First Line Of Defense In Privacy Class Actions - Damages

Law360, New York (September 22, 2011, 12:57 PM ET) -- Named plaintiffs in privacy class actions ordinarily do not or cannot allege injury or loss resulting from the misuse or theft of their private information. As demonstrated by recent court decisions in California and New York, the inability to allege damages continues to pose significant obstacles for would-be class plaintiffs. Such was the case for the plaintiffs in In re Google Street View, No. 10-MD-02184 JW (N.D. Cal.). There, the court dismissed plaintiffs' claims under California's consumer protection statute, Business & Professional Code § 17200 ("Section 17200"), because plaintiffs failed to plead facts showing that Google's alleged collection of their Wi-Fi usage data caused plaintiffs to lose or expend money.

A similar inability to allege actual damages resulted in the dismissal of federal statutory claims asserted in Bose v. Interclick, No. 10 Civ. 9183 (DAB) (S.D.N.Y.). Although absence of monetary losses did not bar claims in Bose that were asserted under New York's deceptive trade practices statute, General Business Law § 349 ("Section 349"), statutes or causes of action that permit claims to go forward in the absence of actual damages are the exception, not the rule. The fact that lead plaintiffs in privacy class actions typically have not sustained any damages has frustrated most attempts to bring privacy class actions, and probably affords defendants their strongest line of defense.

Privacy class actions generally involve either commercial monitoring or use of private information (like the Google Street View and Bose cases), or the loss or theft of private information as the result of a data breach (as alleged in the cases concerning the Sony PlayStation Network data breach). Such occurrences would appear, at first glance, to be tailor-made for class action litigation.

The conduct at issue often affects large numbers of individuals, and is usually widely publicized. At the same time, alarmist commentators stoke consumers' fears about the omnipresent risk of identity theft, or decry efforts of online advertisers and marketers to use personalized user information to target online advertising and content. The felicitous combination of consumer angst, widespread publicity and large potential classes would seem to promise lucrative paydays for enterprising class action attorneys.

And yet, the 15 years of privacy class actions since the dawn of the Internet era have yet to produce a landmark plaintiffs' verdict. The common denominator has been damages or, more precisely, the lack of damages. For all of the pundit-driven frenzy about the potential for theft and misuse of personal data, claims for significant privacy-related injuries rarely materialize in class actions. It is certainly true that some privacy violations, such as identity theft, can result in serious individual losses.

But where a person has suffered a serious loss by reason of identity theft, there is no reason to pursue a class action because the loss would be significant enough to warrant bringing an individual claim. Moreover, the differences between a lead plaintiff who has actually suffered losses and putative class members who merely fear a potential loss raise typicality issues that frustrate class certification.

Thus, it is the imperatives of class action litigation — claims too small to merit individual adjudication and substantially undifferentiated causes of action and injuries — that result in the typical privacy class action being asserted on behalf of individuals who fear, but have not actually suffered, some loss or injury as a result of an alleged theft or misuse of their private information.

In this respect, privacy class actions closely resemble other species of "no injury" class actions that have sprung up as adjuncts to individual tort claims. For example, during the late 1990s, Firestone tires on Ford Motor Co. SUVs had high rates of failure, resulting in injuries and deaths that led to personal injury lawsuits. Those personal injury claims, however, were not the subject of class actions.

Rather, class action lawyers brought lawsuits for alleged economic injuries on behalf of putative class members who purchased Ford SUVs that were equipped with Firestone tires. Those class actions only sought recoveries for purported economic injuries and explicitly excluded claims for personal injury and property damages that were otherwise the subject of individual lawsuits (and which, not coincidentally, would have raised individual issues of fact and law antithetical to certifying a class). See, e.g., In the Matter of Bridgestone Firestone Tires Prods. Liab. Litig., 288 F.3d 1012 (7th Cir. 2002).

Privacy class actions resemble such "no injury" products liability class actions in that they are not brought on behalf of individuals who have suffered actual harm, but instead are asserted on behalf of individuals who, at most, fear that they will suffer injury or loss. Such fears, however, are often insufficient as a matter of law to support a claim arising from an alleged breach of privacy. A significant body of law now stands for the proposition that the mere apprehension that some type of harm will result from the loss or use of private data does not provide a basis for pursuing a claim at law.

A number of cases go so far as to conclude that a plaintiff lacks Article III standing to pursue a privacy claim in the absence of financial loss flowing from the alleged privacy violation. See, e.g., Hammond v. The Bank of New York Mellon Corp., 2010, at *6 - *8 (S.D.N.Y. Jun. 25, 2010); Amburgy v. Express Scripts Inc., 671 F. Supp. 2d 1046, Randolph v. ING Life Ins. and Annuity Co., 486 F. Supp. 2d 1, 4, 7-8 (D.D.C. 2007); Bell v. Acxiom Corp., 2006, at *1 (E.D. Ark. Oct. 3, 2006); Key v. DSW Inc., 454 F. Supp. 2d 684, 685-86, 690 (S.D. Ohio 2006); Giordano v. Wachovia Sec. LLC, 2006, at *4 - *5 (D.N.J. Jul. 31, 2006). In Amburgy, the court explained why plaintiff's allegation of a data breach resulting in release of his date of birth, Social Security number and prescription records, without more, was insufficient to confer standing:

