United States District Court, E.D. Louisiana
May 4, 2015
COLLIN GREEN, Plaintiff,
EBAY INC., Defendant Section:
ORDER AND REASONS
SUSIE MORGAN, District Judge.
Before the Court is Defendant eBay Inc.'s ("eBay") Motion to Dismiss Plaintiff's Class Action Complaint pursuant to Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6). In its motion, eBay first argues the Class Action Complaint should be dismissed pursuant to Rule 12(b)(1) because Plaintiff Collin Green, the sole named Plaintiff in this action, has failed to allege a cognizable injury-in-fact; therefore, he lacks Article III standing to pursue this case in federal court. In the alternative, eBay contends the Class Action Complaint should be dismissed pursuant to Rule 12(b)(6) for failure to state a claim upon which relief can be granted.
This case raises the issue of whether the increased risk of future identity theft or identity fraud posed by a data security breach confers Article III standing on individuals whose information has been compromised by the data breach but whose information has not yet been misused. After considering the parties' briefs and the relevant case law, the Court finds itself positioned with the majority of district courts that have held the answer is no. Because Plaintiff has failed to allege a cognizable Article III injury, the Court grants eBay's motion and dismisses the Class Action Complaint for lack of standing.
eBay is a global e-commerce website that enables its over 120 million active users to buy and sell in an online marketplace. In its normal course of business, eBay maintains personal information of its users, including: names, encrypted passwords, dates of birth, email addresses, physical addresses, and phone numbers. In February and March 2014, unknown persons accessed eBay's files containing this user information (the "Data Breach"). On May 21, 2014, eBay notified its users of the Data Breach and recommended that users change their passwords. Although eBay also collects other information, including credit card and bank account information, there is no indication that any financial information was accessed or stolen during the Data Breach.
Plaintiff Collin Green filed this 10-count consumer privacy putative class action against eBay on behalf of himself and all eBay users in the United States whose personal information was accessed during the Data Breach. Plaintiff alleges that as a direct and proximate result of eBay's conduct, "Plaintiff and the putative class members have suffered economic damages, " "actual identity theft, as well as (i) improper disclosures of their personal information; (ii) out-of-pocket expenses incurred to mitigate the increased risk of identity theft and/or identity fraud due to eBay's failures; (iii) the value of their time spent mitigating identity theft and/or identity fraud, and/or the increased risk of identity theft and/or identity fraud; (iv) and deprivation of the value of their personal information." The Class Action Complaint asserts federal causes of action under the Federal Stored Communications Act, Fair Credit Reporting Act, and Gramm-Leach-Bliley Act and several state law causes of action, including negligence, breach of contract, and violation of state privacy laws. eBay now moves to dismiss the Class Action Complaint pursuant to Federal Rules of Civil Procedure 12(b)(1) for lack of standing and 12(b)(6) for failure to state a claim.
The gravamen of eBay's motion to dismiss is that Plaintiff lacks Article III standing to bring this action in both his individual and representative capacities. eBay contends the Court lacks subject-matter jurisdiction because Plaintiff "has not alleged any cognizable injury whatsoever, and he thus lacks Article III standing." eBay argues "Plaintiff does not allege that he has been injured by misuse of the stolen information[, ]... that anyone has used his password, or that anyone has even tried to commit identity fraud with his information-let alone that anyone has actually succeeded in doing so- and that he has thereby suffered harm." Instead, eBay claims "Plaintiff relies on vague, speculative assertions of possible future injury-that maybe at some point in the future, he might be harmed.... But the speculative possibility of future injury does not constitute injury-in-fact." eBay asserts that the Supreme Court recently made clear in Clapper v. Amnesty International USA that a future injury must be "certainly impending" to establish injury-in-fact, and "[b]ecause Plaintiff has not alleged specific facts constituting an injury that is present or certainly impending, ' Plaintiff lacks standing and the Complaint must be dismissed." In support, eBay points to numerous post- Clapper data breach cases where courts have held that neither the increased risk of identity theft nor expenses incurred to mitigate this speculative risk constitute injury-infact as required for Article III standing.
Plaintiff argues eBay has misconstrued recent Supreme Court case law on standing and contends the Class Action Complaint sufficiently alleges injury-in-fact because Plaintiff and the putative class members are now subject to the "statistically certain threat" of identity theft or identity fraud, and they have incurred, or will incur, costs to mitigate that risk. Plaintiff states his personal information was stolen, along with that of all of the members of the putative class, and "[e]mpirical data shows a vast number of the class members will be significantly harmed." Although Plaintiff concedes the entire class may not suffer injury,  he argues the Fifth Circuit "has explained... that the fact a section of the class may not suffer the damages alleged is not sufficient to destroy Article III standing; it is the allegation of injury that determines at this phase."
