Rise, Clapper Provides a Viable Defense

With recent data breaches at Home Depot, Target, Jimmy John’s, eBay, Neiman Marcus, P.F. Chang’s, Goodwill Industries, CNET, and others, there has been a resultant explosion of cybersecurity litigation. Despite the rise in this area of litigation, data breach lawsuits still have to overcome a major hurdle – the standing requirement enunciated in Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138 (2013).

In Illinois, a number of such lawsuits were filed in the wake of Advocate Medical Group’s revelation that four laptops were stolen from its offices, containing the unencrypted personal health information of more than 4 million patients. In one such putative class action, Vides v. Advocate Health and Hospitals Corp., the state court followed the rationale of Clapper in rejecting the plaintiffs’ argument that an increased risk of identity theft is sufficient in and of itself to satisfy the “injury-in-fact” requirement necessary to establish standing.

In Vides, the plaintiffs’ theories of liability included common law negligence, violation of the Illinois Consumer Fraud and Deceptive Business Practices Act, violation of the Illinois Personal Information Protection Act, public disclosure of private facts, and intentional infliction of emotional distress. The court found that none of these, including the purported statutory violations, was adequate to confer standing on the plaintiffs, and that the damages asserted were too speculative to establish an injury in fact. In coming to that conclusion, Judge Mitchell Hoffman reasoned that there are a number of variables that would have to be answered in the affirmative to establish an injury in fact, such as whether a person’s data was actually taken, whether that data was sold or transferred, whether anyone attempted to use the person’s data, and whether they succeeded in using it. Because the plaintiffs could not allege that a threatened injury was certain as a result of the breach, the suit was dismissed in its entirety.

In coming to this ruling, the court noted that courts across the country had rejected the argument that risk of harm could equate to an injury in fact sufficient to satisfy Article III of the U.S. Constitution. In its survey of law on data breach class actions across the country, the court also distinguished Seventh U.S. Circuit Court of Appeals decisions holding that the mere increased risk of identity theft was sufficient to confer standing, since these decisions predated Clapper. Therefore, Clapper remains a tenuous obstacle for data breach lawsuits to overcome.

While the Clapper decision provides an excellent defense to data breach lawsuits, cybersecurity litigation remains on the rise. As such, companies should continue to be proactive in assessing their internal systems and procedures to prevent any data breaches from occurring.

Image courtesy of Flickr by Mike Mozart