For Now, RockYou Court Finds Standing Based on PII Disclosure
By Eric Bosset & Mali Friedman
Judge Phyllis Hamilton of the U.S. District Court for the Northern District of California recently permitted a lawsuit arising out of a major data security breach suffered by social-media application developer RockYou to survive a motion to dismiss in part, based on the theory that plaintiff had stated a “generalized injury” sufficient to maintain Article III standing—at least at the initial pleading stage—because the breach of plaintiff’s personally identifiable information (“PII”) allegedly caused loss of an “ascertainable but unidentified ‘value’ and/or property right inherent in [plaintiff’s] PII.” This decision trends away from a recent dismissal of a privacy suit by the U.S. District Court for the Central District of California on standing grounds, which was based on that plaintiff’s failure to allege that the defendant caused any “actual or imminent harm.” It is nonetheless a narrow ruling: its primary impact, on these facts, was to shift the timing of the application of the operative standing test from the pleadings stage to the summary judgment stage.
Recognizing that the plaintiff was advancing a novel theory of damages for which supporting case law is scarce and that there is no clearly established law regarding the sufficiency of allegations of injury in the context of the disclosure of online personal information, the RockYou Court declined to hold as a matter of law that plaintiff had failed to allege an injury in fact sufficient to support Article III standing. (Under Lujan, Article III standing requires “injury in fact” that is “concrete and particularized.”) Notably, though, the Court also stated that it would dismiss plaintiff’s claims for lack of standing should it become apparent, after discovery, “that no basis exists upon which plaintiff could legally demonstrate tangible harm via the unauthorized disclosure of PII” (emphasis added). The Court also rejected as a matter of law the characterization of PII disclosure as “lost money or property” and noted its doubts about plaintiff’s ultimate ability to prove the damages alleged in the complaint. Additionally, the Court dismissed with prejudice several of the causes of action asserted, based on plaintiff’s failure to allege the more particularized elements of injury required for these claims—including a claim under California’s Unfair Competition Law (Cal. Bus. & Prof. Code §§ 17200 et seq.), which requires a plaintiff to prove that a violation caused loss of money or property.
Although those involved in the wave of recent privacy suits based on speculative harms allegedly tied to the loss of or sharing of PII or user information surely will pay close attention to this ruling, the facts of this case—a publicly acknowledged, severe data breach and the Court’s observation that RockYou failed to use hashing, or any other common and reasonable method of data protection—are clear distinctions from much of the other online privacy litigation currently underway.