In a Data-Breach Lawsuit, Can Plaintiffs Use a Company’s Data Breach Notice to Establish Standing?
Ellis & Winters
We’ve discussed before challenges faced by plaintiffs in establishing Article III standing when they sue companies after a data breach, and some of the novel theories they’ve used to clear the Article III hurdle.
Today’s post looks at the latest one of these theories.
When a business suffers a data breach, state laws require the business to send a notice to affected individuals. Those laws typically prescribe the contents of the required notice—sometimes in detail. North Carolina’s data breach notification statute, for instance, requires the notice to include “[a]dvice that directs the person to remain vigilant by reviewing account statements and monitoring free credit reports.”
An interesting new decision from a federal court in California called Brett v. Brooks Brothers examines how this advice—which one might read as tacitly acknowledging that breaches create a risk of future fraud and identity theft—can affect a court’s standing analysis.
A Data Breach that Hits Close to Home
Brett involved a 2016 incident likely to rattle repp tie-clad lawyers everywhere: a hack of the Brooks Brothers clothing store chain’s in-store point-of-sale systems. For a yearlong period, thieves used malware to steal customers’ names and payment card data, and information about which stores and at what time the customers’ transactions took place.
After discovering the breach, Brooks Brothers notified its customers. The notice included standard language about what customers could do to protect themselves:
In order to help protect themselves, we recommend that customers review credit and debit card statements as soon as possible to determine if there are any discrepancies or unusual activity listed. We urge customers to remain vigilant and continue to monitor statements for unusual activity going forward. . . .
Although this incident did not include Social Security numbers, addresses, or other sensitive personal information, as a general practice we recommend that you carefully check credit reports for accounts you did not open or for inquiries from creditors you did not initiate.
After learning of the breach, the plaintiffs—California customers—sued Brooks Brothers on behalf of a nationwide class. Their complaint alleged that Brooks Brothers failed to use reasonable safeguards to protect their personal information, exposing them to a risk of future harm from identity theft. The hackers, alleged the plaintiffs, could use their payment card information to make fraudulent purchases, and to commit identify theft by linking that information to other information about them.
Advice as an accidental admission?
Brooks Brothers moved to dismiss for lack of standing under Rule 12(b)(1), arguing that the plaintiffs could not establish an “injury-in-fact” sufficient to satisfy Article III. Because the compromised payment cards had been cancelled and no other sensitive information was stolen, explained Brooks Brothers, the plaintiffs could not show a “substantial risk” of future harm as required under the Supreme Court’s decision in Clapper v. Amnesty International.
In response, the plaintiffs pointed to Brooks Brothers’ breach notice. The company, they argued, had itself acknowledged there was a substantial risk of harm by warning them to “remain vigilant and continue to monitor statements for unusual activity going forward” and to carefully check credit reports for unauthorized account openings and credit inquiries.
These statements, reasoned the plaintiffs, showed that the company understood the stolen information was sensitive enough to expose them to an imminent risk of identity theft—an injury-in-fact that satisfied Article III.
The Court’s Decision
The court sided with Brooks Brothers and dismissed the action for lack of standing.
Agreeing that the plaintiffs had failed to show an-injury-in fact, the court explained that the stolen information—limited to information related to payment cards that had already been cancelled—was not sensitive enough to show a credible threat of future harm. In so doing, it distinguished the Ninth Circuit’s data-breach standing decisions in Krottner v. Starbucks and In re Zappos. Both cases found standing but involved other sensitive information such as social security numbers, account numbers and passwords, and billing and shipping addresses.
The court rejected the idea that Brooks Brothers had admitted a risk of future harm by including advice about how customers could protect themselves against fraud and identity theft in its breach notice. That advice, said the court, did not show an injury-in-fact, for two reasons.
First, explained the court, California’s data breach notification statute specifically required the company to include information in its breach notice about how the customers could protect themselves. The court declined to interpret this “bare statutory compliance” as an admission of future harm.
Second, the court observed that accepting the plaintiffs’ argument would encourage undesirable behavior by breached companies. Instead of giving individuals useful information about how to protect themselves, companies would have an incentive to provide “vague or misleading disclaimers to customers affected by a data breach in an attempt to avoid litigation.”
Lessons for Litigants
Brett comes as a somewhat rare—but certainly welcome—win for the defense bar in the Ninth Circuit, whose courts have generally been more willing to find standing in data-breach cases.
The case should also give some comfort to breached companies that complying with the already-onerous task of notifying affected individuals won’t compromise key legal arguments when those individuals later sue.
Author: Alex Pearce