There are two kinds of companies. Those that have been hacked, and those that have been hacked but don’t know it yet.”
– Congressman Mike Rogers, Chairman of the House Intelligence Committee, 2011 Sony. Target. AT&T. Neiman Marcus. Michaels. J.P. Morgan Chase. Home Depot. What do these companies all have in common? These companies, along with countless others, have been the subject of a cyber-attack or data breach. And, consumers are taking these matters to the courts. As evidenced by the court’s ruling in In re Target Corporation Customer Data Security Breach Litigation, No. MDL 14-2522 (PAM/JJK), 2014 WL 7192478 (D. Minn. Dec. 18, 2014), courts are increasingly inclined to permit putative class actions to proceed beyond the motion to dismiss stage. Understanding the backdrop to the Target decision is important. In Clapper v. Amnesty International USA, the United States Supreme Court held that plaintiffs did not have Article III standing to challenge the Foreign Intelligence Surveillance Act of 1978, where they argued that there was a reasonable likelihood that their communications would be acquired in the future. 133 S. Ct. 1138, 1142 (2013). In addition, plaintiffs’ argument that they had standing because the surveillance has forced them to take “costly and burdensome measures to protect the confidentiality of their international communications” likewise did not confer standing because plaintiffs “cannot manufacture standing by incurring costs in anticipation of non-imminent harm.” Id. at 1143, 1155. Similarly, many data breach cases raise the same issue. Plaintiffs allege a hypothetical, future harm, not actual injury-in-fact. Thus, post Clapper, many courts have determined that alleging potential future harm from the data breach or increased monitoring costs of personal information is too speculative to support Article III standing. See, e.g., In re Science Applications International Corp., No. 12-347 (JEB), 2014 WL 185458, at *8-9 (D.D.C. May 9, 2014) (“Indeed, since Clapper was handed down last year, courts have been even more emphatic in rejecting ‘increased risk’ as a theory of standing in data-breach cases.”). While the Fifth Circuit has not yet applied Clapper to a data breach case, defense practitioners in the Fifth Circuit should be aware of its significance when arguing against standing in a data breach case. Despite Clapper, however, the court in In re Target Corporation Customer Data Security Breach Litigation (“_In re Target_”) permitted Plaintiffs to survive a motion to dismiss, noting that generally, Plaintiffs plausibly pleaded injury-in-fact. In re Target is a putative class action on behalf of consumers, alleging various causes of action against Target, arising out of the massive data breach in December 2013, which affected as many as 110 million Target customers. In re Target, 2014 WL 7192478, at *1. In the litigation, Target brought a motion to dismiss the class action, asserting that the plaintiffs lacked standing for the majority of the claims in the suit because plaintiffs failed to establish any injury. Id. While the court ultimately dismissed a small portion of the state law claims, the court denied the bulk of the motion to dismiss, concluding that plaintiffs “plausibly allege that they suffered injuries that are ‘fairly traceable’ to Target’s conduct,” including “unlawful charges, restricted or blocked access to bank accounts, inability to pay other bills, and late payment charges or new card fees.” Id. at *2. Significantly, the court determined that “at the motion-to-dismiss stage, Plaintiffs need only plausibly allege that they can establish the elements of standing.” Id. at *3. Thus, for cyber security class actions, In re Target will be the foundational case for class action plaintiffs to assert standing, providing a roadmap for future claims. And, should plaintiffs survive a motion to dismiss in a putative class action for a data breach case, the costs of litigation and the costs of settlement significantly increase. So, what can businesses do? Certainly your businesses must invoke all reasonable prophylactic security measures to protect your customers’ data. But does your company have a data breach response plan? Of course, you should always engage informed counsel to guide your data breach response. Cobb & Counsel has the experience to guide your company through a data breach response. As Texas Deputy Attorney General for Civil Litigation, Cobb protected consumer privacy interests, managing several data breach investigations and overseeing enforcement of the Texas Identity Theft Prevention Act. Cobb now advises companies regarding their duty to disclose data breaches and satisfy those obligations, and has counselled several clients through the various stages of a data breach response. Cobb has also litigated data breach cases, including the defense of a nationwide class action against a client whose customers’ credit card data was disclosed on Wikileaks by Anonymous hackers.