For years, the plaintiffs’ bar has faced a virtually insurmountable barrier in pursuing class action litigation in the data breach/consumer privacy context. Absent actual theft and misuse of customers’ data by a third party, plaintiffs generally have been found to lack standing and/or to have failed to establish the elements of a damages claim, and the litigation has been dismissed at the earliest stages.
However, a recent case in the 1st Circuit, as well as cases in the 9th and 7th Circuits, could represent either a vulnerability in this barrier upon which creative plaintiffs can capitalize, or simply a modified analysis that does not change the typically adverse outcome for plaintiffs.
This month, the 3rd Circuit joined the overwhelming majority of state and federal district courts across the country in holding that where plaintiffs have suffered no actual identity theft or other harm, they lack standing to pursue their claims, and thus the courts need not reach the merits of those claims. See Reilly v. Ceridian Corp. However, the 9th Circuit recently joined the 7th Circuit in finding standing under such circumstances. See Krottner v. Starbucks Corp.
Notably, though, both the 9th and 7th Circuits rejected the claims on the merits. The two courts found that the mere alleged risk of identity theft is insufficient to establish the legally cognizable damages elements of plaintiffs’ claims. Thus, while the analytical approach of the 9th and 7th Circuits differs from other courts, including the 3rd Circuit, the adverse result for plaintiffs remained the same.
However, a recent decision by the 1st Circuit in Anderson v. Hannaford Brothers Co. arguably goes one step further in favor of plaintiffs. Set in the relatively narrow context of an alleged large-scale criminal operation and the deliberate taking of credit and debit card information by thieves intent on using the information for financial gain, the 1st Circuit held that while damages for loss of reward points, loss of reward point earning opportunities, and fees for altering pre-authorized payment arrangements were not legally cognizable, the reasonable mitigation costs of card replacement and credit insurance were sufficient to state a claim.
The 1st Circuit distinguished the facts of the case from contrary decisions in other jurisdictions. In those cases, the court said, the costs of credit monitoring services and identity theft insurance were not foreseeable because the cases often involved the theft of expensive computer equipment, which the thieves may not have been aware contained confidential data. Moreover, in Hannaford, unlike the other cases, the card owners were not merely exposed to a hypothetical risk that their personal data would be used; it was alleged that they actually suffered financial losses from credit and debit card misuse.
The impact of the Hannaford decision remains to be seen. However, you can be sure that plaintiffs’ lawyers will use this decision to argue that other out-of-pocket costs incurred to mitigate losses following a data breach, other than for credit monitoring and identity theft insurance, are reasonable and thus are recoverable damages.
And while Hannaford could be read narrowly to involve targeted card number theft only, plaintiffs’ lawyers may argue that its holding should apply with equal force to inadvertent data breaches. At the very least, this decision is a valuable reminder to businesses that handle sensitive consumer information to remain vigilant in their data security efforts.