Chapter 4A

Standing after TransUnion

ARCHIVED UPDATES TO THE FIRST EDITION, LISTING CASES ON STANDING AFTER TRANSUNION, INCORPORATED INTO CHAPTER 4 OF THE SECOND EDITION

Data Breach Standing Cases after TransUnion

As noted in the updates to Chapter 4, the Supreme Court’s June 2021 decision in TransUnion v. Ramirez seemed to represent an important shift in standing doctrine for data breach cases when the Court said that, “in a suit for damages, the mere risk of future harm, standing alone, cannot qualify as a concrete harm.” However, as lower courts respond to TransUnion, the picture is not clear at all. In fact, in a number of cases, the lower courts have found that standing has been established, including based on risk of future harm. This new chapter will compile a running list of standing cases. See also Jim Dempsey, US Courts Mixed on Letting Data Breach Lawsuits Go Forward, IAPP (March 9, 2022); Jim Dempsey, Third Circuit shows how to establish standing in data breach cases, IAPP (Sept. 9, 2022).

Cases Dismissed for Lack of Standing after TransUnion:

  • I.C. v. Zynga, Inc., 600 F. Supp. 3d 1034 (N.D. Cal 2022): Plaintiffs argued that they had alleged invasions of privacy bearing a close relationship to harms caused by the common law torts of disclosure of private facts and intrusion upon seclusion. However, the court noted, citing the Restatement (Second) of Torts, that an element of both torts is the disclosure of or intrusion upon matters of a kind that would be “highly offensive to a reasonable person.” The court then concluded that the data elements compromised in this case – email addresses, phone numbers, Zynga usernames, Zynga passwords, and Facebook usernames – were not so private that their revelation would be highly offensive to a reasonable person. Id. at 1049. Therefore, there was an insufficient fit with the common law privacy tort and, therefore, no standing.

    Plaintiffs tried to argue a version of risk of harm. However, the court said that TransUnion required that a risk of harm must either materialize or cause some other injury in order to confer standing in a suit for damages. The court said that claims of credential stuffing, phishing attacks, and various forms of spam may have been attempts to commit identity theft, but they fell short of actual identity theft and thus did not suffice. The complaint, the court stressed, did not allege that any of the plaintiffs actually experienced any type of fraud or identity theft as a result of the data breach, such as the unauthorized access of an account, an unauthorized transaction made in their name, or the unauthorized establishment of accounts. 

    The court also rejected a number of other injuries that were cited as grounds for standing independent of future harm: credential stuffing; phishing attacks; unsolicited emails, text messages, robocalls and other spam; mitigation costs (risk of harm was too conjectural); emotional distress (same); and diminution in value of the information taken. Notably, the court  found “implausible” allegations that the compromised information was susceptible to fraudulent use by way of phishing attacks and credential stuffing – “based on a chain of unsupported inferences.” 

  • Kim v. McDonald's USA, No. 1:21-cv-05287 (N.D. Ill. Sept. 27, 2022): Hackers stole McDelivery users’ delivery addresses, phone numbers, and email addresses. One plaintiff alleged an uptick in spam. Another received frequent notifications of unauthorized attempts to login to his email account. A third alleged receiving a phishing attempt. The court rejected standing based on increased risk of becoming the victims of phishing scams and identity theft in the future, relying on the conclusion that the data stolen was not sensitive. The court cited and distinguished pre-TransUnion Seventh Circuit cases, Remijas and Lewert, which involved stolen credit card information that led to plaintiffs experiencing actual fraud. In contrast, "the harm Plaintiffs claim here remains too attenuated and speculative given the non-sensitive nature of the information stolen in the data breach." The court cited multiple pre-TransUnion district court opinions dismissing claims where the data involved was not sensitive. The court also rejected standing based on time spent monitoring for and removing unwanted spam and phishing emails, time spent contacting defendants about the data breach, and time spent filing a proactive police report: “mitigation expenses qualify as ‘actual injuries’ only when the harm is imminent,”quoting Lewert, and “plaintiffs cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending,” quoting Clapper. The court also found that plaintiffs’ allegations that they experienced mental aggravation, anxiety, and emotional distress from the data breach were insufficient to provide standing under Article III, as such emotional injuries constitute “quintessential abstract harms that are beyond” a court’s power to remedy. It also ruled that the mere disclosure of the type of information at issue did not bear “a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American Courts.” The closest analog was the tort of publicity to private life, but that was not relevant, because the information at issue (delivery addresses, phone numbers, and email addresses) wasn't really private. Finally, the court held that any violation of Korea’s Personal Information Privacy Act was a bare procedural violation insufficient to support Article III standing.