"Article III of the United States Constitution limits the jurisdiction of federal courts to actual Cases' and Controversies.'" "One element of the case-or-controversy requirement is that plaintiffs must establish that they have standing to sue." Because standing is a matter of subject-matter jurisdiction, a motion to dismiss for lack of standing is properly brought pursuant to Federal Rule of Civil Procedure 12(b)(1). Federal courts must dismiss an action if, "at any time, " it is determined that subject-matter jurisdiction is lacking. As the party invoking federal jurisdiction, the plaintiff constantly bears the burden of establishing the jurisdictional requirements, including standing.
"To establish Article III standing, a plaintiff must show (1) an injury in fact, ' (2) a sufficient causal connection between the injury and the conduct complained of, ' and (3) a likel[ihood]' that the injury will be redressed by a favorable decision.'" The first prong focuses on whether the plaintiff suffered harm, the second focuses on who inflicted that harm, and the third focuses on whether a favorable decision will likely alleviate that harm. Although all three elements are required for Article III standing, the injury-in-fact element is often determinative.
In the class action context, "named plaintiffs who represent a class must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class." "[I]f none of the named plaintiffs purporting to represent a class establishes the requisite of a case or controversy with the defendants, none may seek relief on behalf of himself or any other member of the class."
In this case, eBay contends Green, the only named Plaintiff, lacks standing because he has failed to allege a cognizable injury. The injury-in-fact element "helps ensure that the plaintiff has a personal stake in the outcome of the controversy." Recently, the Supreme Court in Clapper v. Amnesty International USA provided guidance on the standard for establishing injury-in-fact:
[A]n injury must be concrete, particularized, and actual or imminent.... Although imminence is concededly a somewhat elastic concept, it cannot be stretched beyond its purpose, which is to ensure that the alleged injury is not too speculative for Article III purposes-that the injury is certainly impending. Thus, we have repeatedly reiterated that threatened injury must be certainly impending to constitute injury in fact, and that allegations of possible future injury are not sufficient.
Following Clapper, the majority of courts faced with data breach class actions where complaints alleged personal information was accessed but where actual identity theft was not alleged have applied this "certainly impending" standard; notably, where plaintiffs have alleged their injury was the increased risk of identity theft, courts have dismissed the complaints for lack of Article III standing. These courts found that the mere increased risk of identity theft or identity fraud alone does not constitute a cognizable injury unless the harm alleged is certainly impending.
For example, in Strautins v. Trustwave Holdings, Inc ., a hacker infiltrated the South Carolina Department of Revenue, and "approximately 3.6 million Social Security numbers, 387, 000 credit and debit card numbers, and tax records for 657, 000 businesses had been exposed." The plaintiff filed a class action claiming she and the other class members incurred the following injuries:
(1) untimely and/or inadequate notification of the Data Breach; (2) improper disclosure of [personal identifying information]; (3) loss of privacy; (4) out-of-pocket expenses incurred to mitigate the increased risk of identity theft and/or identity fraud pressed upon them by the Data Breach; (5) the value of time spent mitigating identity theft and/or identity fraud and/or the increased risk of identity theft and/or identity fraud; (6) deprivation of the value of [personal identifying information]; and (7) violations of rights under the Fair Credit Reporting Act.
The court in Strautins stated that "[t]hese claims of injury, however, are too speculative to permit the complaint to go forward." This is because under Clapper, "allegations of possible future injury are not sufficient to establish standing.... [T]he threatened injury must be certainly impending. "
Even where actual fraudulent credit card charges are made after a data breach, courts have held the injury requirement still is not satisfied if the plaintiffs were not held financially responsible for paying such charges. For example, in Peters v. St. Joseph Services Corp., hackers infiltrated a health care service provider's network and accessed personal information of patients and employees, including names, social security numbers, birthdates, addresses, medical records, and bank account information. Even though there was an attempted purchase on the plaintiff's credit card, which was declined by the plaintiff when she received a fraud alert, the court held the plaintiff did not have standing. The Court found the plaintiff's theory based on a certainly impending or substantial risk of identity theft/fraud was too speculative and attenuated to constitute injury-in-fact because she was unable to "describe how [she would] be injured without beginning the explanation with the word if.'" Similarly, the court in Remijas v. Neiman Marcus Group, LLC found the complaint did not adequately allege standing on the basis of increased risk of future identity theft. Despite the fact that thousands of Neiman Marcus customers had actual fraudulent charges on their credit cards, the court found the plaintiffs failed to allege that any of the fraudulent charges were unreimbursed, and the court was "not persuaded that unauthorized credit card charges for which none of the plaintiffs are financially responsible qualify as concrete' injuries."
