Cases

Question 1

Clapper v. Amnesty International, 568 U.S. 398 (2013)

Answer 1

• No standing
• Summary judgment
• Sets standard!
• No standing because too attenuated; involved a federal statute for wiretapping overseas people who Amnesty Int’l lawyers occasionally had to speak to; required several independent actors to make sequential decisions
• Sets forward the “certainly impending” standard, but contemplated the substantial risk
• Susan B. Anthony List (2014) sets forward the substantial risk standard

Question 2

In re Zappos, 888 F.3d 1020 (9th Cir. 2018)

Answer 2

• Found standing
• Motion to Dismiss
• Names, account numbers, phone #s, CC #s
• 24 million customers
• No actual ID theft among this class; harm purely based on the breach
• “injury in fact based on a substantial risk that the Zappos hackers will commit identity fraud or identity theft”

Question 3

Attias v. Carefirst, 865 F.3d 620 (D.C. Cir. 2017)

Answer 3

• Found standing
• Motion to dismiss
• Names, birthdates, email addresses, SSNs, CCs
• Relies on Remijas; no actual identity theft
• “A3 standing doesn’t require the defendant be the most immediate cause, or even a proximate cause; just that it be fairly traceable.”
• Members of the other putative class from the same breach had experienced identity theft

Question 4

In re Horizon Healthcare, 846 F.3d 625 (3d Cir. 2017)

Answer 4

• Found standing; statutory claim under FCRA
• Facial, not factual, challenge to standing
• “FCRA: remedy for unauthorized transfer of personal information”
• At least one class member had experienced identity theft: false tax return filed, and a fraudulent CC use

Question 5

Galaria v. Nationwide Mutual, 663 F. App’x 384 (6th Cir. 2016)

Answer 5

• Found standing
• Motion to dismiss
• Names, DOBs, marital status, gender, jobs, SSN, DL #s
• Uses “substantial risk,” not “certainly impending”
• Courts applying have narrowed the decision
• No actual harm

Question 6

Remijas v. Neiman Marcus, 794 F.3d 688 (7th Cir. 2015)

Answer 6

• Found standing
• Motion to dismiss
• Customers had incurred fraudulent charges!
• 9200 of 350,000 cards were used fraudulently

Question 7

Krottner v. Starbucks, 628 F.3d 1139 (9th Cir. 2010)

Answer 7

• Found standing
• Motion to dismiss
• Data on a stolen laptop; more clearly shows malicious intent
• Stolen but not misused—seems to be a CA9 thing

Question 8

Pisciotta v. Old National Bancorp, 499 F.3d 629, 634 n.3 (7th Cir. 2007)

Answer 8

• Used in majority (decision in Dashon’s favor) to compare data breach to toxic substances
• To distinguish, rely on ability of science to more accurately measure exposure & likelihood of actualized harm

Question 9

Friends of the Earth v. Gaston Copper, 204 F.3d 149, 160 (4th Cir. 2000)

Answer 9

• Also used to compare to environmental harm
• Distinguish using ability of science to more accurately measure likelihood of harm
• Also rely on the fact that we don’t know the ID of the hackers, so we can’t judge their malicious intent

Question 10

In re OPM, 928 F.3d 42 (D.C. Cir. 2019)

Answer 10

• Found standing
• Motion to dismiss
• Distinguish on NatSec grounds—this was a gov’t agency protecting SSNs, birthdates, addresses, fingerprints, etc. of “a staggering number” of gov’t employees
• Capacity for blackmail

Question 11

Resnick v. AvMed, 693 F.3d 1317 (11th Cir. 2012)

Answer 11

• Found standing
• Motion to dismiss
• Only used in majority for “fairly traceable”
• Traceability here was because laptops were stolen—here, data could come from a different breach

Question 12

In re SuperValu, 870 F.3d 763 (8th Cir. 2017)

Answer 12

• Found standing despite no substantial risk of ID theft
• Motion to Dismiss
• “Crucial to the outcome” was that one plaintiff experienced a fraudulent charge shortly after shopping at a particular SuperValu location
• Notes that cases finding standing turned on the facts of each case, not on a unifying principle
• Study: of 24 largest breaches over a 6 year period, only 4 resulted in any form identity theft
• Only upheld standing for the plaintiff who had experienced a fraudulent charge

Question 13

Whalen v. Michael’s Stores, 689 F. App’x 89 (2d Cir. 2017)

Answer 13

• No standing
• District court refused to extend without actual charges on CCs, and 2d Cir. affirmed on de novo review
• Implied there may be standing if other personally identifying information was stolen

Question 14

Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017)

Answer 14

• Refused standing with no actual ID theft or fraudulent charges
• Data included names, birthdates, last 4 of SSNs, and physical descriptors
• Data was unencrypted
• “In Galaria, Remijas, and Pisciotta, the data thief intentionally targeted the personal information compromised in the data breaches.” Here, it could have easily been IP
• Even if 33% of victims of a breach will become victims, 66% will not

Question 15

Katz v. Pershing, 672 F.3d 64 (1st Cir. 2012)

Answer 15

• No standing
• Motion to Dismiss
• “This omission is fatal: because she does not identify any incident in which her data has ever been accessed by an unauthorized person, she cannot satisfy Article III’s requirement of actual or impending injury.”
• Increased risk that someone may access her data, and that once accessed, it may increase the risk of identity theft
• brokerage account-holder’s increased risk of unauthorized access and identity theft theory insufficient to constitute “actual or impending injury” after defendant failed to properly maintain an electronic platform containing her account information, because plaintiff failed to “identify any incident in which her data has ever been accessed by an unauthorized person”

Question 16

Reilly v. Ceridian Corp, 664 F.3d 38 (3d Cir. 2011)

Answer 16

• No standing
• No evidence suggested past or future misuse of data; not known whether hacker read, copied, or understood the breached data
• “The present test is actuality, not hypothetical speculations concerning the possibility of future injury”
• BUT pre-Clapper/SBA List

Question 17

Hutton v. National Board of Examiners in Optometry, 892 F.3d 613 (4th Cir. 2018)

Answer 17

• Standing!
• Relied on Beck, though
• Injury must be “fairly traceable,” not “plausibly traceable;” that is, you must plausibly allege that the injury is fairly traceable
• In distinguishing from Beck, notes that (1) ID theft and CC fraud occurred here; and (2) false CCs open.

Question 18

Public Citizen v. National Highway Traffic Safety Admin, 489 F.3d 1279, 1298 (D.C. Cir. 2007)

Answer 18

• Admin case; deals with tire pressure monitors
• if “‘all purely speculative increased risks [were] deemed injurious, the entire requirement of actual or imminent injury would be rendered moot, because all hypothesized, non-imminent injuries could be dressed up as increased risk of future injury.’”
• Frame as an illustration of speculative harm undermining A3

Question 19

Summers v. Tice

Answer 19

• State law tort case
• Illustrates that multiple actors that could be causes can make it impossible to prove any one of the actors was responsible
• Case where multiple people shot towards a person, but only one actually shot him—impossible to tell who