  • Aponte v. Northeast Radiology, P.C., 21 CV 5883 (VB) (S.D.N.Y. May 16, 2022): While stating that plaintiffs “need not wait until they suffer identity theft to bring their claims,” the court put great weight on the fact that plaintiffs had not alleged that third parties misused or attempted to misuse their data. Moreover, because plaintiffs did not allege they were members of the group of twenty-nine patients whose information was determinedly accessed, “allegations that [their] personal information was even accessed is conjecture.” This seemed to decide the case. However, the court went on to apply the McMorris factors (while stating that it is unclear whether McMorris is still good after TransUnion). But even under the McMorris factors, the court held, plaintiffs’ risk of future harm is too speculative to establish standing. Once that is decided, efforts and expense to monitor their accounts are only manufactured injury. And in the absence of misuse of their data, there is no lost benefit of the bargain. Plaintiffs also claimed that they suffered an injury-in-fact through defendants’ intrusion upon their seclusion. While intrusion upon seclusion is one of the “traditionally recognized harms” that may comprise an injury-in-fact under TransUnion, it was not the defendants who improperly accessed plaintiffs’ data, but instead other, unauthorized third parties. Therefore, the court concluded, plaintiffs had not identified a close historical or common-law analogue to the alleged injuries they suffered from defendants’ actions.

  • C.C. v. Med-Data Inc., 2022 U.S. Dist. LEXIS 60555, 2022 WL 970862 (D. Kan. March 31, 2022). The district court, in a lengthy opinion, kept coming back to its conclusion that “plaintiff never alleges that anyone has misused her data.” “A mere compromise of personal information, without more, fails to satisfy the injury-in-fact element in the absence of an identity theft.” Relying both on pre-TransUnion cases and on TransUnion itself and post-TransUnion cases, the court quoted Legg v. Leaders Life Ins. Co., CIV-21-655-D, 2021 U.S. Dist. LEXIS 232833, 2021 WL 5772496, at *4 (W.D. Okla. Dec. 6, 2021) for the proposition that, “where no allegations of misuse are present, circuit courts have generally declined to find standing.”  The court did not read TransUnion as shutting the door completely on risk of future harm, quoting instead from McMorris, 995 F.3d 295, 301: “Though a data breach plaintiff may establish standing on the basis of an increased risk of identity theft or identity fraud, plaintiff still must allege facts to show that risk ‘is sufficiently concrete, particularized, and imminent.’” The court found that plaintiff’s theories of future injury were too speculative, even for a claim seeking purely injunctive relief. Having reached that conclusion, the court, like others, rejected mitigation costs as manufactured harm. The court also rejected standing based on the lost benefit of the bargain, deeming plaintiff’s theory of overpayment as too flimsy. Finally, it rejected standing based on an invasion of privacy tort theory—specifically, public disclosure of private facts. Plaintiff had alleged that her data was uploaded to a public facing website. But the court held that, even if this upload qualifies as the requisite "publicity" for a public disclosure of private facts claim, plaintiff hasn't alleged a concrete harm resulted from this publicity. She hasn't alleged any harm to her reputation from the alleged breach. Hence no standing. The court remanded the case to state court, where it had originated.

  • In re PracticeFirst Data Breach Litigation, 1:21-CV-00790 (JLS/MJR) (W.D.N.Y. Feb. 2, 2022). In a ransomware incident where the attacker copied names, dates of birth, Social Security numbers, medical diagnoses, passwords, bank account information, credit card numbers, and other sensitive data, a magistrate judge recommended against standing. According to the court, TransUnion instructed that a plaintiff must allege both a risk of future harm that is “actual and imminent” or “certainly impending” as well as a separate concrete harm that is caused by exposure to the imminent risk and is proportional to the actual likelihood of the future harm occurring. To make that assessment, the court applied the McMorris factors, but first it said that it need not specifically determine whether McMorris applied in the same manner as it did before TransUnion, because it still found an insufficient showing of imminent or impending harm to confer standing. Focusing on the first factor, the court found that the complaint failed to plausibly allege that the breach was a targeted attempt to expose or copy plaintiff’s data for purposes of ID theft or other fraud: “the primary purpose of a ransomware attack is the exchange of money for access to data, not identity theft.”

