In our last article, we examined the challenges plaintiffs encounter in bringing privacy and data breach claims, including difficulties establishing Article III standing, cognizable injury under state law, and the stringent requirements for class certification. Faced with the daunting problem of establishing an economic “injury” from the mere disclosure of personal data, plaintiffs have now begun to turn their attention to legal theories that do not require proof of actual damages. As we will see, some of these theories have gained legal traction, at least for the time being.
In the Sony Gaming Network data breach litigation, Sony faced a class action from consumers after a criminal intrusion into its PlayStation video game network. The original complaint alleged that plaintiffs faced an increased risk that their personal information would be misused. Finding that “the mere ‘damage of future harm, unaccompanied by present damage, will not support a negligence action,’” the court dismissed the case.
The Sony case is not alone in refusing to dismiss claims based on misrepresentations in user agreements and privacy policies. In 2012, Hackers infiltrated LinkedIn’s computer systems and posted millions of stolen users’ passwords on the Internet. The named plaintiff in the ensuing class action alleged she paid for a premium subscription, which provided her increased networking tools and capabilities. In her first amended complaint, the plaintiff alleged that she did not receive the benefit of her bargain with LinkedIn, and faced increased risk of future harm as a result of the 2012 hacking incident. The court rejected both theories based on lack of standing, finding that the promise of industry standard security had not been a part of the plaintiff’s bargain for premium services.
Despite these limited successes, claims of misrepresentation do not always fair well. For example, in a recent putative class action against Apple, plaintiffs alleged the company failed to adequately disclose that certain iPhone applications collected and disseminated the plaintiffs’ personal information, and that the company had designed its operating system to permit that practice. The plaintiffs also claimed that they relied on Apple’s alleged misrepresentations about privacy and data collection in purchasing their devices, and therefore overpaid for their purchase.
Although the plaintiffs asserted similar misrepresentation claims that initially survived scrutiny in the Sony and LinkedIn cases, the Court granted summary judgment in Apple’s favor. According to the court, to establish standing under California’s Unfair Competition Law, the plaintiffs must set forth specific facts showing that they actually relied on Apple’s alleged misrepresentations about privacy and suffered economic injury as a result of that reliance. Although the court found there was a genuine issue as to whether the plaintiffs suffered an “injury in fact,” it concluded that “actual reliance” is an essential element of standing under Article III, and the plaintiffs failed to raise a genuine issue concerning that element.
As the recent Sony, LinkedIn, and iPhone cases demonstrate, consumer data breach litigation is slowly evolving beyond the initial pleading pitfalls that have doomed many cases to early dismissal. Claims of misrepresentations in user agreements and privacy policies are beginning to gain legal recognition, particularly where they occur at the point of sale. In addition, claims of violations of state consumer protection statutes, especially those that do not require proof of actual economic injury, have proven more resilient to early attacks on the pleadings.
In the next article in this series, we will examine how the emerging trends in consumer data breach litigation may impact companies considering their own end user agreements and privacy policies.