While some data breach victims will eventually sustain an ID theft, it is generally acknowledged that the vast majority will not. Accordingly, the direct damages sustained by ID theft victims are not very helpful in a class action — there are just not enough plaintiffs. Over the years, plaintiffs’ class action counsel have spent many hours trying to create a damages theory that would actually be common to all victims of a data breach event. The two theories that have gotten the most class action traction are based on “fear of ID theft” or “lost time and effort” allegations. Unfortunately — for plaintiffs’ counsel, that is — neither theory really fits the bill.
Damages Based on the “Fear of ID Theft”
Plaintiffs’ class action counsel chasing down data breach events have generally been unsuccessful in pursuing claims based solely on the “fear of identity theft” or related incidental damages. Although Ruiz v. Gap, Inc. instructs us there may be an outside chance of surviving a motion to dismiss, a defendant’s summary judgment motion will eventually kill any claim brought by those who have not actually sustained theft of their identities. In effect, an actual incidence of ID theft – which after a breach can take quite a while to happen – has become the de facto precursor to compensable damages.
Despite what some plaintiffs’ counsel have said after the standing ruling in Krottner v. Starbucks, Nos. 09-35823 and 35824 (9th Cir., Dec. 14, 2010), nothing has really changed this dynamic. In fact, as shown in Ruiz and other cases cited below, Krottner is not even the first court to rule federal standing exists for “fear of identity theft” claims.
By way of background, employees at Starbucks sued the company after the October 29, 2008 theft of a laptop computer containing “names, addresses, and social security numbers of approximately 97,000 Starbucks employees.” Id. The trial court had previously dismissed the case, finding that Washington law doesn’t recognize a cause of action where the only financial damage is “risk of future harm.” The trial court also found insufficient facts to carry an implied contract claim.
In a pair of rulings issued last month, the Ninth Circuit agreed with the lower court and affirmed dismissal of the action given that, under Washington law, “actual loss or damage is an essential element” of a negligence claim. This opinion on the merits was not approved for publication.
It is the standing ruling – which was actually approved for publication – that has excited some in the data breach litigation business. The Ninth Circuit ruled [insert big yawn here] plaintiffs had Article III standing given that “‘generalized anxiety and stress’ as a result of [a data breach] is sufficient to confer standing”. It is very important to note that the court, quoting from Equity Lifestyle Props., Inc. v. County of San Luis Obispo, 548 F.3d 1184, 1189 n.10 (9th Cir. 2008), recognized as a threshold matter that “[t]he jurisdictional question of standing precedes, and does not require, analysis of the merits.” In other words, with jurisdictional standing you can reach the federal courthouse but once inside, you still need to prove your case – something plaintiffs here were unable to do given they lost at the district court level and on appeal.
In reaching its decision, the Ninth Circuit cites to cases on both sides of the issue. Compare Doe v. Chao, 540 U.S. 614, 617-18, 624-25 (2004) (suggesting that a plaintiff who allegedly “was ‘torn . . . all to pieces’ and ‘was greatly concerned and worried’ because of the disclosure of his Social Security number and its potentially ‘devastating’ consequences” had no cause of action under the Privacy Act, but nonetheless had standing under Article III) and Pisciotta v. Old National Bancorp, 499 F.3d 629, 634 (7th Cir. 2007) (holding that plaintiffs whose data had been stolen but had not yet been misused suffered an injury-in-fact sufficient to confer Article III standing) with Lambert v. Hartman, 517 F.3d 433, 437 (6th Cir. 2008) (although plaintiff’s actual financial injuries resulting from the theft of her personal data were sufficient to confer standing, the risk of future identity theft was “somewhat ‘hypothetical’ and ‘conjectural.’”).
Looking to exploit its Pyrrhic victory, plaintiffs’ counsel deftly uses the December 15, 2010 standing decision to solicit Starbucks employees who may have actually sustained an ID theft:
[We] received a favorable precedential opinion from the United States Court of Appeals for the Ninth Circuit in Krottner v. Starbucks Corporation, No. 09-35823. In the opinion, the Ninth Circuit judges held that plaintiffs whose personal information had been stolen, but not misused, had standing to bring their case in federal court. The opinion held on the facts before it that the increased risk of future harm from identity theft was a credible enough treat [sic] to provide an injury-in-fact for Article III standing…
If you have any information regarding the Starbucks data breach, or if you believe you have been affected by the data breach and would like to discuss your rights and interests in this matter, please contact our Washington D.C. office.