    [Note on ransomware: There seems to be a trend, which started before TransUnion, towards denying standing in ransomware cases. Other cases finding no standing arising out of ransomware attacks include Graham v. Universal Health Serv., 2021 U.S. Dist. LEXIS 93075 (E.D. Pa. May 17, 2021); Quintero v. Metro Santurce, Inc., 2021 U.S. Dist. LEXIS 237071 (D. P.R. Dec. 9, 2021); and Travis v. Assured Imaging LLC, 2021 U.S. Dist. LEXIS 89129 (D. Ariz. May 10, 2021). But see Gaddy v. The Long & Foster Cos., No. 21-2396 (RBK)(EAP) (D.N.J. Feb. 10, 2023) (standing granted in ransomware case).]

    The PracticeFirst court also was swayed by plaintiffs’ failure to allege that any of the compromised data had been misused. Allegations of an increase in spam, it said, are insufficient to allege injury in fact, citing earlier cases.

    The court quickly rejected the plaintiffs’ other theories: In the absence of an imminent or substantial risk of harm, costs such as monitoring their accounts more closely could not create a concrete injury. Loss of value in their personal information didn’t work, because plaintiffs did not allege that they had tried to sell their information and were forced to accept a lower price, nor did they allege any details as to how their specific information had been devalued as a result of the breach. The court rejected attempts by plaintiffs to base standing on a violation of their privacy rights, because (a) there had been no disclosure to the public and (b) plaintiffs had failed to demonstrate any concrete or particularized injury associated with the disclosure. Finally, it rejected the lost benefit of the bargain theory, citing other cases.

  • Cooper v. Bonobos, 21-CV-854 (JMF), 2022 U.S. Dist. LEXIS 9469 (S.D.N.Y. Jan. 19, 2022). The court focused on the Second Circuit’s decision in McMorris. It relegated TransUnion to a footnote, saying that it was the task of the Second Circuit to decide if McMorris should be overturned in light of the Supreme Court case. Applying the McMorris factors, the district court noted that the plaintiff was weak on the second factor, because he had not alleged that any of his accounts or the accounts of any other Bonobos customers had been compromised nor had he alleged that he had used his Bonobos password on other sites. But the third factor doomed his case, because the type of data exposed (name, address, email address, order history, IP address, encrypted password and the last four digits of his credit card number) was not susceptible to misuse.

    The court also rejected four other standing theories advanced by the plaintiff. It held that the time spent on credit monitoring and the money spent for a credit repair and protection service and a robocall blocking app did not qualify as a present-day injury, but rather were “manufactured” costs given the lack of real risk; that the plaintiff, by failing to allege that he intended to sell his personal information or that anyone would have bought it as a stand-alone product, could not claim diminution in the value of his private information; that unsolicited calls or emails allegedly linked to the breach did not constitute injury in fact; and that allegations about the risk and prevalence of credential stuffing did not suffice in the absence of an allegation that the plaintiff himself was subject to the tactic.

  • Legg v. Leaders Life Ins. Co., No. 21-655, 2021 U.S. Dist. LEXIS 232833 (W.D. Okla. Dec. 6, 2021). The court held that plaintiffs’ allegations of general risks of harm did not suffice. The receipt of phishing emails, while perhaps “consistent with” data misuse, does not “plausibly suggest” that any actual misuse of plaintiff's personal identifying information had occurred).

