Data Breach Claims: Lack Of Injury Means Lack Of Standing To Sue

Two recent federal court decisions follow a growing line of federal and state decisions dismissing tort and other claims in data breach cases on various grounds, including the notable challenge plaintiffs face in making out the element of injury to satisfy their pleaded claims. Most recently, on Sept. 3, 2013, the U.S. District Court for the Northern District of Illinois dismissed a class action against Barnes & Noble stemming from a credit card “skimming” incident that occurred in 2012. In re Barnes & Noble PIN Pad Litigation, No. 12-cv-8617 (N.D. Ill.). Holding that plaintiffs failed to satisfy the elements of Article III standing, the court dismissed all five pleaded causes of action: (1) breach of contract, (2) violation of the Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA), (3) invasion of privacy, (4) violation of the California Security Breach Notification Act, and (5) violation of the California Unfair Competition Act. The Barnes & Noble PIN Pad decision highlights the ongoing challenges faced by plaintiffs in data breach litigation to articulate injury both for purposes of Article III standing and in order to state a claim for relief.

Barnes & Noble uses PIN pads to process its customers' credit and debit card payments at retail stores. On Oct. 24, 2012, the company notified the public that it suffered a security breach. So-called “skimmers” may have stolen customer information from 63 locations in nine states, including Illinois and California. As described by the court and alleged in the complaint, “skimming” is a form of electronic hacking that enables the unauthorized collection of credit and debit card data. Barnes & Noble learned that the skimming took place six weeks before it gave timely notice to the public.

Following the announcement, four customers who made debit and credit card purchases at affected stores in Illinois and California filed suit, claiming they suffered many different types of damages due to the security breach, including: untimely and inadequate notification of the security breach, improper disclosure of their personal identification information or “PII,” loss of privacy, expenses incurred in efforts to mitigate the increased risk of identity theft or fraud, time lost mitigating the increased risk of identity theft or fraud, an increased risk of identity theft, deprivation of the value of plaintiffs’ PII, anxiety and emotional distress, and diminished value of products and services. One plaintiff also alleged she suffered a fraudulent charge on her credit card after the security breach.

In disposing of most of the claims asserted, the district court relied on the Supreme Court's 2013 decision in Clapper v. Amnesty Int’l USA, 122 S.Ct. 1138 (2013), wherein the court explained that an injury that is “certainly impending” can, in fact, be considered an injury for the purposes of standing, though “[a]llegations of possible future injury are not sufficient.” Thus, the allegation of mere increased risk of identity theft or fraud, even though couched as “substantial” in the complaint, did not meet the Clapper standing requirement of certain impending harm. Likewise, the court viewed the statutory claims to be deficient because plaintiffs merely pleaded violations of the statutes, but no injury. Moreover, the statutes themselves plainly state that the customer must suffer damages or injury.

As for the alleged loss of privacy and improper disclosure of plaintiffs’ PII, the court held that plaintiffs had not pleaded that their PII was in fact disclosed in the security breach. “The inference that their data was stolen, based merely on the security breach, is too tenuous to support a reasonable inference that can be made in plaintiffs favor.” Furthermore, again relying on Clapper, the court dismissed the claim that expenses incurred to mitigate an increased risk of identity theft or fraud because there was no imminent harm. In similar fashion, the court reasoned that emotional distress in the wake of a security breach is insufficient to establish standing, particularly absent any imminent threat that plaintiffs’ PII would be used in a malicious way.

The court had no difficulty dismissing the claim that plaintiffs had been deprived of the value of their PII, noting that plaintiffs would have to allege that they had the ability to sell their information and that a defendant sold the information. Plaintiffs made no allegation they could sell their PII. The court also saw no injury in the alleged claim that plaintiffs overpaid for Barnes & Noble products in light of security measures the company failed to provide, simply because there were no allegations that Barnes & Noble charged higher prices for transactions using debit and credit cards. Finally, the plaintiff who suffered a fraudulent charge on her card also failed to plead injury in fact. The credit card company contacted her, confirmed the charge was fraudulent, canceled her card and issued her a new card. She did not plead that she was required to pay the fraudulent charge. The court also noted that it was not directly apparent that the fraudulent charge had anything to do with the security breach at Barnes & Noble.

In the other recent case involving data breach claims, Benjamin Bell, et al. v. Blizzard Entertainment, Inc., No. 12-CV-09475-BRO (C.D. Cal.) (July 11, 2013), the U.S. District Court for the Central District of California granted defendant’s motion for judgment on the pleadings dismissing most of the claims brought against Blizzard Entertainment, Inc. refusing to allow common law claims to be asserted against Blizzard following a data breach the company incurred in 2012. This decision is another good example of the ongoing obstacles plaintiffs face in asserting such common law claims against entities that experience data security breaches. Lack of proof of damages remains the principal obstacle to such claims, although there were additional grounds for dismissal of the claims in this case also.

