Seemingly not a day goes by without news of another major data breach. In the past few weeks, Yahoo! announced that at least 500 million of its user accounts were stolen in 2014, hot on the heels of Dropbox’s announcement that more than 68 million of its accounts were compromised.  Data breach announcements by major companies are inevitably swiftly followed by class action complaints alleging a bevy of state and common-law claims.  Yet despite the ubiquity of this litigation, courts’ jurisprudence regarding what plaintiffs must plead to have standing and to state a claim arising from an alleged data breach continues to be unpredictable.  The source of this difficulty is a thorny question: what injury must plaintiffs allege to have standing and to adequately plead their claims in the wake of an announcement that their personal information has been stolen?

As the Supreme Court held in Clapper v. Amnesty Int’l, USA, for a plaintiff to establish an injury in fact sufficient to demonstrate standing, she must plead an injury that is “sufficiently impending.”  While plaintiffs need not “demonstrate that it is literally certain that the harms they identify will come about,” “allegations of possible future injury are not sufficient” and the plaintiff must demonstrate a “substantial risk” of harm that caused her to “reasonably incur costs to mitigate or avoid that harm.”   In the context of data breach litigation, courts have varied in how they apply this test in cases where plaintiffs allege that the theft of their personal information put them at “substantial risk” of identity theft.  Most courts have held that the mere allegation that stolen information may be misused is insufficient to establish an injury-in-fact necessary for Article III standing.  For example, in In re Science App. Int’l Corp. Backup Data Theft Litig., Judge Boasberg of the District of Columbia (citing a string of similarly-decided cases) held that the mere increased risk of identity theft, and plaintiffs’ expenditures in purchasing identity theft protection, were insufficient to confer standing.  But other courts have not followed suit, reasoning that sophisticated hacks are made for only one purpose: to obtain and then misuse personal information, which naturally injures innocent individuals.  As Judge Koh of the Northern District of California put it in finding standing for injuries arising from a hack of Adobe’s servers, “after all, why would hackers target and steal personal customer data if not to misuse it?”

Injury-in-fact jurisprudence seemed to grow only more convoluted when the Court of Appeals for the Seventh Circuit decided Remijas v. Neiman Marcus Group, LLC in 2015.  In Neiman Marcus, the Seventh Circuit held that plaintiffs’ allegations that hackers deliberately targeted Neiman Marcus to obtain their credit card information were sufficient to establish an injury-in-fact.  Cautioning that it was “important not to overread Clapper,” the Seventh Circuit echoed Judge Koh’s rhetorical question (albeit without attribution), asking, “Why else would hackers break into a store’s database and steal consumers’ private information?”  The Seventh Circuit also noted that Neiman Marcus offered credit and identity theft protection services to customers, reasoning that the retailer’s actions demonstrated the substantial risk of harm because “it is unlikely that it did so because the risk is so ephemeral that it can safely be disregarded.”  In holding that plaintiffs established injury-in-fact sufficient to confer standing, the Seventh Circuit seemingly created a circuit split with the Third Circuit, which considered nearly identical claims and rejected them in Reilly v. Ceridian Corp.

Yet even within the Seventh Circuit, courts continue to grapple with what plaintiffs must plead regarding their alleged injury. In an October 3, 2016 decision in In re Barnes & Noble Pin Pad Litig., Judge Wood of the Northern District of Illinois held that plaintiffs’ claimed injuries resulting from hackers’ theft of their personal information through Barnes & Noble’s PIN pads sufficed to establish standing following Remijas. However, the court nevertheless dismissed plaintiff’s claims for failure to state a claim.  The court reasoned that several of plaintiffs’ claims required that they plead economic damages and noted that plaintiffs did not plead any actual monetary loss as a result of the data breach.  The court also dismissed plaintiffs’ common-law claim for invasion of privacy for failure to plead that the accessed personal information had been widely disseminated or that its disclosure was embarrassing to the plaintiffs.

The question arises whether the court’s decision in Barnes & Noble was simply a pleading failure that will be rectified by the plaintiffs’ bar – in future cases, plaintiffs might plausibly plead economic injuries resulting from identity theft or fraudulent charges.  Additionally, plaintiffs frequently pursue negligence claims on the theory that the breached company failed to employ reasonable information security measures, a claim that was absent in Barnes & Noble but might have survived under Judge Wood’s analysis.  The state of data breach litigation is further complicated by the FTC’s stance that unreasonable information security measures may violate the FTC Act even absent identifiable harm to consumers.  In sum, the state of data breach litigation, and courts’ approach to plaintiffs’ alleged injuries, remains in flux.  McGuireWoods LLP data privacy and class action attorneys will continue to monitor and report trends in data breach litigation.