    [Note on phishing, spam and unsolicited calls: Other cases before and after TransUnion have held that unsolicited calls or emails alone did not give rise to standing: I.C. v. Zynga, Inc., 600 F. Supp. 3d 1034, 1051 (N.D. Cal 2022); Cooper v. Bonobos, 21-CV-854, 2022 U.S. Dist. LEXIS 9469 (S.D.N.Y. Jan. 19, 2022); Travis v. Assured Imaging LLC, 2021 U.S. Dist. LEXIS 89129 at *19  (D. Ariz. May 10, 2021) (a dramatic increase in targeted spam phone calls after ransomware attack did not constitute an injury for purposes of standing); Jackson v. Loews Hotels, Inc., No. 18-cv-827 (DMG), 2019 U.S. Dist. LEXIS 124525, 2019 WL 6721637, at *4 (C.D. Cal. July 24, 2019) (“receiving spam or mass mail does not constitute an injury”); Cherny v. Emigrant Bank, 604 F. Supp. 2d 605, 609 (S.D.N.Y. Mar. 12, 2009) (“The receipt of spam by itself... does not constitute a specific injury entitling [plaintiff] to compensable relief.”); Gordon v. Virtumundo, Inc., 06-0204, 2007 U.S. Dist. LEXIS 35544 (W.D. Wash. May 15, 2007) (the harm suffered “must rise beyond the level typically experienced by consumers - i.e., beyond the annoyance of spam.”). ]

  • Burns v. Mammoth Media, Inc., 2021 U.S. Dist. LEXIS 149190 (C.D. Cal. Aug. 6, 2021). The district court never even cited TransUnion. Without expressly saying whether risk of future harm could give rise to standing, it focused instead on a declaration submitted by the defendant stating that the stolen data was essentially useless for identity theft plus the plaintiff’s failure to produce any facts rebutting the defendant’s  declaration. The court held that, based on the pleadings and affidavits, the information stolen was harmless and could not possibly have caused the risk of identity theft, fraud, and attendant harms alleged in the complaint.

 Cases Finding Standing after TransUnion

  • Gaddy v. The Long & Foster Cos., No. 21-2396 (RBK)(EAP) (D.N.J. Feb. 10, 2023): In a ransomware case, the court found standing where plaintiff alleged unauthorized charges on her credit card. “[I]t is irrelevant that Ryan was able to cancel her credit cards and was reimbursed for the fraudulent charges both times. … Misuse of financial information is a cognizable, intangible injury that, even without financial loss, is sufficient to confer standing.” The court also found that the opening of an unauthorized account under plaintiff’s name on a dating site sufficed to generate standing, even if the plaintiff did not incur any charges.

    The court also considered traceability. It concluded that the nature of the allegedly stolen PII supported a causal connection between the data breach and the unauthorized opening of an online dating profile with the plaintiff's identity. And even though the plaintiff had not alleged that any credit card data was compromised, and one of the charges was on a card that did not even exist at the time of the breach, the court found that it was plausible that malicious actors could have used plaintiff’s PII to fill in the blanks of her financial accounts and obtain her credit card numbers. “This issue is better left for investigation during discovery than on a motion to amend, without the benefit of factual findings and expert reports. Therefore, the Court finds that the two credit card charges also give Plaintiff standing.” Although one of the fraudulent charges occurred twelve months and the other twenty-two months after the data breach, the court found that this passage of time did not break the chain of “but for” causation required for traceability. 

  • Clemens v. ExecuPharm Inc., 48 F.4th 146 (3rd Cir. 2022): The holding is worth quoting in full:

    “Following TransUnion’s guidance, we hold that in the data breach context, where the asserted theory of injury is a substantial risk of identity theft or fraud, a plaintiff suing for damages can satisfy concreteness as long as he alleges that the exposure to that substantial risk caused additional, currently felt concrete harms. For example, if the plaintiff’s knowledge of the substantial risk of identity theft causes him to presently experience emotional distress or spend money on mitigation measures like credit monitoring services, the plaintiff has alleged a concrete injury.”

    The Third Circuit applied a three part test: (1) Is the risk of future identity theft or fraud sufficiently imminent? The Clemens court relied on pre-TransUnion cases, including McMorris, in making that assessment. (2) Is the harm concrete? Citing TransUnion, the Third Circuit said the key consideration in assessing concreteness is whether the asserted harm has a “close relationship” to a harm traditionally recognized as providing a basis for a lawsuit in American courts. The Clemens court found that the harm involved (substantial risk of identity theft or fraud) was indeed “sufficiently analogous to harms long recognized at common law like the ‘disclosure of private information.’” (3) Had the plaintiff alleged separate harms, in addition to substantial risk, that would qualify as concrete? Yes, it found, Clemens had alleged several additional concrete harms that she had already experienced as a result of that risk (that is, her emotional distress and related therapy costs and the time and money involved in mitigating the fallout of the data breach). Thus the decision fits well into TransUnion’s suggestion that there would be standing where “the exposure to the risk of future harm itself causes a separate concrete harm.”

