District Court Finds Allegations That Data Breach Exposed Publicly Available and Non-Sensitive Personal Information Sufficient for Article III Standing

Potentially signaling an expansion of the scope of constitutional standing in data breach cases, a district court in the Northern District of California recently held that the exposure of users’ non-sensitive, publicly available personal information may be sufficient to establish an injury-in-fact.[1]

Background: The decision was issued in a class action lawsuit brought against Facebook, alleging breach of contract, negligence, and violation of the California Unfair Competition Law, among other state law claims, based on a 2018 data breach.   The breach resulted from a coding vulnerability that allowed hackers to steal information from 15 million users.  Though the stolen information included usernames and basic contact information (i.e., phone numbers and email addresses), and in some cases also included users’ birthdates, hometowns, workplaces, education information, religious views, and prior activities on Facebook, the plaintiffs did not allege the breach of information traditionally considered sensitive, such as social security numbers or credit card information. In its motion to dismiss the complaint, Facebook argued that the named plaintiffs had not established Article III standing because they had not alleged any particularized injury: the stolen information was publicly-available, and the only potential injury was the minimal time spent deleting phishing emails.  The court rejected Facebook’s argument, holding that one plaintiff had adequately alleged two injuries: (i) the substantial risk of future identity theft and (ii) the lost time responding to the data breach.

Regarding the risk of identity theft, the court rejected Facebook’s argument that the plaintiff had not suffered an injury-in-fact because the breach involved no sensitive information.  Despite recognizing that all of the information was otherwise publicly available, the court nonetheless determined that information “need not be sensitive to weaponize hackers in their quest to commit further fraud or identify theft.”  In the court’s view, an “‘increased risk of identity theft’” can occur even when the stolen information is not traditionally sensitive personal information, because the proper inquiry is not “the minutia” of what information had been taken, but whether the data “gave hackers the means to commit fraud or identify theft.”

Here, the court viewed the stolen information as equivalent to sensitive information because it was “immutable,” personally identifying, and of a nature and amount to “provide further ammo . . . to g[i]ve hackers the means to commit fraud or identity theft.”  The public availability of the information was “irrelevant,” because “constructing this information from random sources bit by bit” would be difficult for hackers.  The court also inferred that the goal of the breach was to facilitate fraud and identity theft, emphasizing the plaintiff’s receipt of phishing emails and text messages after the breach, and the hackers’ use of searches to cull information from millions of users.

The court also held that the lost time spent responding to the data breach could constitute an economic injury.  Under the court’s reasoning, even de minimis time spent sorting through phishing emails could be sufficient based on an expectation that “[m]ore phishing e‑mails will pile up” over time.

Takeaway: Courts remain split over the threshold for alleging standing in data breach cases.  Although the Second, Fourth, and Eighth Circuits have determined that allegations based on the risk of future harm are insufficient, the D.C., Third, Sixth, Seventh, Ninth, and Eleventh Circuits have held that alleging a substantial risk of future harm is sufficient to satisfy the Article III injury requirements.  But the question remains—when are allegations of future harm too “speculative” to constitute an injury?  This month’s decision in Schmidt v. Facebook answered that the exposure of a sufficient amount of public, non-sensitive information may create a future risk of harm that is as substantial and imminent as the exposure of social security numbers because it makes social engineering attacks easier.  Should this decision gain traction among other courts, it would ease plaintiffs’ burden to establish standing in a broad array of data breach lawsuits.

Footnotes

[1] Schmidt v. Facebook, Inc., No. C 18-05982 WHA (JSC), 2019 WL 2568799 (N.D. Cal. June 21, 2019).

Disclaimer

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law.  PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.