Court Ruling in Saks Data Breach Case Illustrates That Threshold for Article III Standing Is Low
For years, plaintiffs in data breach class actions have argued that the threshold for Article III standing is low – and increasingly courts are accepting that argument. The Saks data breach class action, pending in the Southern District of New York, is the latest example of a federal court finding that Article III standing exists even where the plaintiff’s asserted injuries are very minimal.
As a quick reminder, under the Supreme Court’s seminal decision in Spokeo v Robins, plaintiffs in federal court must establish, among other things, that they have suffered an “injury-in-fact” in order to establish Article III standing for federal court jurisdiction. This injury can either be present or “certainly impending”, but it must be concrete and particularized. In the early days of data breach litigation, defendants were successful in convincing courts that a fear of future identity theft was too speculative a claim to support Article III jurisdiction. Over the years, plaintiffs’ attorneys adapted by finding consumers who have been the victims of identity theft or fraud, or suffered actual out of pocket losses to serve as class representatives.
In retail breach cases, plaintiffs face a different challenge because banks and credit card companies have become very adept at spotting retail fraud, immediately freezing consumer accounts, and replacing credit or debit cards free of charge. This has the effect of reducing the likelihood of any consumer suffering an actual out of pocket loss. And because retail data breaches do not involve social security numbers or other information that could be used to commit identity theft, plaintiffs in retail breach cases have had a difficult time convincing courts that their fear of future identity theft is reasonable. (See Michaels, SuperValu, and Zappos class actions).
But plaintiffs’ lawyers have seized on a new approach toward establishing standing in retail cases: claiming as injuries the incidental costs the plaintiff expended responding to notice of the breach itself. In the Saks case, the plaintiff alleged that upon learning about the data breach, she spent time on the phone talking to a bank representative, and then driving 90 minutes to her bank to obtain a replacement card. This lost time allegedly constituted an injury in fact, as did the $4.68 in gas the plaintiff expended making the trip.
In accepting the plaintiff’s standing argument, the Court noted that federal courts have frequently recognized that lost time and the expense of procuring new debit cards can constitute an injury in fact – an “identifiable, already incurred loss of time and money” — different in quality from the speculative mitigation costs that plaintiffs have claimed in fear of identity theft cases. The following chart identifies other retail cases where plaintiffs relied on incidental costs to establish standing.
Time spent with police, bank
Time spent changing automatic payments for other accounts
Late fee on utility bill tied to frozen debit card
Time spent obtaining new card
Cost to expedite delivery
Loss of cash-back rewards
Whether plaintiffs’ use of incidental costs will become the silver bullet to defeat standing motions remains uncertain. Saks argued, unsuccessfully, that plaintiff’s damages were too minimal to establish an injury in fact. But the trend in favor of finding standing – particularly in retail data breach cases – remains clear.