  • Rand v. The Travelers Indemnity Co., no. 7:21-cv-10744 (S.D.N.Y. Oct. 26, 2022): One or more unauthorized parties improperly used the credentials of Travelers insurance agents to access Travelers’s agency portal and thereby obtained driver’s license numbers and other identifying information. Plaintiff asserted claims under the federal Driver’s Privacy Protection Act (DPPA) and Section 349 of the New York State General Business Law, as well as state law claims for negligence and negligence per se. The court held that the plaintiff had adequately pleaded injuries-in-fact in the form of a loss of privacy, as well as the harm incurred by attempting to mitigate existing and future identity theft. Citing TransUnion, the court held that the loss of privacy arising out of the data breach, against which the DPPA was intended to protect, bears a sufficiently “close relationship” to the tort of public disclosure of private information, recognized at common law. The court acknowledged that the facts of the case did not closely fit with the traditional privacy tort, which applies when one gives publicity to a highly offensive matter concerning someone’s private life, but the court noted that TransUnion made it clear that the common-law analogue need not be an “exact duplicate.” Separately, the court concluded, based on the first and third McMorris factors, that plaintiff’s risk of future identity theft was sufficiently imminent and substantial such that the costs incurred to mitigate that risk constitute an independent injury-in-fact.

  • Bohnak v. Marsh & McLennan, 1:21-CV-06096 (S.D.N.Y. Jan. 17, 2022). Early on in the opinion, the court said that it was holding that “under the Supreme Court’s latest pronouncement in TransUnion, Plaintiffs cannot allege a concrete injury relying solely upon a future risk of harm; however, Plaintiffs may, and do, plausibly allege that the exposure to the risk of identity theft causes concrete injury, and thus, have Article III standing.” The second half of that seems to contradict the first half, but the court’s reasoning becomes clear as it goes on to say that it is finding standing because, “exposure to identity theft itself ‘causes a separate concrete harm,’” quoting TransUnion. The court concluded its standing analysis by holding that “Plaintiffs have alleged an intangible concrete injury, analogous to that associated with the common-law tort of public disclosure of private information, and therefore have Article III standing.” 

    However, the standing victory was short-lived: the court went on to find that the plaintiffs had not adequately alleged damages and therefore it granted dismissal for failure to state a claim.  “I hold that Plaintiffs’ failure to plausibly allege damages is fatal to their request for monetary damages, and their failure to plausibly allege irreparable injury fatal to their request for injunctive relief.”

  • In re Am. Med. Collection Agency, Inc. Customer Data Sec. Breach Litig., 2021 U.S. Dist. LEXIS 240360, 2021 WL 5937742 (D. N.J. Dec. 16, 2021). Citing TransUnion, the district court granted standing to one group of plaintiffs on a very expansive theory: that the compromise of data alone gives rise to standing. “[I]ntangible harms are sufficiently ‘concrete’ to establish an injury-in-fact where they share a ‘close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts.’ TransUnion, 141 S. Ct. at 2204.” The court went on to say, again citing TransUnion, “A plaintiff who suffers a wrongful disclosure need not additionally demonstrate misuse resulting in economic harm.” The court also found standing for plaintiffs who had experienced fraudulent charges, but for these plaintiffs too the court’s reasoning seemed expansive: “The fraudulent charges identified by [this group of] Plaintiffs permit the inference that their specific information has been accessed and misused. Therefore, at a minimum, they have suffered the actionable intangible harm of the wrongful use and dissemination of their private information, like the interests protected by common law privacy torts. See TransUnion, 141 S. Ct. at 2208.” However, the court found no standing for plaintiffs who had failed to allege with particularity that their data had been compromised. Plaintiffs in that third category cited four theories: (1) an increased risk of future identity theft; (2) expenses incurred to prevent future identity theft; (3) the allegedly diminished value of their Personal Information; and (4) a lost "benefit of the bargain" regarding the services purchased from Defendants. None of these, the court found, provided a sufficient injury-in-fact given the fundamental defect in these plaintiffs’ allegations (that is, no allegation that their data in particular had been compromised).

