Burns v. Mammoth Media: What does it take to meet the injury in fact requirement in data-breach class actions?
Courts continue to grapple with the threshold question of when plaintiffs in data-breach class actions have suffered an injury in fact sufficient to establish Article III standing. Judge Dean Pregerson in the Central District of California recently helped to resolve some issues in a particularly informative opinion dismissing a putative data-breach class action for lack of standing: Burns v. Mammoth Media, Inc. There, Judge Pregerson found insufficient the plaintiff’s allegations that a breach involving the plaintiff’s information would lead to (1) an increased risk of identity theft and (2) a decrease in “inherent value” of the plaintiff’s personal information. Defendants in data breach cases will be able to rely upon this helpful decision going forward.
In Burns, the plaintiff alleged a Wishbone data breach compromised his personal information, including his name, username for the Wishbone app, encrypted password, e-mail address, gender, user ID, and limited information related to or also used for unrelated third-party accounts. Notably, the plaintiff did not allege that more sensitive information, such as his “date of birth, address, social security number, or any financial information” had been compromised. On behalf of a putative class, the plaintiff asserted claims for negligence, declaratory judgment, and breach of confidence.
As part of his alleged harm, the plaintiff asserted he had used the same password for his Wishbone account and certain other accounts and that, following the Wishbone breach, he learned that two third-party accounts had been affected: a third party gained unauthorized access to one and another had been compromised and locked. According to the plaintiff, these events indicated to him that he was at an increased risk of identity theft and, as a result, he allegedly spent three hours changing online passwords, creating fraud alerts, and checking his bank accounts for fraudulent transactions.
The court dismissed the second amended complaint for lack of Article III standing because the plaintiff had not established an injury in fact for several reasons.
No risk of future harm. First, regarding the plaintiff’s future-harm theory, the court reasoned that the plaintiff had failed to explain how the nature of the compromised data was sufficiently sensitive to create a credible risk of identity theft. Although the plaintiff attempted to liken his situation to In re Zappos.com, Inc., 888 F.3d 1020 (9th Cir. 2018) – in which the Ninth Circuit held data-breach plaintiffs had standing and noted that hackers had taken over e-mail accounts – Judge Pregerson found Zappos distinguishable. Specifically, despite Zappos also involving allegations of account takeovers following a security incident, Judge Pregerson reasoned that the Ninth Circuit found standing in Zappos due to the “sensitivity of the stolen data” – i.e., credit card information – “it did not, however, suggest that the hacked email accounts alone evidenced an ongoing risk of identity theft or constituted an injury in fact.” Rather, the account takeovers supported the Zappos plaintiffs’ allegations that the sensitive information there at issue could be used for fraud.
Because the plaintiff in Burns did not allege the exposure of sensitive information, Judge Pregerson found the alleged unauthorized attempts to access his other accounts did not by themselves create standing.
Mitigation efforts not reasonable. Second, as to whether the plaintiff’s mitigation efforts constituted actual harm, although the court acknowledged that such efforts may sometimes constitute an injury sufficient for standing, they must be “reasonable.” Here, the court reasoned that the plaintiff knew what data was compromised in the Wishbone breach, and that it did not include financial or other sensitive information, rendering his efforts to mitigate a nonexistent risk of future fraud unnecessary and insufficient to confer standing.
Loss in value of data not enough. Third, the court found unavailing the plaintiff’s argument that he had suffered an injury because his exposed data lost its “inherent value.” Noting several other courts had found the same, the court held such a theory was faulty because the plaintiff had not alleged the existence of a “legitimate market” for the compromised data, and even if he had, it was not clear that the value of the data was diminished.
Bottom line. By parsing the Ninth Circuit’s seminal Zappos decision, the Burns opinion clarifies that – even when there is evidence that stolen data was improperly used – that may not be sufficient for Article III standing. Instead, one has standing only when sensitive data is exposed that can actually create a real risk of imminent identity theft. The Burns opinion also helps solidify that general allegations of diminished value of personal information are insufficient to overcome a motion to dismiss.
Learn more about the implications of this case by contacting any of the authors.