Cases Flashcards
1
Q
Clapper v. Amnesty International, 568 U.S. 398 (2013)
A
- No standing
- Summary judgment
- Sets standard!
- No standing because too attenuated; involved a federal statute for wiretapping overseas people who Amnesty Int’l lawyers occasionally had to speak to; required several independent actors to make sequential decisions
- Sets forward the “certainly impending” standard, but contemplated the substantial risk
- Susan B. Anthony List (2014) sets forward the substantial risk standard
2
Q
In re Zappos, 888 F.3d 1020 (9th Cir. 2018)
A
- Found standing
- Motion to Dismiss
- Names, account numbers, phone #s, CC #s
- 24 million customers
- No actual ID theft among this class; harm purely based on the breach
- “injury in fact based on a substantial risk that the Zappos hackers will commit identity fraud or identity theft”
3
Q
Attias v. Carefirst, 865 F.3d 620 (D.C. Cir. 2017)
A
- Found standing
- Motion to dismiss
- Names, birthdates, email addresses, SSNs, CCs
- Relies on Remijas; no actual identity theft
- “A3 standing doesn’t require the defendant be the most immediate cause, or even a proximate cause; just that it be fairly traceable.”
- Members of the other putative class from the same breach had experienced identity theft
4
Q
In re Horizon Healthcare, 846 F.3d 625 (3d Cir. 2017)
A
- Found standing; statutory claim under FCRA
- Facial, not factual, challenge to standing
- “FCRA: remedy for unauthorized transfer of personal information”
- At least one class member had experienced identity theft: false tax return filed, and a fraudulent CC use
5
Q
Galaria v. Nationwide Mutual, 663 F. App’x 384 (6th Cir. 2016)
A
- Found standing
- Motion to dismiss
- Names, DOBs, marital status, gender, jobs, SSN, DL #s
- Uses “substantial risk,” not “certainly impending”
- Courts applying have narrowed the decision
- No actual harm
6
Q
Remijas v. Neiman Marcus, 794 F.3d 688 (7th Cir. 2015)
A
- Found standing
- Motion to dismiss
- Customers had incurred fraudulent charges!
- 9200 of 350,000 cards were used fraudulently
7
Q
Krottner v. Starbucks, 628 F.3d 1139 (9th Cir. 2010)
A
- Found standing
- Motion to dismiss
- Data on a stolen laptop; more clearly shows malicious intent
- Stolen but not misused—seems to be a CA9 thing
8
Q
Pisciotta v. Old National Bancorp, 499 F.3d 629, 634 n.3 (7th Cir. 2007)
A
- Used in majority (decision in Dashon’s favor) to compare data breach to toxic substances
- To distinguish, rely on ability of science to more accurately measure exposure & likelihood of actualized harm
9
Q
Friends of the Earth v. Gaston Copper, 204 F.3d 149, 160 (4th Cir. 2000)
A
- Also used to compare to environmental harm
- Distinguish using ability of science to more accurately measure likelihood of harm
- Also rely on the fact that we don’t know the ID of the hackers, so we can’t judge their malicious intent
10
Q
In re OPM, 928 F.3d 42 (D.C. Cir. 2019)
A
- Found standing
- Motion to dismiss
- Distinguish on NatSec grounds—this was a gov’t agency protecting SSNs, birthdates, addresses, fingerprints, etc. of “a staggering number” of gov’t employees
- Capacity for blackmail
11
Q
Resnick v. AvMed, 693 F.3d 1317 (11th Cir. 2012)
A
- Found standing
- Motion to dismiss
- Only used in majority for “fairly traceable”
- Traceability here was because laptops were stolen—here, data could come from a different breach
12
Q
In re SuperValu, 870 F.3d 763 (8th Cir. 2017)
A
- Found standing despite no substantial risk of ID theft
- Motion to Dismiss
- “Crucial to the outcome” was that one plaintiff experienced a fraudulent charge shortly after shopping at a particular SuperValu location
- Notes that cases finding standing turned on the facts of each case, not on a unifying principle
- Study: of 24 largest breaches over a 6 year period, only 4 resulted in any form identity theft
- Only upheld standing for the plaintiff who had experienced a fraudulent charge
13
Q
Whalen v. Michael’s Stores, 689 F. App’x 89 (2d Cir. 2017)
A
- No standing
- District court refused to extend without actual charges on CCs, and 2d Cir. affirmed on de novo review
- Implied there may be standing if other personally identifying information was stolen
14
Q
Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017)
A
- Refused standing with no actual ID theft or fraudulent charges
- Data included names, birthdates, last 4 of SSNs, and physical descriptors
- Data was unencrypted
- “In Galaria, Remijas, and Pisciotta, the data thief intentionally targeted the personal information compromised in the data breaches.” Here, it could have easily been IP
- Even if 33% of victims of a breach will become victims, 66% will not
15
Q
Katz v. Pershing, 672 F.3d 64 (1st Cir. 2012)
A
- No standing
- Motion to Dismiss
- “This omission is fatal: because she does not identify any incident in which her data has ever been accessed by an unauthorized person, she cannot satisfy Article III’s requirement of actual or impending injury.”
- Increased risk that someone may access her data, and that once accessed, it may increase the risk of identity theft
- brokerage account-holder’s increased risk of unauthorized access and identity theft theory insufficient to constitute “actual or impending injury” after defendant failed to properly maintain an electronic platform containing her account information, because plaintiff failed to “identify any incident in which her data has ever been accessed by an unauthorized person”
