Time for defendants to reassess risk in data breach class actions?
Based on sheer numbers of people affected, I doubt there’s any litigation bigger than data breach class actions. Information on hundreds of millions of consumers has been exposed by hackers who overcame corporate cyber-defenses at banks and retailers such as JPMorgan Chase, Home Depot and eBay. That’s an awful lot of plaintiffs for privacy breach defendants to face.
For the past two years, corporations have had a very effective way to get out of these cases early. As I’ve told you in a bunch of previous posts, data breach defendants were quick to capitalize on the U.S. Supreme Court’s 2013 decision in Clapper v. Amnesty International, which tweaked the criteria for standing to sue in federal court. (The vast majority of big class actions are litigated in federal court under the Class Action Fairness Act of 2005.) In Clapper, the justices said that Article III of the U.S. Constitution requires plaintiffs in federal court to allege an actual or “certainly impending” threat of injury from the defendant’s conduct. Plaintiffs can’t establish standing by speculating that they might be harmed in the future, according to the Supreme Court opinion, nor even by showing that they spent time and money to ward off that potential harm.
Since Clapper, more than a half-dozen federal judges have dismissed data breach class actions, concluding that consumers don’t have constitutional standing to sue just because their personal data was compromised. Last January, after Target disclosed that hackers had stolen information on tens of millions of its customers, I predicted that Clapper would also spell doom for consumer class actions against the retailer.
I turned out to be completely wrong – and that’s making me question whether I’ve been too quick to assume that data privacy class actions are more of a nuisance than a real risk for hacked companies.
Last month, U.S. District Judge Paul Magnuson of Minnesota ruled that consumers can move forward with their nationwide class action against Target. (The judge did dismiss some state-law claims against the retailer. He previously denied Target’s motion to dismiss a parallel class action by financial institutions suing over the cost of replacing customers’ credit and debit cards.) Magnuson said class counsel at Heins Mills & Olson had provided sufficient allegations that name plaintiffs suffered actual harm from the compromise of their personal information, including “unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees.” Those claims were enough to establish their constitutional right to sue in federal court, according to Magnuson.
The Target decision doesn’t do much to clarify the law on Article III standing in data breach class actions. Judge Magnuson disposed of the issue in a mere few paragraphs. He didn’t so much as mention Clapper v. Amnesty International, even though Target’s motion to dismiss and the class memo in opposition each devote many pages to discussing Clapper’s impact on the case. (The judge instead referred in his analysis of constitutional standing to the 1992 Supreme Court case Lujan v. Defenders of Wildlife.) In that regard, Magnuson’s Target opinion is a missed opportunity to use one of the biggest data breach cases in the courts to shape precedent.
But the ruling certainly shows that plaintiffs’ lawyers in privacy class actions should pick name representatives carefully. Target’s lawyers at Ropes & Gray had argued that half of the more than 100 named plaintiffs in this case hadn’t even alleged any actual injury. Magnuson focused instead on the complaint’s allegations of the concrete harm the data breach caused in other plaintiffs’ finances. Heins Mills deserves credit for a smart, strategic pleading that anticipated Target’s standing defense.
Magnuson, moreover, is at least the fourth federal judge to find that Clapper doesn’t preclude standing for data breach class action plaintiffs. (I incorrectly reported last month that only one privacy class action ruling before Target distinguished Clapper.) Judges presiding over cases against Sony (for a previous hack of its gaming system data), Michaels Stores and Adobe Systems all permitted class actions to proceed to discovery despite defense challenges under Clapper to the plaintiffs’ constitutional standing to sue. More judges have gone the other way, as Target documents in its filings before Judge Magnuson. But the tally isn’t as lopsided as it used to be.
And that means additional risk for data breach defendants. As Magnuson said in his opinion, Target can still argue on summary judgment that the plaintiffs don’t have standing. The retailer can also, of course, contest the certification of a class of consumers who haven’t all suffered the same supposed harm. The reality of leverage in class actions, however, is that when defendants lose a motion to dismiss, they start to think more seriously about settling. Sony, for instance, agreed earlier this year to pay $15 million to settle a class action over the PlayStation hack after its dismissal motion was denied last January. Think about it: If Target owes just $1 to everyone supposedly affected by the compromise of its systems, the class action is a $100 million case.
Proskauer partner Margaret Dale, who specializes in privacy litigation defense but is not involved in the Target case, said Magnuson’s decision suggests that as class action lawyers learn to draft complaints to get past challenges to plaintiffs’ standing, data breach cases will be harder for defendants to dispose of quickly. “I think these cases are going to go on a little longer and we’ll see more factual development,” she said. “That’s because of the ripening of this area of the law.” Defendants will still win quick dismissals of cases based on speculative abuse of customers’ information, Dale said, but good plaintiffs’ lawyers are going to choose named representatives who can claim the breach caused them actual harm.
Class counsel Vincent Esades of Heins Mills wasn’t immediately available for comment. Target counsel Douglas Meal of Ropes & Gray didn’t return my phone call.
For more of my posts, please go to WestlawNext Practitioner Insights