In February, we wrote about how the road for plaintiffs in cyber breach class actions may be getting smoother.  Since then, the U.S. Supreme Court has continued to avoid the issue of standing in data breach cases (declining to take up the issue in CareFirst, Inc. v. Attias, 138 S. Ct. 981 (2018)), but the Circuit courts and the California legislature have handed plaintiffs a few significant victories.

In March, the Ninth Circuit decided In re Zappos.com, Inc., 888 F.3d 1020 (9th Cir. 2018), reversing the district court’s dismissal of plaintiffs’ claims for lack of standing.  Plaintiffs claimed that they were harmed when hackers allegedly stole more than 24 million customers’ names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information.  Id. at 1023.  Plaintiffs did not allege that they had already suffered financial losses as a result of the data breach; rather, the appeal concerned “claims based on the hacking incident itself, not any subsequent illegal activity.”  Id.  The court found that “the sensitivity of the stolen data in this case . . . gave hackers the means to commit fraud or identity theft” even though plaintiffs’ social security numbers were not compromised.  Id. at 1027.

In April, plaintiffs racked up another win when the Seventh Circuit reversed the district court’s dismissal of plaintiffs’ claims for failing to adequately plead damages in Dieffenbach v. Barnes & Noble, 887 F.3d 826 (7th Cir. 2018).  Hackers had allegedly compromised the company’s PIN pads, stealing information like customers’ names, card numbers and expiration dates, and PINs.  Plaintiffs claimed they temporarily lost funds while trying to reverse unauthorized charges, spent money on credit-monitoring services, and lost time trying to change their account numbers.  Id. at 827.  The Seventh Circuit held that pleading does not require detail about the nature of the plaintiff’s injury or require plaintiffs to identify items of loss.  Id. at 828.  The court reasoned that plaintiffs had standing because of the payments made for credit-monitoring services, the unauthorized withdrawals (even when the money was later restored), and the “value of one’s own time needed to set things straight.”  Id.

Finally, in June, the Fourth Circuit decided Hutton v. National Board of Examiners in Optometry, Inc., 892 F.3d 613 (4th Cir. 2018).  Plaintiffs had alleged that their personal information—including their names, social security numbers, birthdates, addresses, and credit card information—was compromised in a breach of defendant’s systems.  The lower court dismissed plaintiffs’ claims, finding no standing for plaintiffs who claimed they were harmed by the threat of future identity theft.  The Fourth Circuit reversed on the basis that plaintiffs had “already suffered actual harm in the form of identity theft and credit card fraud,” through unsolicited credit cards applied for using their information and alerts that their credit score had decreased.  Id. at 622.

While plaintiffs were winning standing arguments in appellate courts, the California legislature provided some potentially significant statutory assistance.  In June, California enacted The California Consumer Privacy Act of 2018 (“the Act”), creating a private right of action for California residents whose personal information is subject to unauthorized access due to a company’s failure to implement and maintain reasonable cybersecurity measures.  To enforce those rights, California residents would be able to sue to recover statutory damages starting at $100 and not to exceed $750 per California resident per incident, or they could recover their actual damages, whichever is greater.  The Act does not go into effect until January 1, 2020, so we will have to wait and see what the final legislation looks like when effective, and whether other states follow suit.

Congress, however, may have recently provided defendants with a new argument against standing.  Effective September 21, 2018, the Economic Growth, Regulatory Relief and Consumer Protection Act will allow consumers to freeze their credit at no charge nationwide, which in some cases may negate the only economic damage that data breach plaintiffs may have suffered, thereby undermining their standing argument.

As we have said here before, the increasing public outcry over large-scale data breaches has resulted in regulators, politicians, and consumers calling for more accountability from companies that have experienced major hacks, and that may be having an effect on how courts and legislatures are treating standing issues in these kinds of cases.

The authors gratefully acknowledge the assistance of summer associate Catherine Martinez in preparing this entry.