A key issue for any business facing class action litigation in response to a data breach is whether the plaintiffs, particularly consumers, will have standing to sue. Standing to sue in a data breach class action suit, largely turns on whether plaintiffs establish that they have suffered an “injury-in-fact” resulting from the data breach. Plaintiffs in data breach class actions are often not able to demonstrate that they have suffered financial or other actual damages resulting from a breach of their personal information. Instead, plaintiffs will allege that a heightened “risk of future harm” such as identity theft or fraudulent charges is enough to establish an “injury-in-fact”.
Federal circuits court over the past few years have struggled with the question whether plaintiffs in a data breach class action can establish standing if they only allege a heightened “risk of future harm”. For example,the 3rd, 6th, 7th, 11th, and D.C. circuits have generally found standing, while the 1st, 2nd, 4th, 5th, 8th and 9th circuits have generally found no standing where a plaintiff only alleges a heightened “risk of future harm”. This circuit court split is in large part to due to lack of clarity following the U.S. Supreme Court’s decision in Spokeo, Inc. v. Robins which held that even if a statute has been violated, plaintiffs must demonstrate that an “injury-in-fact” has occurred that is both concrete and particularized, but which failed to clarify whether a “risk of future harm” qualifies as such an injury.
California Senate Tackles Issue of Standing in Data Breach Class Action Suits
While businesses await the U.S. Supreme Court to address this issue, it looks like the California legislature may take matters into its own hands. Senator Bill Dodd (D.) recently introduced a bill, S.B. 1121 Personal Information (an amendment to the California Customer Records Act) that would allow consumers to sue a business in response to a data breach without any showing of harm at all. The California Senate recently passed the bill in a vote of 22-13, after accepting an amendment from the Assembly to create a safe harbor for businesses that protect consumer’s personal data. The bill now moves to the California Assembly that must vote on the bill by August 31st. If the bill passes the Assembly, Governor Jerry Brown will have 30 days to sign or veto the bill.
Key Aspects of the S.B. 1121 Personal Information Include:
- Each consumer could recover damages in an amount of not less than $200 and not greater than $1,000 per incident or for actual damages, whichever sum is greater.
- Defines “breach” as “unauthorized access, use, modification, or disclosure of personal information.”
- Consumers would have up to 4 years to sue for violation of the California Customer Records Act if their personal information was breached.
- The current California Customer Records narrowly defines “customer” as an individual who provides personal information to a business for the purpose of purchasing or leasing a product or obtaining a service from the business. This bill would instead make those provisions applicable to consumers and consumer records, and define “consumer” for purposes of those provisions broadly to include any natural person.
- A safe harbor for businesses that have implemented and maintained reasonable security procedures and practices appropriate to the nature of the information.
Response to Senator Dodd’s Bill
S.B. 1121 Personal Information if passed would substantially lower (if not eliminate) the standing threshold in data breach consumer class action lawsuits. While consumer groups including the Consumer Attorneys of California, the California Public Interest Research Group, and others have come out in support, business organizations are, strongly opposed to the bill. Opposition includes a coalition of over 70 groups (and growing) including the
Senator Dodd in his introduction of S.B. 1121 stressed the importance of providing consumers a measure to sue following a data breach of their personal information, however Senator Dodd has said he is open to amendments of the bill to prevent “a mecca for lawsuits when no harm has been done”.
S.B. 1121 Personal Information is only one example of a wider trend in both the state and federal legislatures attempting to provide greater protection to consumer’s personal information, in response to both large-scale breaches, and the E.U.’s General Data Protection Regulation. Recent amendments strengthening state data breach notification laws (e.g. Louisiana, Colorado, Arizona, South Dakota and Alabama) and federal legislative proposals such as the Consumer Privacy Protection Act of 2017 or the Data Security and Breach Notification Act (see our blog post Senate Bill Introduced to Protect Personally Identifiable Information) are further indications of this growing trend.