In light of the Department of Justice’s decision to look further into the Target data breach (http://thehill.com/blogs/hillicon-valley/technology/196830-holder-doj-investigating-target-breach), this seemed like a relevant topic to continue discussing. One problem any data breach case has is proving sufficient damages to receive an actual hearing from the court. A famous court case from last year, Clapper v. Amnesty International (http://www.datasecuritylawjournal.com/files/2013/12/Clapper-USSCt.pdf), limited what plaintiffs could claim as an injury. Clapper involved various civil rights advocacy organizations suing the NSA for privacy violations. The Supreme Court opted to dismiss the case because the parties could not prove cognizable harm due to a lack of provable instances of spying by the NSA (it should be noted that this court case was decided before Snowden made such instances public). Basically, Clapper says that a plaintiff must have a concrete example of the injury before they can seek redress. If the plaintiff lacks this concrete harm, then they lack standing. Some defense attorneys have already started putting Clapper’s holding to use in regard to data privacy issues (http://blogs.reuters.com/alison-frankel/2013/03/12/how-scotus-wiretap-ruling-helps-internet-privacy-defendants/).
This standard creates a relatively high standard for plaintiffs in these data breach cases. Without some concrete injury, such as one of the hackers using their identity, they cannot claim standing for Target’s data breach. This makes pursuing a class action much harder, since it potentially eliminates a great portion of the class. There might be many individuals who had their data taken in the breach that cannot state a concrete harm that occurred to them. It also doesn’t help these plaintiffs that purely economic losses are often barred from recovery (known as the economic loss rule).
With this in mind, there was an interesting development regarding another data breach case: In Re Sony Gaming Networks. What makes this case surprising is that it managed to survive a motion to dismiss, though only after the judge threw out 45 of the claims. According to Eric Goldman, a big reason why the case survived dismissal is that Sony made some pretty big promises regarding their level of security in various user and privacy agreements (http://blog.ericgoldman.org/archives/2014/01/sony-playstation-data-breach-lawsuit-whittled-down-but-moves-forward.htm). It’s hard to say what will come out of the Sony case, but it may teach companies not to promise too much to their customers when selling a product.