While eBay’s lawyers may be celebrating the fact that the company is off the hook in a lawsuit relating to a data breach that occurred last year, eBay’s marketing team may not be pleased, since coverage of a court’s decision to dismiss the lawsuit is reminding shoppers once again that their personal information may be in the hands of criminals.
Collin Green sued eBay last July and sought class status, but a judge said the plaintiff failed to show injury. “In most data breach cases, the complaints allege sensitive information was stolen, such as financial information or Social Security numbers,” the judge wrote. “In such cases, courts nonetheless have found that the mere risk of identity theft is insufficient to confer standing, even in cases where there were actual attempts to use the stolen information.”
And, she wrote in in her order to dismiss, “Even where actual fraudulent credit card charges are made after a data breach, courts have held the injury requirement still is not satisfied if the plaintiffs were not held financially responsible for paying such charges.”
But what about the costs of what the lawsuit called “years of identity protection services and credit checks even if they are never subject to active identity fraud”?
After all, the plaintiff argued, “Studies indicate individuals whose personal information is stolen are approx.. 9.5 times more likely to suffer identity fraud; thus, the plaintiff and class members must be vigilant for many years in checking for fraud in their name, and be prepared to deal with the steep costs associated with identity fraud.”
The court said, “As the Supreme Court made clear in Clapper, mitigation expenses do not qualify as injury-in-fact when the alleged harm is not imminent. Therefore, Plaintiff’s allegations relating to costs already incurred or that may be incurred to monitor against future identity theft or identity fraud likewise fail to constitute injury-in-fact for standing purposes.”
The plaintiff lambasted eBay in its original complaint, alleging the breach was the result of “inadequate security in regard to protecting identity information of its millions of customers,” and citing an expert who said it was “inexcusable” that eBay had failed to encrypt much of the personal information stolen.
The court was unswayed, citing Article III of the United States Constitution that limits the jurisdiction of federal courts to actual “Cases” and “Controversies.”
“One element of the case-or-controversy requirement is that plaintiffs must establish that they have standing to sue,” the court said, stating that the “injury-in-fact element is often determinative.”
Govinfosecurity.com said rulings such as these are common in class action lawsuits involving data breaches, but it noted not all cases have been dismissed. “U.S. District Judge Paul Magnuson, for example, allowed several class action lawsuits lodged against Target, in the wake of its massive data breach in 2013.”