In the November 25, 2020 edition of The Legal Intelligencer Edward T. Kang, managing member of Kang Haggerty wrote, “Data Breach Cases: An Analysis of Standing and Best Causes of Action.”
Despite the rules and security measures that many organizations put in place to protect the personal information of their clients or customers, sensitive information may still fall prey to hackers and other kinds of breaches. Those affected may seek counsel to aid in bringing suit to hold an entity liable for its intermediary role when a third party commits a data breach.. While data breaches have become too common, case law and statutory law governing redress for data breaches is limited. This column explores standing and potential causes of action in data breach suits.
Standing in data breach cases may be impacted or determined by various factors, including especially the types of information stolen, and the action taken after the breach. In Antman v. Uber Technologies, (N.D. Cal. Oct. 19, 2015), the trial court dismissed the plaintiffs’ argument that Uber’s failure to protect their data was sufficient to confer standing because, among other reasons, they failed to establish Article III standing. Article III standing has three constitutional requirements. The plaintiff must have: suffered some actual or threatened injury; the injury can fairly be traced to the challenged action of the defendant; and, the injury is likely to be redressed by a favorable decision.” See Legal Information Institute, “Constitutional Standards: Injury in Fact, Causation, and Redressability.” For example, the court in Antman stated that the plaintiffs had not adequately established injury. But, it suggested the result would have been different had Social Security numbers been stolen (stating that the plaintiff “specifies disclosure only of his name and drivers’ license information. It is not plausible that a person could apply for a credit card without a social security number … plaintiff alludes to the disclosure of unspecified ‘other personal information; this is insufficient’”).
Thus it is critical when attempting to establish standing under Article III in a data breach suit that the type of information stolen places plaintiff in danger of immediate harm (if the harm has not already occurred). Social Security numbers are the kind of information that would bring about such harm, while a name or address alone is not.
Also essential to standing is action taken after a data breach. In Engl v. National Grocers by Vitamin Cottage, Civil Action No. 15-cv-02129-MSK-NYW (D. Colo. Sept. 21, 2016), the court granted the defendant’s motion to dismiss for lack of standing because the “card issuer identified the fraudulent activity on his account and unilaterally exonerated Bernhard Engl of responsibility for the fraudulent charges; then closed the account associated with the stolen card number. This, it would seem, brought Engl’s exposure to any future harm from … the data breach to an end.” In other words, because he acted to mitigate his risk upon learning of the breach, plaintiff decreased his chances for recovery, since under Article III he could not sufficiently claim standing without having suffered actual harm.
Courts’ analyses of standing under Article III expand the constitutional requirements previously outlined. In Engl, the language of the opinion suggests that harm must not necessarily have been suffered at the time of the suit, but rather could be imminent. The U.S. Supreme Court made specific reference to this expansion in Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013), stating, “Our cases do not uniformly require plaintiffs to demonstrate that it is literally certain that the harms they identify will come about. In some instances, we have found standing based on a ‘substantial risk that the harm will occur.’” Still, even at the limits of interpretation, it must be objectively likely that harm will result from the breach in order to reach standing under Article III. Again, this is much easier to prove when information like Social Security numbers is stolen. Often, the two factors—the type of information stolen, and the action taken after the breach—reinforce one another to strengthen standing.
Another challenge in data breach suits is choosing the best cause of action. A wide array of causes of action have been used in such cases, including breach of contract, negligence, and even fraud. Breach of contract claims have been, for the most part, unsuccessful. But, a recent decision demonstrates that given certain factors these claims may survive the motion to dismiss stage of the litigation. In In re Marriott International Customer Data Security Breach Litigation, 440 F.Supp.3d 447 (D. Md. 2020), the court looked to objective manifestations of intent when considering the hotel’s privacy statements, which constituted the express contract in question. It found that the standard privacy statement used by the hotel did in fact represent an offer to protect guests’ personal information. Notably, while the court denied defendants’ motion to dismiss plaintiffs’ breach of contract claim, it granted defendants’ motion to dismiss plaintiffs’ negligence claim, reasoning that, “Illinois law does not impose a duty on retailers to safeguard personal information from cyberattacks.”
Failing in In re Marriott International, negligence claims have fared better in the courts generally. The Pennsylvania Supreme Court recently held that an employer owed employees a duty to exercise reasonable care to protect their personal information. See Dittman v. UPMC, 649 Pa. 496 (2018). More recently, the U.S. District Court for the Eastern District of Pennsylvania found that there was no duty of care for banks to noncustomers, yet did not rule out the possibility of other entities owing their customers a common law duty of care. See Fragale v. Wells Fargo Bank, (E.D. Pa 2020). This case is currently pending appeal in the U.S. Court of Appeals for the Third Circuit, though it is not expected that the Third Circuit will reverse the Eastern District of Pennsylvania’s decision.
In bringing data breach suits, litigators will find few statutory causes of action. Most statutes governing data breaches ban the hacking and stealing of data, but do not govern the duties of the entity from which the data is stolen. Those in Pennsylvania that address protection of consumer data, such as 31 Pa. Code. Section 146a.1, are limited in scope to insurers. Otherwise, the law merely states, “an entity that maintains, stores or manages computerized data that includes personal information shall provide notice of any breach of the security of the system following discovery of the breach … to any resident of this commonwealth whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person.” See Breach of Personal Information Notification Act, Section 2303. Crucially, however, only the attorney general has the authority to bring an action against an entity in violation of the act. Thus the act provides little help to the attorney seeking to bring suit for her client by this cause of action.
Indirectly, notice laws may still be of benefit when bringing common law claims. The court in In re Marriott International differentiated this case from past cases in which the plaintiffs’ claims failed because they did not establish that the data was stolen for the purpose of identity theft or misuse of their information. By sending out notification of a criminal breach in accordance with the notification laws of the state, Marriott recognized and admitted to the data breach by identity thieves. The court took this admission as sufficient evidence that the information was stolen for such purposes. This enabled Plaintiffs to allege the injury-in-fact required for Article III standing.
Unfortunately for litigators seeking to bring suit for data breaches, common law and statutory law have not kept up with the machinations of hackers, identity thieves and other cyber criminals. In order to increase one’s chances of success in such challenging suits, it is critical to establish standing under Article III by demonstrating the theft of consequential information and arguing for imminent harm (if actual harm has not already occurred). In Pennsylvania, litigators would also do well to move under a negligence claim, since this cause of action has been better received here than in other jurisdictions. While the law continues to lag behind the land when it comes to data breaches, more recent decisions throughout the country indicate that it will not do so for long.
Edward T. Kang is the managing member of Kang Haggerty LLC. He devotes the majority of his practice to business litigation and other litigation involving business entities.
Reprinted with permission from the November 25, 2020 edition of “The Legal Intelligencer” © 2020 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited, contact 877-257-3382 or reprints@alm.com.