On The Case

D.C. judge: No actual damages, no claims for data breach victims

If you believe the 9th U.S. Circuit Court of Appeals in 2018’s In re, federal appellate courts have reached a near-consensus in the past few years about whether the victims of corporate data breaches meet constitutional requirements to sue. With the exception of a few outlier decisions that are distinguishable for unusual facts, the 9th Circuit said in Zappos, the circuits courts now agree that plaintiffs need only allege an increased risk of identity theft to establish their constitutional right to sue the businesses that left their personal information vulnerable to hackers.

Zappos disputes this supposed consensus and has asked the U.S. Supreme Court to resolve the question of constitutional standing for data breach victims whose information has not been misused. The justices scheduled the Zappos petition for its conference last December but are apparently holding the case until they decide what to do about the standing issues in Frank v. Gaos, a case in which the court ordered additional post-argument briefing on whether class members claiming violations of the Stored Communications Act have a right to sue.

Want more On the Case? Listen to the On the Case podcast.

But unless and until the Supreme Court decides to wade into standing in data breach cases, plaintiffs in at least five federal circuits – including the 3rd, 6th, 7th, 9th and D.C. Circuits – don’t have to worry about their right to sue. If their sensitive personal data was breached, they have constitutional standing.

That’s just the first obstacle, though. And a ruling last week by U.S. District Judge Christopher Cooper of Washington, D.C., in a data breach class action against the health insurer CareFirst shows that defendants can successfully repurpose arguments about plaintiffs’ inability to show actual damages to get cases tossed.

Judge Cooper initially dismissed the CareFirst class action in 2016, finding that plaintiffs didn’t have standing because they hadn’t alleged their stolen information was actually misused. In 2017, the case was revived by the D.C. Circuit, which said the threat of identity theft is adequately substantial and concrete to meet constitutional standing requirements. CareFirst’s lawyers at Eversheds Sutherland petitioned the Supreme Court to take up the issue of standing in data breach litigation but the justices declined.

On remand to Judge Cooper, Eversheds dusted off its old arguments about plaintiffs’ inability to cite specific allegations about how their data was supposedly misused – except that this time, the dismissal motion was framed as a failure to state a claim rather than a failure to establish constitutional standing. “The breach occurred more than 1,400 days ago and plaintiffs’ alleged damages remain entirely speculative,” the dismissal memo said. “Plaintiffs must plead a tangible injury or loss of some form to sustain most of their causes of action. Yet plaintiffs plead none. No plaintiff alleges specific facts about how he or she has been damaged. Plaintiffs offer only generic statements that their impending harms include time spent ‘to protect themselves’ and costs associated with identity theft, credit monitoring, and damage assessment services and non-specific ‘mental and emotional pain and suffering and anguish’ as a result of the cyberattack.”

Judge Cooper mostly agreed, in a thoughtful opinion that analyzes recent developments in data breach litigation. (“The court acknowledges the difficulty of applying traditional tort and contract principles in the contemporary context of data security,” he wrote. “It also recognizes that courts across the country have divided on a number of important legal issues that frequently arise in data breach litigation.”)

The judge specifically pointed out that allegations sufficient to establish standing don’t necessarily amount to an adequate claim for damages, as, he said, the 9th Circuit held in the landmark 2010 decision in Krottner v. Starbucks, one of the first rulings to address standing for victims of data theft. In the CareFirst case, Judge Cooper said, only two of the named plaintiffs, a Maryland couple who allege they were the victims of tax refund fraud, claim to have experienced a specific economic injury from the 2014 theft of CareFirst data. Under D.C. precedent, the judge said, the risk of economic harm isn’t enough to make out a claim for negligence or breach of duty.

The plaintiffs offered alternative damages theories: They lost the “benefit of the bargain” they struck in purchasing policies that purported to protect their confidential information; they suffered consequential damages, such as the cost of purchasing credit monitoring services, after the hack occurred; or they suffered emotional distress. Judge Cooper, citing rulings from colleagues in D.C. federal court rejected those theories, though he acknowledged that other courts have gone the other way.

That’s particularly true when it comes to allegations that plaintiffs can claim damages based on overpayment for services that didn’t live up to security promises. Plaintiffs’ lawyers at Nidel & Nace, Paulson & Nace and the Giatras Law Firm contended that the trend in data breach litigation is toward acknowledging these “benefit of the bargain” injuries. In the Yahoo and Anthem cases, for instance, U.S. District Judge Lucy Koh of San Jose – a leading judge on data breach class actions – agreed that plaintiffs adequately alleged economic injuries from paying for data protection they didn’t receive.

Judge Koh’s reasoning failed to sway Judge Cooper. “Trend or no across the country, the court declines to go beyond the decisions of its fellow (D.C.) courts … in the absence of controlling law from the District of Columbia Court of Appeals, especially because the standard for alleging actual damages is generally higher than that for plausibly alleging an injury-in-fact,” the judge wrote.

Judge Cooper similarly broke with judges in other major data breach class actions on the question of whether defendants have a common-law duty, in addition to a contractual obligation, to safeguard customer data. CareFirst asserted that its customers cannot claim negligence, fraud or other torts based on a breach of the insurer’s contractual duty. As Judge Cooper acknowledged, many federal courts have held that defendants have a basic responsibility to protect customer data and can be liable for negligence when they fail to exercise that responsibility. Judges have allowed data breach class actions against Sony, Arby’s, Home Depot and Target to move forward under that theory. But the judge found reasons to distinguish the facts in those cases from those alleged against CareFirst, which isn’t accused, for instance, of specifically ignoring warnings about data security or of affirmatively acting to weaken data protections.

In the end, Judge Cooper left standing only a breach of contract claim and a Maryland consumer protection claim by the couple who claimed their stolen data was used in a tax refund fraud.

It’s not clear whether plaintiffs whose claims were entirely dismissed can quickly appeal Judge Cooper’s ruling or must ask for an interlocutory appeal. I reached out to Jonathan and Christopher Nace but didn’t hear back. CareFirst counsel Matt Gatewood declined to comment.