Criminal Defense Blog

Are you a business that has had a data breach? Will your customers be able to sue you?

Class actions for damages resulting from a data breach are difficult to win unless there is an identifiable harm. Once again, a court has determined that the mere loss of data is not sufficient to confer standing (Chambliss v. CareFirst, Inc., No. RDB-15-2288 [D. MD., May 27, 2016]). With the decision in Chambliss, Maryland now joins D.C., Nevada, New Jersey, Louisiana, Ohio, Illinois and Minnesota in taking the stance that mere loss of data does not give a party standing. In the context of hacking in a data breach class action, mere misuse of a person’s data is not enough to give them standing.

In Chambliss, the court determined the plaintiffs lacked standing because they failed to allege a sufficient injury to satisfy Article III of the Constitution. To obtain standing, there must be a showing of misuse and of how the misuse of the stolen data would harm the victim. Harm may be shown by offering evidence of fraudulent charges stemming from information being stolen or by showing that the stolen data is on the internet. The Chambliss court cites In re Adobe, which found that when data is stolen and is already on the internet, plaintiffs have standing because the risk of the harm is immediate and very real. A plaintiff is not required to wait until they suffer identity theft or credit card fraud to have standing; instead, the misuse of the data only needs to be certainly impending.

Moreover, the type of data that is stolen impacts the court’s determination of whether a plaintiff may have standing. Information such as social security numbers, credit and debit card numbers, expiration dates, and other information required to use the cards, which may easily be used in fraudulent transactions or for which it may easily be alleged that hackers already misused the data, is sufficient to show that the risk of future harm is identifiable and realistic. In Chambliss, standing was not conferred, in part because it was not apparent how a potential hacker would use the stolen information (customers’ names, birth dates, email addresses, and subscriber identification numbers).

The Chambliss court further stated that mitigation costs, such as paying for credit monitoring, are considered self-inflicted harm if they are based on fears of “hypothetical future harm that is not certainly impending” and are insufficient to establish that the plaintiff has standing. The logic behind this finding is that permitting a party to secure standing by simply buying insurance based on fear would impermissibly allow a party to secure standing through a standard lower than required by Article III of the Constitution. In order for a mitigating cost to be considered an injury, harm must be “certainly impending” and the cost must be used to mitigate the risk of such harm.

Next, the court addressed the issue of whether the benefit of the bargain loss theory is applicable to data breach cases. For the bargain loss theory to apply, a plaintiff must show that the value of the good or service they purchased was diminished as a result of the breach and that the price paid by the plaintiff included some form of protection of which the plaintiff and the defendant were aware. The plaintiffs in Chambliss failed to make any allegations about how the data breach diminished the value of the health insurance they purchased from CareFirst. Furthermore, the plaintiffs failed to make any factual allegations about how the prices they initially paid for the health insurance incorporated a sum that would be used for data security and that both the purchaser and the insurance company understood this.

Another avenue a plaintiff may use to attempt to establish standing is to show a decreased value of personal information. Courts have not determined whether personal information has monetary value. However, the court stated that even if the courts did determine personal information had inherent value, the plaintiff has the burden to show that the price of their information, which they tried to sell, had diminished. The Chambliss court did not determine whether the plaintiffs’ personal information had value because the plaintiffs failed to allege that they tried to sell the information.

For a business that has to evaluate the business aspects of a data breach, it is important to understand the current legal landscape and the potential liability. Data breach class actions are still new, and currently the trend is that plaintiffs in a class action will have an uphill battle in order to establish that they have standing. Plaintiffs, generally, may have a multitude of different approaches to attempt to establish they have standing to bring a lawsuit. However, in the case of data which is not sensitive, such as data that does not contain social security numbers, credit or debit card numbers, and expiration dates for such cards, plaintiffs will have to show that the data stolen has been misused or there is a “substantial risk that the harm will occur.” Where a significant period of time has elapsed and no harm has occurred, allegations of harm are merely speculative. Further, plaintiffs will not be able to solely use mitigation costs as a way to establish standing if injury is not “certainly imminent”. Also, if a plaintiff attempts to utilize the theory of bargain loss to obtain standing, they must show that the value of the goods or service they purchased diminished as a result of the data breach and that the price they paid for the good or service included an amount specifically for data security. In fact, it is unclear if courts will even find that personal information has monetary value. In short, in a data breach class action, the burden on the plaintiff is higher if non-sensitive information is involved but less so in situations where there is sensitive personal information.

Andrew Ko assisted in writing this blog post. For more information, contact Danielle Holley. She can be reached at (518) 462-5601 or via email at dholley@oalaw.com.
