Why (most) consumer data breach class actions vs Target are doomed
Who doesn’t empathize with the 70 million Target customers whose private information was supposedly hacked? No one likes to worry about identity theft and impaired credit ratings, the odds of which, according to Reuters, drastically increase for data breach victims. But that doesn’t mean Target customers have a cause of action in federal court. I don’t see how the vast majority of hacked Target shoppers can get past the threshold constitutional requirement that they show an actual injury, at least under the U.S. Supreme Court’s 2013 definition of injury in Clapper v. Amnesty International.
I’m not saying Target faces no litigation exposure for the data breach. Some of the new cases against the company are class actions by financial institutions that had to bear the cost of notifying customers about compromised debit cards, closing customer accounts and reissuing new cards. Those cases involve real-money claims that will be tough for the company to fend off with threshold defenses. So too will be suits by state attorneys general making claims in state court under state consumer protection laws (assuming, of course, that the Supreme Court does not hold that state AG suits have to be litigated in federal court in this term’s Mississippi v. AU Optronics case). And depending on the facts that emerge about Target’s disclosure decisions, Target shareholders may have viable class action claims that the company engaged in misrepresentation-by-omission.
Customers, however, are a different story, thanks to what I predict will be a fatal intersection between the 2013 Clapper decision and the Class Action Fairness Act.
CAFA, as the class action law is known, requires that class actions involving more than 100 people and claims of more than $5 million be litigated in federal court, even if they assert only state laws. Target will almost certainly be able to remove all of the consumer class actions stemming from the data breach to federal court. It’s also a near certainty that the suits will be consolidated into a multidistrict litigation, in which a single federal judge will decide pretrial motions. Target’s first substantive motion in the consolidated litigation, you can be sure, will be an argument that the privacy breach cases must be dismissed because consumers do not have standing, under Article III of the U.S. Constitution, to sue in federal court because they can’t show they’ve been injured.
That’s where the Clapper decision comes in. As I’ve explained in previous blog posts, the Clapper case involved allegations by human rights groups and public interest lawyers claiming that the National Security Agency’s warrantless wiretapping program violated their First and Fourth Amendment rights. The Supreme Court held that the human rights advocates did not have standing because they couldn’t show their communications with terrorism suspects were actually intercepted, only that they might have been. (That finding came before Edward Snowden’s revelations about the extent of NSA wiretapping.) The majority opinion in Clapper, written by Justice Samuel Alito, said that standing requirements can be met only by showing actual harm or “certainly impending” injury. Alito also said that plaintiffs can’t establish standing by spending money to ward off a feared injury. “If the law were otherwise, an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a non-paranoid fear,” he wrote. “(Plaintiffs) cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”
Soon after the Clapper decision came down, defense lawyers in privacy breach cases realized that the ruling’s definition of standing would be useful to them as well. (Kudos to the privacy team at Ropes & Gray, which was, I believe, the first to make a connection between Clapper and data breach class actions.) Under Clapper, the defense argument goes, consumers can’t establish standing based on either the possibility that their personal information may be misused or the costs they’ve incurred to monitor their credit reports for unauthorized charges. So far, federal trial judges have been receptive to these arguments in privacy breach litigation. I told you last September about the first two decisions that tossed privacy cases based on Clapper, one a case stemming from the breach of Barnes & Noble customer data, the other a class action accusing Sam’s Club of failing to institute adequate data protection protocols. The third Clappper-based dismissal of a privacy breach class action came late in December, when U.S. District Judge Noel Hillman of New Jersey tossed a case against several healthcare providers and a company that provides them with pharmaceutical dispensary software.
According to Judy Selby of Baker & Hostetler, whose firm represented one of the defendants in the New Jersey case (and who blogged about the ruling last week), no federal judge has so far rejected Clapper standing arguments in a privacy class action. “Without a real injury, there’s nothing (consumers) can do,” Selby told me. “Without jurisdiction, you’re done.” Especially because Target has already pledged to offer a year of credit-monitoring services to customers whose information was hacked, Selby said, consumers will have a very, very hard time showing enough of an injury to establish their right to sue in federal court.
There are still two live federal circuit court decisions to the contrary. In 2011, the 1st Circuit Court of Appeals held in Anderson v. Hannaford that grocery store customers could show they were injured by a data breach through the credit-monitoring costs they incurred. The following year, the 11th Circuit Court of Appeals found standing under somewhat distinct circumstances in Resnick v. Avmed. But both of those rulings predated Clapper, which would certainly seem to contradict the 1st Circuit’s reasoning on standing and mitigation costs. Whether the 1st and 11th Circuit decisions are still good law after Clapper is very much an open question.
There could well be some consumers victimized by identity theft after their personal information was stolen from Target, and perhaps they can show a strong enough link between the Target hacking and injuries they suffered from identity theft to establish Target’s liability. There may even be a class of identity theft victims with viable claims. The rest of Target’s customers, though, should be excluded from recovery – especially because Target has already promised to pay for credit-monitoring services for them.
I hope Target’s defense lawyers – including the privacy team at Ropes that first realized the impact in these cases of the Supreme Court’s holding in Clapper – stand firm and litigate the standing question, rather than caving in the face of a 70 million-member putative class. Retailers everywhere are watching, said data privacy lawyer Al Saikali of Shook, Hardy & Bacon, who has also blogged about the Target cases. Saikali said precedent is heavily in Target’s favor and the complaints against the company seem so far to be based on speculation. But if Target is forced to settle, he told me, every company that does business on the Internet should be worried. “Target is a very large company that undoubtedly had in place complex and sophisticated safeguards to protect against this type of a data breach, and from what we know so far, they notified affected individuals very quickly,” Saikali wrote at his blog. “If there is anything less than a dismissal or summary judgment entered in all of these cases, then the proverbial blood will be in the water and we can expect the floodgates of data breach litigation to open.”
For more of my posts, please go to WestlawNext Practitioner Insights