The following Data Security Law Journal post was authored by Becky Schwartz, my law partner at Shook Hardy & Bacon. Becky is an experienced class action litigator who has developed a specialty in privacy litigation. In this post, Becky discusses a recent U.S. Supreme Court decision that may make it more difficult for consumers to sue companies that suffer data breaches. Special thanks to Becky for writing about this recent development in the law:
On February 26, 2013, the United States Supreme Court in Clapper v. Amnesty International confirmed a demanding threshold showing for plaintiffs suing based on increased risk of harm in privacy-related litigation. The decision effectively resolves a circuit split over the application of the Article III standing requirement in data breach cases. Plaintiffs must show that the threatened harm that establishes their standing to sue is “certainly impending,” not merely “possible.” Given that many consumers cannot plead or prove that exposure of their data has resulted, or will result, in identity theft or any other financial injury, the high court’s recent decision should prove very useful to companies seeking early dismissal of individual or class action data breach litigation.
Clapper involved issues of constitutional privacy arising out of a challenge to a 2008 amendment to the Foreign Intelligence Surveillance Act of 1978 (“FISA”), 50 U.S.C. §1881a. FISA allows the federal government to conduct surveillance on the electronic communications of non-U.S. persons located outside the United States, but only after obtaining approval from a Foreign Intelligence Surveillance Court (“FISC”). Plaintiffs in Clapper were several attorneys and human rights, labor, legal, and media organizations who sued to obtain a declaration that FISA is unconstitutional, and to obtain a prospective injunction against the surveillance on the grounds that it would encompass plaintiffs’ own sensitive international communications with individuals believed to be likely targets of the federal government.
Under the well-established Supreme Court precedent of Lujan v. Defenders of Wildlife, to establish Article III standing plaintiffs are required to show an “invasion of a legally protected interest” that is both “concrete and particularized” and “actual or imminent, not conjectural or hypothetical,” along with a causal connection between the injury alleged and the conduct complained of. The district court dismissed the Clapper complaint upon concluding that plaintiffs had failed to show the requisite “injury in fact” necessary to confer Article III standing. The Second Circuit reversed, holding that the injuries plaintiffs claimed were sufficiently concrete and imminent.
In the Supreme Court, the Clapper plaintiffs offered two arguments to support their claim of Article III standing. First, they argued that there was an “objectively reasonable likelihood” that their communications would be monitored under §1881a at some point in the future, thus satisfying the imminent injury requirement. Second, they claimed that in order to avoid having their confidential communications compromised by surveillance that might occur under §1881a, they had incurred actual harm by undertaking costly and burdensome measures, including international travel to conduct meetings in person, in order to avoid that surveillance.
The Supreme Court rejected both arguments. First, the Court held that any threatened injury sufficient to confer Article III standing must be “certainly impending,” not merely “possible.” It found that plaintiffs had not met this standard because their standing argument relied on a “speculative chain of possibilities,” including assumptions about the actions of an independent third party (in that case FISC) – actions that could not be predicted. The Court expressly refused to “endorse standing theories that rest on speculation about the decisions of independent actors.”
Plaintiffs’ second argument was equally ill-fated. The Court declined to accept the notion that plaintiffs could “manufacture standing by inflicting harm on themselves based on fear of hypothetical future harm that is not certainly impending.” Were it to do so, it noted, “an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear.”
Justice Alito wrote for the majority in this 5-4 decision.
Notwithstanding its particular focus on governmental intrusions into privacy, Clapper broadly reinforces a stringent Article III standing requirement applicable in every data breach case where plaintiffs purport to have standing based solely on an increased risk of future harm.
Companies facing data breach litigation can and should consider moving to dismiss the complaint on the grounds that plaintiffs lack Article III standing, and may rely on Clapper to argue that:
- The mere possibility that a third party criminal might someday misuse information obtained in a data breach is too speculative to demonstrate the “imminent” harm required to establish standing;
- The actions of third-party hackers and/or criminals are utterly unpredictable; any assertion of standing premised on the probable acts of such persons improperly assumes the existence of a criminal who has both the ability and the desire to act on information obtained by way of a security breach;
- Consumers cannot be permitted to “manufacture” standing for purposes of data breach litigation by voluntarily incurring costs to monitor their credit or otherwise guard against the mere possibility of harm that has yet to—and may never—materialize.
DISCLAIMER: The opinions expressed here represent those of Al Saikali or Rebecca Schwartz and not those of Shook, Hardy & Bacon, LLP or its clients. Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Rebecca Schwartz, Shook, Hardy & Bacon, or its clients. All of the data and information provided on this site is for informational purposes only. It is not legal advice nor should it be relied on as legal advice.