eBay Security Breach Makes Headlines Again

While eBay’s lawyers may be celebrating the fact that the company is off the hook in a lawsuit relating to a data breach that occurred last year, eBay’s marketing team may not be pleased, since coverage of a court’s decision to dismiss the lawsuit is reminding shoppers once again that their personal information may be in the hands of criminals.

Collin Green sued eBay last July and sought class status, but a judge said the plaintiff failed to show injury. “In most data breach cases, the complaints allege sensitive information was stolen, such as financial information or Social Security numbers,” the judge wrote. “In such cases, courts nonetheless have found that the mere risk of identity theft is insufficient to confer standing, even in cases where there were actual attempts to use the stolen information.”

And, she wrote in her order to dismiss, “Even where actual fraudulent credit card charges are made after a data breach, courts have held the injury requirement still is not satisfied if the plaintiffs were not held financially responsible for paying such charges.”

But what about the costs of what the lawsuit called “years of identity protection services and credit checks even if they are never subject to active identity fraud”?

After all, the plaintiff argued, “Studies indicate individuals whose personal information is stolen are approx. 9.5 times more likely to suffer identity fraud; thus, the plaintiff and class members must be vigilant for many years in checking for fraud in their name, and be prepared to deal with the steep costs associated with identity fraud.”

The court said, “As the Supreme Court made clear in Clapper, mitigation expenses do not qualify as injury-in-fact when the alleged harm is not imminent. Therefore, Plaintiff’s allegations relating to costs already incurred or that may be incurred to monitor against future identity theft or identity fraud likewise fail to constitute injury-in-fact for standing purposes.”

The plaintiff lambasted eBay in its original complaint, alleging the breach was the result of “inadequate security in regard to protecting identity information of its millions of customers,” and citing an expert who said it was “inexcusable” that eBay had failed to encrypt much of the personal information stolen.

The court was unswayed, citing Article III of the United States Constitution, which limits the jurisdiction of federal courts to actual “Cases” and “Controversies.”

“One element of the case-or-controversy requirement is that plaintiffs must establish that they have standing to sue,” the court said, stating that the “injury-in-fact element is often determinative.”

Govinfosecurity.com said rulings such as these are common in class action lawsuits involving data breaches, but it noted not all cases have been dismissed. “U.S. District Judge Paul Magnuson, for example, allowed several class action lawsuits lodged against Target, in the wake of its massive data breach in 2013.”

Ina Steiner
Ina Steiner is co-founder and Editor of EcommerceBytes and has been reporting on ecommerce since 1999. She's a widely cited authority on marketplace selling and is author of "Turn eBay Data Into Dollars" (McGraw-Hill 2006). Her blog was featured in the book, "Blogging Heroes" (Wiley 2008). Follow her on Twitter at @ecommercebytes and send news tips to ina@ecommercebytes.com.