September 17, 2019

September 17, 2019

Subscribe to Latest Legal News and Analysis

September 16, 2019

Subscribe to Latest Legal News and Analysis

Court Ruling in Saks Data Breach Case Illustrates That Threshold for Article III Standing Is Low

For years, plaintiffs in data breach class actions have argued that the threshold for Article III standing is low – and increasingly courts are accepting that argument. The Saks data breach class action, pending in the Southern District of New York, is the latest example of a federal court finding that Article III standing exists even where the plaintiff’s asserted injuries are very minimal.

As a quick reminder, under the Supreme Court’s seminal decision in Spokeo v Robins, plaintiffs in federal court must establish, among other things, that they have suffered an “injury-in-fact” in order to establish Article III standing for federal court jurisdiction. This injury can either be present or “certainly impending”, but it must be concrete and particularized. In the early days of data breach litigation, defendants were successful in convincing courts that a fear of future identity theft was too speculative a claim to support Article III jurisdiction. Over the years, plaintiffs’ attorneys adapted by finding consumers who have been the victims of identity theft or fraud, or suffered actual out of pocket losses to serve as class representatives.

In retail breach cases, plaintiffs face a different challenge because banks and credit card companies have become very adept at spotting retail fraud, immediately freezing consumer accounts, and replacing credit or debit cards free of charge. This has the effect of reducing the likelihood of any consumer suffering an actual out of pocket loss. And because retail data breaches do not involve social security numbers or other information that could be used to commit identity theft, plaintiffs in retail breach cases have had a difficult time convincing courts that their fear of future identity theft is reasonable. (See Michaels, SuperValu, and Zappos class actions).

But plaintiffs’ lawyers have seized on a new approach toward establishing standing in retail cases: claiming as injuries the incidental costs the plaintiff expended responding to notice of the breach itself. In the Saks case, the plaintiff alleged that upon learning about the data breach, she spent time on the phone talking to a bank representative, and then driving 90 minutes to her bank to obtain a replacement card. This lost time allegedly constituted an injury in fact, as did the $4.68 in gas the plaintiff expended making the trip.

In accepting the plaintiff’s standing argument, the Court noted that federal courts have frequently recognized that lost time and the expense of procuring new debit cards can constitute an injury in fact – an “identifiable, already incurred loss of time and money” — different in quality from the speculative mitigation costs that plaintiffs have claimed in fear of identity theft cases. The following chart identifies other retail cases where plaintiffs relied on incidental costs to establish standing.

Diffenbach v. Barnes & Noble (7th Cir)

Time spent with police, bank

Time spent changing automatic payments for other accounts

Torres v. Wendy’s International (M.D. Fla.)

Late fee on utility bill tied to frozen debit card

Gordon v. Chipotle Mexican Grill (D. Colo.)

Time spent obtaining new card

Cost to expedite delivery

Loss of cash-back rewards

Whether plaintiffs’ use of incidental costs will become the silver bullet to defeat standing motions remains uncertain. Saks argued, unsuccessfully, that plaintiff’s damages were too minimal to establish an injury in fact. But the trend in favor of finding standing – particularly in retail data breach cases – remains clear.

Copyright © by Ballard Spahr LLP

TRENDING LEGAL ANALYSIS


About this Author

Philip Yannella, Ballard Spahr Law Firm, Philadelphia, Data Security Attorney
Partner

As Co-Practice Leader of Ballard’s Privacy and Data Security Group, and Practice Leader of the firm’s E-Discovery and Data Management Group, Philip N. Yannella provides clients with 360-degree advice on the transfer, storage, and use of digital information.

Mr. Yannella regularly advises clients on the Stored Communications Act (SCA), Computer Fraud and Abuse Act (CFAA), EU-US Privacy Shield, General Data Protection Regulation (GDPR), Defense of Trade Secrets Act, PCI-DSS, Telephone Consumer Protection Act (TCPA), New York Department of...

215-864-8180