Is Article III Standing a Foregone Conclusion in Privacy and Data Breach Class Actions?
On August 30, 2017, The Honorable Judge Koh of the United States District Court for the Northern District of California issued a decision denying in part defendant Yahoo’s motion to dismiss a consolidated class action involving three data breaches in which hackers accessed the private information of over 1 billion Yahoo users. In Re Yahoo! Inc. Customer Data Security Breach Litigation, Case No. 16-MD-02752, Docket No. 132 (N.D. Cal. Aug. 30, 2017).
Yahoo argued that plaintiffs lacked standing because they did not suffer a concrete injury. The Court disagreed, holding that plaintiffs sufficiently alleged injury from (1) the increased risk of future identity theft and (2) the loss of value of their personal identifying information. Although some plaintiffs also alleged that they were harmed because they incurred out of pocket expenses in response to the breaches, or because their stolen information already had been used, the Court concluded that such completed harms were not necessary to establish standing. Instead, citing decisions of the Sixth, Seventh, and Ninth Circuits, the court found that plaintiffs’ allegations of future harm were sufficient. The Court also held that the potential existence of other data breaches or causes for plaintiffs’ injuries had no effect on plaintiffs’ standing to sue Yahoo.
The decision highlights that the bar for alleging Article III standing in data breach and privacy violation cases appears low because the very nature of the violation – theft of personal identifying information – is harmful in of itself, even if the stolen data is never used, and that the two forms of future harm that are always likely to exist are the increased risk of identity theft and the reduction in value of personal identifying information.
You can read the entire 93-page decision here.