Data Breach Class Action Standing in California

2014 was an interesting year in data breach litigation in California at both the federal and state levels.  As is always the case in data breach cases, the requirement of a cognizable harm or “standing” took center stage.  At the state level, data breach defendants scored a huge victory in the case of Sutter Health v. Superior Court.  In contrast, at the federal level, data breach plaintiffs scored big in the case of In re Adobe.

Sutter Health involved the increasingly common situation of a stolen computer from a hospital.  The computer contained millions of patient health records.  Patients filed a class action alleging violations of the Confidentiality of Medical Information Act (“CMIA”).  The Act prohibits the disclosure of patient records and provides for statutory damages of $1,000 per breach.  Doing the math, Sutter’s liability added up to $4 billion of exposure.  The trial court denied Sutter’s demurrer, resulting in an immediate appeal.

On appeal, Sutter argued that the mere allegation that a computer with patient data was stolen was not enough to allege standing.  Sutter advocated that the plaintiffs must allege that the health care data was actually accessed by someone.  Plaintiffs countered that the CMIA was a strict liability statute such that as long as a computer with the protected data was taken, a claim could be advanced.  Facing massive damages that could bankrupt a company, Sutter Health prevailed.  The Court of Appeal stated that the mere possession of the protected records was not enough but rather access of those records must be alleged.

While the state court reined in standing on data breach claims under the CMIA, the Northern District of California seemed to provide sanctuary to consumer class actions alleging various negligence theories in data breach cases.  In the case of In re Adobe, the Court found standing, allowing a massive class of 38 million customers to sue Adobe based upon a 2013 hack of Adobe’s servers.  The customers’ stolen personal information included credit cards, login IDs, passwords and expiration dates.  Nevertheless, the plaintiffs could not allege any actual misuse of this data.

In re Adobe says that doesn’t matter.  What matters, according to the Court, is the impending, almost certain misuse of the data.  The Court reasoned that the hacking attack was sophisticated and directly targeted Adobe’s servers and the personally identifiable information contained therein.  This differs from the stolen laptop scenario common in other data breach cases such as Sutter Health.  In those cases, courts, including the Adobe court, have reasoned that the computer itself was the impetus for the theft, not the data contained therein.  Of course, this is highly speculative, but that is the exercise courts often engage in when deciding standing issues.

Additionally, the Court found that the Supreme Court’s decision in Clapper v. Amnesty International USA did not abrogate previous Ninth Circuit law set forth in Krottner v. Starbucks, a 2010 case involving a stolen laptop from a Starbucks containing employee information.  In Krottner, the Court found standing because the plaintiffs were immediately in danger of sustaining some direct injury.

Expect to see plaintiffs’ class action firms set up camp in California’s Northern District for the next few years as it seems to be one of the only, if not the only, viable forum for consumer-based data breach class actions (excepting, of course, from this statement claims by banks against retailers such as the In re Target case).  In the meantime, we may see more bright lines drawn in the murky waters created by Clapper, Krottner and Adobe.