The Standing Struggle in Data Breach Litigation Continues
Two courts. Two days. Two different results. On March 7, on remand from the U.S. Court of Appeals for the Eighth Circuit, a federal district court judge in Minnesota granted a motion to dismiss a consumer class action suit involving a 2014 data breach affecting over 1,000 grocery stores. The court found that the allegations of possible future identity theft or fraud because of the breach were not sufficient to establish a substantial risk of future harm.
The next day, the U.S. Court of Appeals for the Ninth Circuit reached an opposite result, further highlighting the split among courts on the issue of standing in data breach litigation. The Ninth Circuit reversed the dismissal of a consumer class action claim against Zappos for a 2012 data breach involving the payment card information of nearly 24 million customers. The court concluded, as it has in the past, that the risk of future identity theft or fraud tied to the data breach meets standing requirements.
Due to the U.S. Supreme Court’s recent refusal to grant certiorari in Attias v. CareFirst, we are likely to see the divide deepen as plaintiffs’ class action lawyers find ways to file suit in jurisdictions offering more plaintiff-friendly interpretations of Article III standing. For a more in-depth discussion of the standing issues, see our Jan. 22, 2018 post.