Although Plaintiff's Class Action Complaint states all members of the putative class "have suffered actual identity theft, " Plaintiff makes this conclusory statement without any allegations of actual incidents of identity theft that any class member has suffered, let alone that Plaintiff himself has suffered. Plaintiff does not allege that any of the information accessed was actually misused or that there has even been an attempt to use it. Plaintiff has not alleged that his password was decrypted and utilized or that any of his other personal information has been leveraged in any way. As Plaintiff's opposition makes clear, his true argument is that his injury-in-fact is the increased risk of future identity theft or identity fraud-not actual identity theft or identity fraud. Thus, for Plaintiff to have standing under Article III, the threat of identity theft or identity fraud must be concrete, particularized, and imminent-meaning the harm must be certainly impending.
The Court finds Plaintiff has failed to allege an injury-in-fact: the allegations in the Complaint fail to demonstrate a concrete and particularized actual or threatened injury that is certainly impending. In most data breach cases, the complaints allege sensitive information was stolen, such as financial information or Social Security numbers. In such cases, courts nonetheless have found that the mere risk of identity theft is insufficient to confer standing, even in cases where there were actual attempts to use the stolen information. In this case, there is no evidence that any financial information or Social Security numbers were accessed during the Data Breach. Additionally, the fact there is no evidence of actual or even attempted identity theft or identity fraud further supports the Court's finding that Plaintiff has failed to show the alleged future injury is certainly impending. Furthermore, "[i]t is well settled that [a] claim of injury generally is too conjectural or hypothetical to confer standing when the injury's existence depends on the decisions of third parties, '" and the existence of Plaintiff's alleged injury in this case rests on whether third parties decide to do anything with the information. If they choose to do nothing, there will never be an injury.
Indeed, Plaintiff's Complaint makes clear that he does not face a certainly impending risk of future identity theft or identity fraud. For example, the Complaint states: "Criminals who now possess Plaintiffs' [sic] and the class members' personal information may hold the information for later use, or continue to sell it between identity thieves. Thus, Plaintiff and the class members must be vigilant for many years in checking for fraud in their name, and be prepared to deal with the steep costs associated with identity fraud." Additionally, the Complaint states: "Studies indicate that individuals whose personal information is stolen are approximately 9.5 times more likely than other people to suffer identity fraud. Moreover, it can take time before the identity thieves use the stolen information." However, an increase in the risk of harm is irrelevant-the true question is whether the harm is certainly impending. Just as in Peters v. St. Joseph Sevices Corp., the allegations in Plaintiff's Class Action Complaint make clear that "[t]he misuse of the accessed information could take any number of forms, at any point in time.... It may even be impossible to determine whether the misused information was obtained from exposure caused by the Data Breach or from some other source. Ultimately, [Plaintiff's] theory of standing relies on a highly attenuated chain of possibilities.' As such, it fails to satisfy the requirement that threatened injury be certainly impending to constitute injury in fact.'"
Although Plaintiff claims "[t]he only purpose to steal the information [from eBay] is to profit from it, " nothing in the Complaint indicates the threat of future identity theft or identity fraud is certainly impending. The potential injury in this case is far too hypothetical or speculative to meet Clapper 's certainly impending standard. Whether Plaintiff and other class members actually become victims of identity theft depends on numerous variables, including whether their data was actually taken when it was accessed, whether certain information was decrypted, whether the data was actually misused or transferred to another third party and misused, and whether or not the third party succeeded in misusing the information. The mere fact that Plaintiff's information was accessed during the Data Breach is insufficient to establish injury-in-fact. Thus, the potential threat of identity theft or identity fraud, to the extent any exists in this case, does not confer standing on Plaintiff to pursue this action in federal court.
The Complaint also alleges that Plaintiff and the putative class members have spent, or will need to spend, both time and out-of-pocket expenses to protect themselves from identity theft or identity fraud and/or the increased risk of either occurring. As the Supreme Court made clear in Clapper, mitigation expenses do not qualify as injury-in-fact when the alleged harm is not imminent. Therefore, Plaintiff's allegations relating to costs already incurred or that may be incurred to monitor against future identity theft or identity fraud likewise fail to constitute injury-in-fact for standing purposes.
Based on Plaintiff's failure to allege facts showing he has suffered an actual or imminent injury, the Court must dismiss the Class Action Complaint for lack of standing. This disposition is in line with the vast majority of post- Clapper data breach cases where no actual identity theft or identity fraud was alleged. Plaintiff lacks standing to sue in federal court unless and until he suffers an actual injury or faces an imminent injury traceable to the Data Breach that can be fully compensated with money damages, and there is simply no compensable injury at this time.
Given the Court's lack of original jurisdiction over Plaintiff's federal claims, the Court declines to exercise supplemental jurisdiction over the state law claims pursuant to 28 U.S.C. § 1367. Thus, the state law claims are dismissed without prejudice.
Based on the foregoing analysis and discussion, Plaintiff has not adequately alleged Article III standing. For that reason, the case must be dismissed for want of subject-matter jurisdiction. Accordingly,
IT IS ORDERED that eBay's Motion to Dismiss for lack of standing (R. Doc. 20) be and hereby is GRANTED, and the Class Action Complaint is DISMISSED without prejudice.