In In re Zappos.com, Inc., Customer Data Security Breach Litigation (9th Cir., Mar. 8, 2018), the U.S. Court of Appeals for the 9th Circuit issued a decision that represents a more expansive way to understand data security harm. The case arises out of a breach where hackers stole personal data on 24 million+ individuals. Although some plaintiffs alleged they suffered identity theft as a result of the breach, other plaintiffs did not. The district court held that the plaintiffs that hadn’t yet suffered an identity theft lacked standing.
Standing is a requirement in federal court that plaintiffs must allege that they have suffered an “injury in fact” — an injury that is concrete, particularized, and actual or imminent. If plaintiffs lack standing, their case is dismissed and can’t proceed. For a long time, most litigation arising out of data breaches was dismissed for lack of standing because courts held that plaintiffs whose data was compromised in a breach didn’t suffer any harm. Clapper v. Amnesty International USA,568 U.S. 398 (2013). In that case, the Supreme Court held that the plaintiffs couldn’t prove for certain that they were under surveillance. The Court concluded that the plaintiffs were merely speculating about future possible harm.
Early on, most courts rejected standing in data breach cases. A few courts resisted this trend, including the 9th Circuit in Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010). There, the court held that an increased future risk of harm could be sufficient to establish standing.
In ACLU v. NSA, –F.3d — (6th Cir. 2007), a panel from the 6th Circuit held that the ACLU and other plaintiffs lacked standing to challenge the Bush Administration’s warrantless wiretapping program conducted by the National Security Agency (NSA). NYT coverage is here. According to the sketchy details known about the program, the court noted, “it has been publicly acknowledged that the TSP [the Terrorist Surveillance Program, as it has now been named by the Administration] includes the interception (i.e., wiretapping), without warrants, of telephone and email communications, where one party to the communication is located outside the United States and the NSA has ‘a reasonable basis to conclude that one party to the communication is a member of al Qaeda, affiliated with al Qaeda, or a member of an organization affiliated with al Qaeda, or working in support of al Qaeda.”
The plaintiffs are “journalists, academics, and lawyers who regularly communicate with individuals located overseas, who the plaintiffs believe are the types of people the NSA suspects of being al Qaeda terrorists, affiliates, or supporters, and are therefore likely to be monitored under the TSP.” The plaintiffs claimed that the NSA wiretapping violated, among other things, the First Amendment, Fourth Amendment, and the Foreign Intelligence Surveillance Act (FISA).
According to Judge Batchelder’s opinion, the plaintiffs could not establish standing because they could not directly prove that they were subject to surveillance. One of the problems with the court’s reasoning is that there is little way for the plaintiffs to find out more specific information about whether particular plaintiffs’ phone calls have been wiretapped. As a result, the government can violate the plaintiffs’ First and Fourth Amendment rights with impunity if they cannot ever learn enough to gain standing to challenge the surveillance.