On Monday, February 12, a Southern District of Ohio district court dismissed two proposed class actions relating to an October 2012 Nationwide Mutual Insurance Co. data breach. Galaria v. Nationwide Mutual Ins. Co., No. 2:13-cv-118 (S.D. Ohio Feb. 10, 2014); Hancox v. Nationwide Mutual Ins. Co., No. 2:13-cv-257 (S.D. Ohio Feb. 10, 2014). The court held that neither case could proceed because the Plaintiffs had not sufficiently alleged an injury that would give them standing to sue in federal court under Article III of the U.S. Constitution. In their complaint, Plaintiffs alleged several putative injuries, including increased risk of identity theft and fraud arising from the breach, costs associated with mitigating that increased risk, “loss of privacy,” and deprivation of the value of their personal information. The court rejected each theory, in turn. The opinion is the latest in a series of opinions holding that plaintiffs seeking to recover in data breach case must allege more than the mere possibility of future harm.Continue Reading Federal Court Dismisses Data Breach Suit Alleging Only Speculative Harms

This week, in a 5-4 decision in Clapper et al. v. Amnesty International USA et al., the United States Supreme Court rejected two theories of Article III standing presented by a group of attorneys, human rights, labor, legal, and media organizations who sought a declaration that surveillance under section 1881a of the Foreign Intelligence Surveillance Act (“FISA”) is unconstitutional as well as an injunction against section 1881a-authorized surveillance.

These respondents argued first that, because their work requires them to engage in sensitive and/or privileged communications with individuals located abroad who are likely targets of surveillance, there was an objectively reasonable likelihood that their communications would be acquired under section 1881a at some point in the future, thus causing them injury.  (Section 1881a, which was added by the FISA Amendments Act of 2008, authorizes, under certain circumstances, the government surveillance of individuals who are not “United States persons” and are reasonably believed to be located outside the United States).  Second, the respondents maintained that the risk of surveillance under section 1881a is so substantial that they had been forced to take costly and burdensome measures to protect the confidentiality of their communications that constitute present injury and are fairly traceable to section 1881a.

The Supreme Court rejected each of these arguments holding (1) that respondents’ “highly attenuated chain of possibilities” and theory of future injury was too speculative to satisfy the well-established Article III standing requirement that threatened injury be “certainly impending” and, moreover, that they could not establish that the injury was fairly traceable to section 1881a; and (2) that the respondents “cannot manufacture standing by choosing to make expenditures based on hypothetical future harm that is not certainly impending.”Continue Reading Supreme Court Nixes FISA Surveillance Suit on Standing Grounds

The Seventh Circuit held yesterday, in a decision written by Judge Posner, that damages are not available under the Video Privacy Protection Act (“VPPA”) for violations of the statute’s data deletion requirement, only for unlawful disclosures of video-viewing information. 

Subsection (b) of the VPPA prohibits knowing disclosure of personally identifiable information that identifies a person

Employees whose personal information might have been accessed in a data breach cannot sue the breached company in federal court based only on the possibility that the breach might lead to identity theft, a federal appeals court ruled Monday.

The case, Reilly v. Ceridian Corporation, is a proposed class action brought by employees whose companies used Ceridian Corporation to process company payrolls. An unknown hacker breached Ceridian’s firewall in December 2009, potentially gaining access to payroll information such as names, Social Security numbers, birth dates and bank account numbers. However, the lawsuit did not allege that the hacker actually accessed, copied, or misused the data. Instead, the plaintiffs based their claim on their allegedly increased risk of identity theft, their emotional distress, and the credit-monitoring costs they incurred.Continue Reading Federal Appeals Court: Risk of ID Theft Does Not Confer Standing for Data Breach Suit

Class action lawsuits are increasingly being brought against organizations that have suffered data breaches, as well as against companies that are alleged to have allowed third parties access to online or mobile users’ confidential information without authorization (for example the recent Del Vecchio v. Amazon and Low v. LinkedIn cases).  A repeated issue in these

The United States District Court for the Western District of Seattle recently dismissed an online privacy case involving the alleged improper use of browser and Flash cookies in Del Vecchio v. Amazon.  Finding that the plaintiff “simply not plead adequate facts to establish any plausible harm,” this opinion follows closely on the heels of

Judge Koh of the District Court for the Northern District of California recently granted LinkedIn’s motion to dismiss with leave to amend in Low v. LinkedIn.  Covington represents LinkedIn in this case, in which Plaintiff alleges that he suffered injury by virtue of LinkedIn’s purported transmittal of a unique UserID to certain third parties as a portion of a URL referrer header.

The Court held that the plaintiff had not alleged sufficient injury-in-fact to satisfy Article III standing, because “Plaintiff has failed to put forth a coherent theory of how his personal information was disclosed or transferred to third parties, and how it has harmed him.”  In making this determination, the Court rejected Plaintiff’s theories of  “emotional” and “economic” harm.

With respect to emotional harm, the court noted that Plaintiff was “unable to articulate a theory of what information had actually been transmitted to third parties, how it had been transferred to third parties, and how LinkedIn had actually caused him harm.”  Similarly, in considering Plaintiff’s theory of economic harm, the Court held that Plaintiff’s allegations were “too abstract and hypothetical to support Article III standing,” citing a growing body of precedent, including Judge Koh’s own recent decision in In re iPhone Application Litigation, in which courts have held that the unauthorized collection of personal information does not create an economic loss.  Quoting Specific Media, the Court observed that Plaintiff had failed to allege how he was foreclosed from capitalizing on the value of his personal data or how he was “deprived of the economic value of [his] personal information simply because [his] unspecified personal information was purportedly collected by a third party.”Continue Reading LinkedIn Motion to Dismiss Granted

Yesterday, Judge Lucy Koh of the U.S. District Court for the Northern District of California granted defendants’ motions to dismiss the consolidated, amended complaint in In re iPhone Application Litigation for lack of Article III standing, with leave to amend.  In finding lack of standing, the Court stated that plaintiffs’ allegations were “clearly insufficient” as plaintiffs did not allege “injury in fact to themselves” and “did not identify a concrete harm from the alleged collection and tracking of their personal information sufficient to create injury in fact.”  Further, the Court found that the plaintiffs had failed to allege any injury fairly traceable to Apple or any of the Mobile Industry Defendants.

In addition, the Court articulated specific deficiencies with respect to each of the causes of action, in the event plaintiffs choose to file an amended complaint.  These shortcomings include the fact that plaintiffs did not allege economic damages sufficient to meet the required threshold to state a civil claim under the Computer Fraud and Abuse Act.  The Court also found, as an increasing body of authority has held, that a plaintiff’s “personal information” does not constitute money or property under California’s Unfair Competition Law.Continue Reading In re iPhone Application Litigation Dismissed

Last week, the Ninth Circuit issued two opinions in connection with the theft of an unencrypted laptop that contained personal information about Starbucks employees.  First, the court held in a published opinion that Starbucks employees whose names, addresses and Social Security numbers were on the stolen computer could show that they had suffered enough injury