  • Griffey v. Magellan Health Inc., No. CV-20-01282-PHX-MTL, 2021 U.S. Dist. LEXIS 184591, 2021 WL 4427065 (D. Ariz. Sep. 27, 2021). In a relatively brief discussion concluding that victims of a data breach had adequately establishing standing, the district court cited TransUnion for the proposition that “’disclosure of private information’ is one of many ‘[v]arious intangible harms’ that satisfy Article III standing.” It’s not clear whether the court was basing standing on the disclosure itself or on the “certainly impending” risk of future harm.

  • Cotter v. Checkers Drive-In Restaurants, Inc., No. 8:19-cv-1386-VMC-CPT, 2021 U.S. Dist. LEXIS 160592, 2021 WL 3773414 (M.D. Fl. Aug. 25, 2021). The court, in finding that there was standing, distinguished TransUnion: “TransUnion does not eviscerate [plaintiffs’] standing because (1) TransUnion involved a suit for statutory damages, not compensatory damages as here, or in the alternative, (2) TransUnion was decided at a different phase of litigation. The parties did not cite, and the Court did not locate in its own research, any cases applying TransUnion’s principle to a claim for compensatory damages or to a case in an early pleadings stage. Thus, without further guidance from the Supreme Court or the Eleventh Circuit on this issue, the Court concludes that these facts take the instant matter outside of TransUnion’s reach.”

    The district court, relying heavily on a pre-TransUnion Eleventh Circuit decision, Tsao v. Captiva MVP Restaurant Partners, LLC, 986 F.3d 1332 (11th Cir. 2021), went on to hold that the declarations submitted by the plaintiffs showing that at least some members of the proposed class had incurred fraudulent charges and suffered out-of-pocket expenses constituted specific evidence of some misuse of the class members' data, which is sufficient to demonstrate that all class members face a substantial risk of identity theft or fraud. The district court favorably cited some very pre-TransUnion language from McMorris: “requiring plaintiffs to allege that they have already suffered identity theft or fraud as the result of a data breach would seem to run afoul of the Supreme Court's recognition that ‘an allegation of future injury may suffice’ to establish Article III standing ‘if the threatened injury is certainly impending, or there is a substantial risk that the harm will occur.’”

  • In re GE/CBPS Data Breach Litigation No. 1:20-cv-02903-KPF, 2021 WL 3406374 (S.D.N.Y., Aug. 4, 2021). The case arose out of a breach of an email account maintained by Canon Business Process Services, which resulted in an unauthorized third party gaining access to personally identifiable information of current and former GE employees held by Canon. While the defendants argued that TransUnion was relevant because the Supreme Court had rejected the risk of future harm theory proffered by the plaintiffs, the district court essentially ignored the Supreme Court decision. Instead, the court quoted McMorris (quoting Susan B. Anthony List v. Driehaus, 573 U.S. 149 (2014)) for the proposition that a future injury may support standing only if “the threatened injury is certainly impending, or there is a substantial risk that the harm will occur.” 

    The court found that the first and second McMorris factors pointed “strongly” in favor of standing. First, the complaint alleged that the data breach was the result of a phishing attack — in other words, a “targeted attempt to obtain” the GE employee data held by Canon.  Second, although the plaintiff did not allege that he himself had yet experienced identity theft as a result of the breach, he did allege that he had received phishing and scam emails and phone calls, and, further, the complaint alleged that other proposed class members had already suffered identity theft, fraud, and abuse. As to the third factor, sensitivity of the data, the court stated that even an individual’s email address, mailing address, telephone number, and employment information can “provide further ammo” to nefarious actors. “Thus, while the third factor does not support Plaintiff's claim to standing as strongly as do the first two, it also does not undermine it.”