According to the decision, Blizzard develops video games for use online. To play a Blizzard game, customers are required to create a “Battle.net” account. When registering for the account, users agree to the account’s terms of use and privacy policy. The privacy policy provides assurances that Blizzard will take steps to store securely any personal information collected. In addition, Blizzard introduced a higher level of security in 2008 called “Authenticator,” which created a random code that account holders must enter when logging in.

In August 2012, Blizzard became aware that hackers gained access to account holders' email addresses, answers to personal security questions and cryptographically scrambled versions of Battle.net passwords. Hackers also accessed information that could compromise the integrity of certain Authenticators. Blizzard notified account holders within five days of learning of the security breach.

Subsequently, plaintiffs filed a class action complaint alleging various theories of fault for failure to protect account holders’ personal information. They asserted the following claims against Blizzard: (1) violation of the Delaware Consumer Fraud Act (CFA), (2) unjust enrichment, (3) negligence per se, (4) negligence, (5) breach of contract, and (6) bailment.

All of the common law claims failed to pass muster under applicable Delaware law. For the unjust enrichment claim, plaintiffs alleged that Blizzard was unjustly enriched when it sold games that lost value as a result of the security breaches, and then passed the costs associated with system security on to class members. The basis for plaintiffs' allegations stem from the assurances in Blizzard's terms of use and privacy policy. Having received payment for the games, but having failed to provide the security protections Blizzard promised, plaintiffs alleged, the company was therefore unjustly enriched. The court dismissed the claim because it was based on representations only from the terms of use and the privacy policy — a contract — and, accordingly, an unjust enrichment claim could not be asserted.

To make out their negligence per se claim, plaintiffs alleged that Blizzard failed to inform its users of the breach in a timely manner. Specifically, they claimed Blizzard violated Delaware’s Data Breach Notification Law (6 Del. C. Sec. 12B-101, et seq.), which requires notice to be given as soon as possible after an investigation determines that a misuse of a Delaware resident’s personal information as defined in the statute has occurred or is likely to occur. Plaintiffs alleged that Blizzard failed to give such required notice, which purportedly prevented plaintiffs from taking steps to protect their personal information. The allegations in the complaint, however, failed to plead that any of plaintiffs’ “personal information” as defined by the Data Breach Notification Law was taken, and failed to plead what data would be accessed if the hackers had gained access to their accounts. The court accordingly dismissed the negligence per se claim.

The heart of the case is found in the dismissal of the negligence and breach of contract claims, where the court held that plaintiffs failed to allege adequate harm. Plaintiffs did not allege actual identity theft harm. Rather, they alleged that because their private information was subjected to hackers, there was an increased risk of identity theft. Noting Delaware case law on point that held future risk of identity theft was not actionable harm to support a negligence claim, and noting that Delaware courts relied on similar decisions from other jurisdictions, the court rejected plaintiffs’ argument that the increased risk of future harm was sufficient to support their claims. Plaintiffs also argued that the security breach diminished the value of their video games. The court held that the economic loss doctrine barred recovery for the decreased value of the video games, since the product has only damaged itself, and purely economic loss has been incurred. Plaintiffs also alleged a claim for breach of contract, claiming that a constant threat of cybercriminal hacks caused a diminution of the value of their games. The court dismissed that claim as well because no damages were suffered, since the contract did not allow the users to sell their accounts. As a result, the value of the accounts before and after the security breach was effectively zero. Any alleged harm suffered by the plaintiffs as the result of the security breach was speculative. Both the negligence and breach of contract failed as a result.

Finally, the court rejected plaintiffs’ assertion that a duty of bailment was created when plaintiffs provided their personal information to Blizzard to create their accounts. The court noted that no court has held that personal information is chattel that can be bailed, and therefore the claim failed as a matter of law.

The court did allow claims under the CFA to proceed, though on very narrow grounds. Plaintiffs alleged that Blizzard violated the CFA by omitting or misrepresenting the quality of its security measures. They also alleged that Blizzard failed to inform account holders that the purchase of the Authenticator is required for account safety. The court found that plaintiffs did not adequately establish that Blizzard fraudulently misrepresented the security measures for plaintiffs' personal information. Also, the court determined that Blizzard did not violate the CFA by failing to tell account holders that they had to enter private information before playing games. But because Blizzard was unable to explain to the court why it failed to advise account holders that the purchase of the Authenticator at the point of sale would result in account safety, the court permitted the CFA claim to go forward on that ground.