Recent Standing Decision in Data Breach Context (SD Cal.)

Another federal court has weighed in on Article III standing in a data breach class action. In Dugas v. Starwood Hotels, plaintiff alleges that criminal hackers inflicted a series of attacks on the United States hospitality industry.  2016 WL 6523428 (S.D. Cal. Nov. 3, 2016).  Plaintiff claims the data breach affected hundreds of thousands of customers of the Starwood Hotel system.

When defendants moved to dismiss, the court focused on plaintiff’s alleged injury-in-fact for under Article III.  The court categorized the claimed injuries within four categories:

These claimed injuries can be summarized as (1) past financial costs associated with detecting and preventing identity theft or unauthorized use of credit cards; (2) future costs in terms of time, effort and money to prevent or repair identity theft or future unauthorized use of credit cards; (3) theft of personal identifying information and; (4) past loss of productivity from efforts to mitigate consequences of data theft.

The court then concluded that plaintiff lacked standing for the first three types of injuries.

First, the court held “Plaintiff merely alleges that he was ‘exposed’ to economic losses. Such indirect allegations do not demonstrate injury in fact.”

Second, the court emphasized that the theft of personal information had been relatively limited–it did not involve social security information or usernames, passwords, or emails, but rather names, addresses, billing information, and credit card numbers.  Consequently, the court held that the plaintiff failed to allege a “credible threat of future identity theft needed in order to plead injury in fact for his causes of action.”

Third, the court rejected plaintiff’s claim of “a property right to personal identifying information, [because he] fail[ed] to identify any authority to support this proposition.”

Finally, the court went the other direction on the fourth category of injury, holding:

Plaintiff has alleged that his credit card information was stolen and misused and that he arranged to cancel and reissue the compromised credit card after learning that his PII was misused. He further alleges that the need to mitigate his exposure to fraudulent charges and potential identity theft resulted in a loss of productivity. These allegations present a concrete, non-speculative harm that befell Plaintiff as a result of the Starwood breach. Accordingly, to the extent Plaintiff seeks relief for the loss of time and money spent to avoid losses caused by the data breach, his allegations are sufficient to state an injury in fact.