  • Mackey v. Belden, Inc., 2021 U.S. Dist. LEXIS 145000 (E.D. Mo. Aug. 3, 2021).The opinion does not cite TransUnion at all and it is unclear whether it ultimately relies on risk of future injury. The opinion started by citing Clapper for the proposition that future injury can be sufficient to establish standing if such injury is “clearly impending” or there is a “substantial risk the harm will occur.”  It then noted that the stolen information included Mackey’s social security number and that individuals appeared to have already used this information to attempt to file a tax return on her behalf. The court then said that there was standing: “The Court finds that injury is clearly imminent where PII including social security numbers has been stolen by hackers and unauthorized persons have already attempted to use such information to falsely file a tax return on a plaintiff's behalf.” The court went on to also find that Mackey suffered actual injury when she spent hours speaking with TurboTax regarding the false tax return. Finally, the court noted that the plaintiff had also alleged that she “spent and continues to spend additional time reviewing her credit monitoring service results.” This, the court said, was not manufactured injury: “her data was stolen by sophisticated hackers, and she claims to have taken necessary and appropriate action to prevent further damages.  This Court finds that Mackey suffered injury in fact by expending time and resources in responding to an actual attempted identity theft.”

  • Mastel v. Miniclip SA, 2021 U.S. Dist. LEXIS 132401 (E.D. Cal. July 15, 2021) was not a data breach case, but rather concerned the interaction between the Apple iPhone Pasteboard feature and a gaming app. The case is cited here because it illustrates the potential relevance of the privacy right under California’s state constitution. (Most states do not have a constitutional right to privacy that applies to private entities.) Plaintiff alleged that the gaming app illegally copied and saved text the plaintiff had copied into Pasteboard, in violation of his right to privacy under the California Constitution. The court found that there was standing based just on the allegation that the app maker had accessed data copied into Pasteboard, even though there was no allegation that the app developer had further disseminated the information.  The court found that TransUnion was distinguishable and did not foreclose standing, because TransUnion involved a fundamentally different type of alleged injury. TransUnion, the court said, concerned a violation of a statute that the Supreme Court analogized to the common law tort of defamation. Because publication is essential to liability in a suit for defamation, the Supreme Court held that the plaintiffs whose data had not been published (disclosed to a third party) had no standing. By contrast, the Mastel court said, the closest historical analogue to plaintiff's invasion of privacy claim under the California Constitution is not defamation, but other invasion of privacy torts such as intrusion upon seclusion. These claims, the court noted, have long been actionable at common law. The court cited Facebook Tracking, 956 F.3d at 598: “The Ninth Circuit has expressly noted that, because the right to privacy ‘encompasses the individual's control of information concerning his or her person,’ allegations that a company has violated a plaintiff's right to privacy under the California Constitution by collecting personal information without the plaintiff's consent involve a sufficiently ‘concrete’ injury, even if there are no additional allegations of publication, because the invasion itself causes harm to the plaintiff's interest in controlling the information.”

  • In re Blackbaud, Inc., Customer Data Breach Litigation, 2021 U.S. Dist. LEXIS 123355 (D.S.C. July 1, 2021). Considering a 12(b)(1) motion to dismiss, the court distinguished TransUnion on the ground that the Supreme Court decision came after a jury trial and did not apply at the earliest stages of a case. The court’s discussion of TransUnion was confined to a footnote. It focused on the portion of TransUnion where, “[a]fter examining the evidence presented at trial, the Supreme Court concluded that some of the plaintiffs failed to ‘factually establish’ that their risk of future harm materialized into a sufficient ‘concrete’ harm to satisfy the injury in fact requirement.” The district court went on to say:

    • At the pleading stage, general factual allegations of injury resulting from the defendant's conduct may suffice, for on a motion to dismiss [courts] ‘presum[e] that general allegations embrace those specific facts that are necessary to support the claim.’” …  Since the court must rely on the pleadings to resolve the instant Motion, the court is not in a position to discern whether Plaintiffs have “factually establish[ed]” that their alleged risk of future harm materialized into a sufficient “concrete” harm as held in Ramirez. …  Such an inquiry may be appropriate after a proceeding on the merits but it is not proper at this juncture. Plaintiffs should have the benefit of discovery before being required to “factually establish” their injuries. Id. 

  • Note that thirty-one of the thirty-four named plaintiffs asserted that they had experienced actual identity theft or fraud as a result of the cyberattack.


Last updated: Feb. 22, 2023.

Photo: “The Allegory of Good Government," by Ambrogio Lorenzetti, 1338, Museo Civico, Siena, (c) Erik Törner, CC BY-NC-SA 2.0.