Plaintiffs presenting a claim in federal court must have standing to sue, under Article III of the Constitution (as we have written about in the past). The Second Circuit recently entered an order reminding plaintiffs, defendants, and their attorneys just how difficult overcoming the standing hurdle can be for individuals suing in the wake of a data breach.
In Whalen v. Michaels Stores, a putative class action plaintiff sued Michaels for what the store termed a possible data breach affecting its credit card systems in 2014. Whalen asserted that (1) her credit card information was stolen and used twice for fraudulent purposes, (2) she faced a risk of future identity fraud, and (3) she lost time and money resolving the attempted fraudulent charges and monitoring her credit. The appellate panel rejected these theories as insufficient to give her (or the class) standing, reasoning that “Whalen does not allege a particularized and concrete injury suffered from the attempted fraudulent purchases,” and that she “pleaded no specifics about any time or effort that she herself has spent monitoring her credit.”
While consumers class action claims in federal courts are not doomed before they start — certainly, some courts have articulated rules that seem to be more permissive in what plaintiffs must plead when they bring claims arising from data breaches — as a rule, since the Supreme Court case Clapper v. Amnesty International, 133 S. Ct. 1138 (2013), plaintiffs must plead more than the mere risk of future harm.
Whalen and similar cases are not just of academic interest. The case is an important reminder to companies worried about data breaches that good policies and swift action (to notify consumers, offer credit monitoring, and notify law enforcement) can protect consumers, minimize harm, and thus reduce litigation risk.