A recent District of Nevada ruling could cause issues for consumers in data breach class action cases moving forward. On June 1, 2015, the court ruled that a consumer class action against Zappos.com Inc. could not proceed because the class did not state “instances of actual identity theft or fraud.” The suit was brought as a result of a 2012 data breach where Zappos’ customers’ personal information was stolen, including names, passwords, addresses, and phone numbers. Even though the information was stolen, the court dismissed the case because the class could not prove that they had been materially harmed and had no other standing under Article III.
If a data breach has occurred, but the victims cannot claim any harm besides the fear that a hacker has their information, courts have been willing to grant defendants’ motions to dismiss. The ruling by the District of Nevada court is the most recent decision in a trend to block consumer class actions relating to data breaches. Many of these recent rulings have been influenced by the Supreme Court’s 2013 decision in Clapper v. Amnesty International USA. In Clapper, the Supreme Court held that claims of future injury could only satisfy the Article III standing requirement if the injury was “certainly impending” or if there was a “substantial risk” that the harm was going to occur. Unfortunately for the consumer class in the Zappos’ case this means that unless their stolen information has been used to harm them, the data breach alone is not enough standing to bring a suit.
However, some district courts have been able to find sufficient standing for data breach victims in spite of the Clapper decision. In Moyer v. Michaels Stores, a district court in the Northern District of Illinois ruled that data breach victims had standing to sue. The court relied on Pisciotta v. Old National Bancorp, a Seventh Circuit pre-Clapper decision, which held that the injury requirement could be satisfied by an increased risk of identity theft, even if there was no financial loss. Moyer further distinguished itself from Clapper by explaining that Clapper dealt with national security issues, and not general consumer data breaches. Other district courts have distinguished their cases from Clapper by holding that Clapper dealt with harm that was too speculative to quantify, while consumer data breach cases deal with the concrete possibility of identity theft.
Although Clapper set the tone for consumer data breach claims, district courts have been divided because of different interpretations in the ruling. The Supreme Court recently granted certiorari in another Article III standing case, Spokeo Inc. v. Robins Inc., which deals with a private right of action grounded in a violation of a federal statute. Although it does not directly deal with consumer data breaches, the decision may lead the Supreme Court to expand the standing requirements generally. Given society’s increasing use of technology and inclination to store personal information electronically, consumer data breach claims will only increase in the future. The courts’ standing requirements must adapt to meet the changing needs of individuals and businesses alike.