Damages Based on “Lost Time and Effort”
Thankfully (for defendants), there is no compelling precedent that expressly recognizes negligence or contract damages derived solely from the time and effort spent to remediate an alleged wrongdoing. Although mitigation damages are sometimes awarded in addition to other damages, such damages generally never rest as the sole measure of injury in either a negligence or contract setting. This general rule manifests as the “economic loss rule” in some jurisdictions (used to bar recovery in negligence when the only loss is pecuniary) or is simply bolted on to the concept of damages in other jurisdictions.
Seeking to resolve a “lost time and effort” argument made by plaintiffs in a very public data breach context, on November 24, 2009, Judge D. Brock Hornby, the federal district judge in Maine presiding over the Hannaford Bros. data breach litigation, certified the following question to the Maine Supreme Court:
In the absence of physical harm or economic loss or identity theft, do time and effort alone, spent in a reasonable effort to avoid or remediate reasonably foreseeable harm, constitute a cognizable injury for which damages may be recovered under Maine law of negligence and/or implied contract?
See In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 671 F. Supp. 2d 198, 201 (D. Me. 2009).
On September 21, 2010, the Maine Supreme Court answered this question in the negative. Relying on longstanding law, Maine’s highest court responded to Judge Hornby without equivocation: “[Maine case law] does not recognize the expenditure of time and effort alone as a harm.” In re Hannaford Bros. Co. Customer Data Sec. Breach Litig., 4 A.3d 492 (Me. 2010). Rejecting a “mitigation of damages” argument that would elevate expended time and effort to the status of a compensable legal injury, the court ruled, “[u]nless the plaintiffs’ loss of time reflects a corresponding loss of earnings or earning opportunities, it is not a cognizable injury under Maine law of negligence.” Id. And, given that “the time and effort expended by the plaintiffs here represent ‘the ordinary frustrations and inconveniences that everyone confronts in daily life,’” damages were also not available under the implied contract claim. Id. (quoting lower court).
Although other courts have made passing comments regarding the relevance of “lost time” as the sole measure of harm, the Maine Supreme Court decision is the only decision on all fours within a data breach context. Id. (“In other cases, a passing mention of loss of time without adequate facts to demonstrate how those damages were being measured is insufficient to persuade us that the expenditure of time and effort alone is a harm recoverable in negligence.”) (citing Kuhn v. Capital One Fin. Corp., No. 05-P-810, 2006 WL 3007931, at *3 (Mass. App. Ct. Oct. 23, 2006); Freeman v. Missouri Pac. Ry. Co., 167 P. 1062, 1063-65 (Kan. 1917)).
Even if a future court found these damages standing alone somehow compensable, there exists another barrier that would likely stymie future class certification motions relying on this damages theory — courts would have a tough time finding an efficient means of determining on a class-wide basis the value of a plaintiff’s “time and effort”. Although courts have recognized that the need for individualized proof of damages is not per se an obstacle to class certification, the measure of a plaintiff’s relative “time and effort” would likely not predominate any data breach putative class.
To the extent such thorny class certification issues would possibly resolve differently among the federal circuits, the U.S. Supreme Court may soon add some needed clarity. On December 6, 2010, the Court agreed to review the April 27, 2010 decision by the U.S. Court of Appeals for the Ninth Circuit granting class certification in the massive Wal-Mart sexual discrimination case. See Dukes v. Wal-Mart Stores, Inc., 603 F.3d 571 (9th Cir. 2010), cert. granted, Wal-Mart Stores, Inc. v. Dukes, 178 L. Ed. 2d 530 (2010) (“Petition for writ of certiorari to the United States Court of Appeals for the Ninth Circuit granted limited to Question I presented by the petition. In addition to Question I, the parties are directed to brief and argue the following question: ‘Whether the class certification ordered under Rule 23(b)(2) was consistent with Rule 23(a).’”) (emphasis added).
Although named plaintiffs in the Wal-Mart case “waived any claim for compensatory damages, forfeiting the rights of individual class members to recover damages authorized by Congress solely in order to facilitate class treatment”, an important commonality ruling remains likely given the Court specifically requested that the parties brief the applicability of Federal Rule of Civil Procedure 23(a). See Petitioners’ Brief at 35, dated January 20, 2011. One way or the other, the Supreme Court’s decision in Wal-Mart will impact the class action landscape – including the potential landscape surrounding breach class action suits.
Data Breach Class Action Suits — Will the Floodgates Ever Open?
It may not arrive this year or next but the time will likely eventually come when class actions are routinely certified after a significant data breach. As discussed above, these future certified class actions will not likely derive from courts applying a new and improved “fear of” or “lost time” damages theory. Moreover, this shift certainly won’t happen using a newly varnished claim theory based on lost chattel, conversion, or a constructive bailment.
In part two of this post, I’ll outline the one data breach claim that will very likely eventually clog the class action dockets of judges throughout the country.