Newspaper headlines remain replete with stories about the latest data breach—and the lawsuits that often ensue. Just a few weeks ago, three different plaintiffs filed separate class actions against Yahoo! based upon an alleged theft of at least 500 million users’ email addresses, telephone numbers and birthdates. For these lawsuits and those likely in the next weeks, months and years, the pivotal analysis has come from and will continue to spring from the Supreme Court’s decision in Spokeo v. Robins.
The Spokeo Court made findings about what constitutes a concrete injury so as to address whether would-be “no injury” class actions are sufficient. The high court was asked whether a plaintiff who alleges a violation of a statute without alleging an injury-in-fact can withstand dismissal of his federal class action. Spokeo confirmed a plaintiff must plead more than a seemingly technical injury to remain in federal court, and held that so-called “no injury” class actions fail to pass muster. (You can read about the Spokeo decision here or find in-depth analysis here.)
Though Spokeo was not a lawsuit arising from a cyber breach, in its wake, federal courts have considered this analysis in data breach class actions.
In May, in Khan v. Children’s Nat'l Health Systems, a federal district court in Maryland tossed out a data breach class action on the grounds that a data breach alone, without showing a likelihood of the plaintiff’s data being misused, is insufficient to establish a concrete injury. The Maryland court also found that other theories of injury, such as a general loss of privacy, damage to the value of the plaintiff’s personal information, overpayment to a company for “privacy protection,” and bare violations of statutes, are insufficient to constitute a concrete injury.
Then, last month, the Sixth Circuit Court of Appeals, in Galaria v. Nationwide Mutual Insurance Co., held that a data breach plaintiff can establish a concrete injury by showing that there is an increased risk that data thieves intend to use plaintiff’s stolen data to commit identity theft or some other type of fraud.
As this analysis continues to develop, it is imperative to keep a close eye on the post-Spokeo line of cases. If your company’s e-mail system is breached, with personal information getting out, but the information is not affirmatively used to your employees’ detriment, can they still file a class action? If not, beyond the mere breach, what else is required? Spokeo was meant to guide the answers to such questions, but it remains to be seen how lower courts rule on novel or inventive pleadings and arguments of data or cyber breach injury. What is considered “an injury” will greatly affect the outlook for your company if or when it finds itself involved in a data breach class action.