By Eric Bosset

Judge Phyllis Hamilton of the U.S. District Court for the Northern District of California recently permitted a lawsuit arising out of a major data security breach suffered by social-media application developer RockYou to survive a motion to dismiss in part, based on the theory that plaintiff had  stated a “generalized injury” sufficient to maintain Article III standing—at least at the initial pleading stage—because the breach of plaintiff’s personally identifiable information (“PII”) allegedly caused loss of an “ascertainable but unidentified ‘value’ and/or property right inherent in [plaintiff’s] PII.”  Although this decision trends away from a recent dismissal [PDF] of a privacy suit by the U.S. District Court for the Central District of California on standing grounds, based on failure by that plaintiff to allege that the defendant caused any “actual or imminent harm,” it is a narrow ruling, the primary impact of which was to shift on these facts the timing of application of the operative standing test from the pleadings stage to the summary judgment stage.

Recognizing that the plaintiff was advancing a novel theory of damages for which supporting case law is scarce and that there is no clearly established law regarding the sufficiency of allegations of injury in the context of the disclosure of online personal information, the RockYou Court declined to hold as a matter of law that plaintiff had failed to allege an injury in fact sufficient to support Article III standing.  (Under Lujan, Article  III  standing requires “injury in fact” that is “concrete and particularized”).  Notably, though, the Court also stated that it would dismiss plaintiff’s claims for lack of standing should it become apparent, after discovery, “that no basis exists upon which plaintiff could legally demonstrate tangible harm via the unauthorized disclosure of PII” (emphasis added).  The Court also rejected as a matter of law the characterization of PII disclosure as “lost money or property” and noted its doubts about plaintiff’s ultimate ability to prove the damages alleged in the complaint.  Additionally, the Court dismissed with prejudice several of the causes of action asserted, based on plaintiff’s failure to allege the more particularized elements of injury required for these claims—including a claim under California’s Unfair Competition Law (Cal. Bus. & Prof. Code §§ 17200 et seq.), which requires a plaintiff to prove that a violation caused loss of money or property.

Although those involved in the wave of recent privacy suits based on speculative harms allegedly tied to the loss of or sharing of PII or user information surely will pay close attention to this ruling, the facts of this case—a publicly acknowledged, severe data breach and the Court’s observation that RockYou failed to use hashing, or any other common and reasonable method of data protection—are clear distinctions from much of the other online privacy litigation currently underway.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Eric Bosset Eric Bosset

Eric Bosset is a partner whose practice encompasses a broad range of complex litigation matters, with an emphasis on (1) privacy, data security and consumer protection, (2) employment and ERISA, and (3) financial products and services. Eric has extensive experience in class actions…

Eric Bosset is a partner whose practice encompasses a broad range of complex litigation matters, with an emphasis on (1) privacy, data security and consumer protection, (2) employment and ERISA, and (3) financial products and services. Eric has extensive experience in class actions, MDL proceedings, and other multi-party lawsuits. His trial victories include a jury verdict in an employment class action lawsuit that The National Law Journal ranked among the 25 most notable defense verdicts of the year.

Privacy and Consumer Protection

Eric was named “Most Valuable Player” in Privacy & Consumer Protection by Law360. He has an extensive practice representing Internet service providers, publishers and advertisers in class action litigation involving claims of unauthorized collection and disclosure of personally identifiable information (“PII”). He has successfully represented Microsoft, AOL, CBS, McDonald’s, Mazda, the Indianapolis Colts, and other companies in obtaining the dismissals of putative class action lawsuits that asserted federal law claims under the Electronic Communications Privacy Act (“ECPA”), Computer Fraud and Abuse Act (“CFAA”), and Video Privacy Protection Act (“VPPA”), as well as state law claims under the Illinois Biometric Information Privacy Act (“BIPA”) and for unfair practices, trespass, and invasion of privacy.

Eric also represents companies in connection with matters arising under the Fair Credit Reporting Act (“FCRA”), Fair and Accurate Credit Transaction Act (“FACTA”), Telephone Consumer Protection Act (“TCPA”), and other consumer protection statutes.

Employment and ERISA

Eric has extensive experience defending companies in individual and class action litigation brought under federal and state laws concerning discrimination, retaliation, whistleblowing, wage and hour disputes, and wrongful termination, as well as in class action litigation involving the Employee Retirement Income Security Act (“ERISA”). Eric has the rare distinction of having tried and won a jury verdict in a class action lawsuit alleging “pattern or practice” discrimination on the basis of age in connection with a corporate reduction in force. Bush, et al. v. Deere & Company (C.D. Ill.). He also secured the reversal on appeal of a class certification order in a “stock drop” lawsuit that claimed breaches of fiduciary duty in the administration of a company retirement savings plan. In re Schering Plough Corporation ERISA Litig., 589 F.3d 585 (3d Cir. 2009). Eric also represents clients in EEOC investigations.

Financial and Fintech

Eric’s practice includes the representation of financial and fintech companies on a broad array of civil litigation, arbitration, and regulatory enforcement matters relating to financial products and services, including matters for Wells Fargo Bank, JPMorgan Chase, Synchrony Bank, Envestnet, Yodlee, and MidFirst Bank.