"For plaintiff to suffer the injury and harm he alleges here, many 'ifs' would have to come to pass. Assuming plaintiff's allegation of security breach to be true, plaintiff alleges that he would be injured 'if' such information was obtained by an unauthorized third party, and 'if' his identity was stolen as a result, and 'if' the use of his stolen identity caused him harm. These multiple 'ifs' squarely place plaintiff's claimed injury in the realm of the hypothetical. If a party were allowed to assert such remote and speculative claims to obtain court jurisdiction, the Supreme Court's standing doctrine would be meaningless." 671 F. Supp. 2d at 1053 (citing National Resources Def. Council v. EPA, 464 F.3d 1, 6 (D.C. Cir. 2006)).

Other courts have held that a controversy over the loss, theft or misuse of private information is sufficient to confer standing, but that the absence of pecuniary loss precludes the assertion of statutory or common law causes of action. See, e.g., Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629 (7th Cir. 2007). In Pisciotta, the Seventh Circuit disagreed with the courts that had held that the absence of actual damages would deprive a party of standing under Article III, stating that "the injury-in-fact requirement [of Article III] can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would have otherwise faced, absent the defendant's actions." Id. at 634.

Even so, the Seventh Circuit concluded that the plaintiffs' fear of injury resulting from a data breach was not compensable under Indiana law, which governed plaintiffs' claims. See id. at 635-640. As such, the cost of credit monitoring services that the plaintiffs purchased because of their fear of identity theft and other losses failed to establish the existence of damages sufficient to maintain a cause of action arising from an alleged invasion of privacy. See id. In so holding, the Seventh Circuit observed that "in the somewhat analogous context of toxic tort liability," the Indiana Supreme Court had declined to recognize a cause of action and right to medical monitoring for persons exposed to hazardous substances. See id. at 638-39. See also Rowe v. UniCare Life & Health Ins. Co., 2010, at *5 - *6 (N.D. Ill. Jan. 5, 2010) (under Illinois law and other states' laws, because plaintiffs cannot sue more than once based on the same tort, a claim based on the risk of future injury should be denied without prejudice).

Other courts, following the Seventh Circuit's analysis in Pisciotta, have held that, despite having standing, plaintiffs who had not suffered actual damages could not maintain a privacy-related cause of action. See, e.g., Ruiz v. Gap Inc., 622 F. Supp. 2d 908, 913, 914-16 (N.D. Cal. 2009); In re Hannaford Bros. Co. Customer Data Security Breach Litig., 613 F. Supp. 2d 108, 131-35 (D. Me. 2009); Kahle v. Litton Loan Servicing LP, 486 F. Supp. 2d 705, 710-12 (S.D. Ohio 2007).

One notable exception to this trend was the recent decision in Interclick, which held that absence of pecuniary loss would not preclude maintaining a deceptive trade practices claim under New York's Section 349. Unlike many statutes and common law causes of action, Section 349 does not explicitly require a plaintiff to allege or prove that there has been a pecuniary loss. In support of that latter point, the court notes that prior New York state court decisions have held that a complaints alleging a purported breach of privacy stated claims under Section 349 even in the absence of any allegation of pecuniary loss.

Left unresolved by this decision, however, is the question of whether plaintiff can prove an injury that is substantial enough to result in liability under Section 349. Plaintiff will also have the burden to show that injury can be established for members of the class without engaging in individualized fact finding that would preclude certification of a plaintiff class.

Even so, this case demonstrates how allegations under state consumer protection statutes can, in some jurisdictions, provide a basis at the pleading stage to keep a privacy class action alive even in the absence of actual damages. In most other states — including, notably, California, as illustrated by the Google Street View case — actual damages requirements under state consumer protection laws pose an obstacle to maintaining such claims.

Ultimately, in most jurisdictions and for most causes of action, absence of damages will provide a strong defense against privacy class actions. Potential defendants should also bear in mind, however, that the potency of this defense can be enhanced by a proactive response to data breaches and potential invasions of customers' privacy. Businesses should consider adopting a rapid response plan to ensure prompt compliance with regulatory and statutory requirements in the event of a data breach. As part of such a plan, businesses may want to offer free credit monitoring services and other such support for affected individuals. Doing so will help retain customer goodwill while providing a defense against claims that there have been compensable injuries under any statute or cause of action, including Section 349.

Furthermore, even in the absence of dismissal, a fair and effective remediation program can also provide a defense against class certification by making it difficult for plaintiffs to meet their burden under Fed. R. Civ. P. 23(b)(3) to show that a class action provides a superior means of resolving a dispute. See, e.g., In the Matter of Aqua Dots Prods. Liab. Litig., No. 10-3847 (7th Cir. Aug. 17, 2011) (proposed class action was inferior to defendant's voluntary recall program because the class action would result in greater expenditure of resources and provide a smaller recovery to the class). In the end, prompt, efficient and thoughtful response to data breach and privacy issues will help reduce exposure to class action litigation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.