eBay Breach-Related Lawsuit Dismissed
Judge Rules Injury Was Not Proven
A federal judge has dismissed a class action lawsuit filed against eBay in the wake of a 2014 data breach that exposed encrypted passwords and personal information for 145 million users.
After eBay discovered the cyber-attack - which occurred between late February and early March 2014 - it notified its users and advised them to change their passwords. The database that was exposed during the breach contained users' encrypted passwords, as well as their names, e-mail addresses, mailing addresses, phone numbers and dates of birth, eBay said. But eBay - which owns PayPal - said that the database contained no financial information.
The lawsuit was filed in July 2014 by Collin Green on behalf of all eBay users in the United States whose personal information was exposed by the breach (see eBay Faces Breach Class Action Suit). The lawsuit alleged that the breach resulted in "economic damages" for eBay users and "actual identity theft," as well as lost time and damages resulting from having to mitigate an increased risk of identity theft.
For such a lawsuit to be successful, however, legal experts say plaintiffs must typically prove - per what's known as Article III standing - that they suffered an actual or threatened injury. But eBay said there was no evidence that payment card data had been compromised, or users harmed, and the judge presiding over the case appeared to agree.
"This case raises the issue of whether the increased risk of future identity theft or identity fraud posed by a data security breach confers Article III standing on individuals whose information has been compromised by the data breach but whose information has not yet been misused," U.S. District Court Judge Susie Morgan wrote in a May 4 order. "After considering the parties' briefs and the relevant case law, the court finds itself positioned with the majority of district courts that have held the answer is no."
As a result, Morgan granted eBay's request to dismiss the case, saying that Green "has not adequately alleged Article III standing."
A Common Issue
Such rulings are common in class action lawsuits filed over data breaches. "The failure to establish an injury-in-fact sufficient to support Article III standing has been a key issue in data breach class actions," says Barry Goheen, a partner in the litigation practice group at the Atlanta-based law firm King & Spalding, in a blog post published prior to Morgan dismissing the case.
In legal terms, "standing" refers to the ability to demonstrate a connection to - or harm resulting from - a law or action, and "over the last several years, federal courts have dismissed the majority of these types of cases for lack of standing," Goheen says.
The lack of standing results from judges ruling that plaintiffs - such as Green - cannot prove that they suffered some tangible or imminent "injury," such as economic harm. "His lawsuit, like so many others before his, basically argued the harm was the risk of future harm, as breach victims have statistically higher likelihood of becoming victims of ID theft," says the privacy blogger known as "Dissent."
Lawsuit Exception: Target
But when it comes to class action lawsuits filed in the wake of data breaches, not all cases have been dismissed. U.S. District Judge Paul Magnuson, for example, allowed several class action lawsuits lodged against Target, in the wake of its massive data breach in 2013 - which involved the theft of payment card data, and resulting cases of fraud - to continue. Target has agreed on a provisional settlement of one of those suits that would award $10 million to affected consumers (see Judge OK's Target Breach Settlement).
Attorneys for Target had filed a motion to dismiss the lawsuits. "In consumer cases that have been brought across the country, the vast majority of them have been dismissed. The kinds of injury they claim is really the threat or risk of future harm, and courts have pretty universally found that to be insufficient," Target attorney Wendy Wildung, partner at Faegre Baker Daniels, said in a document filed with the court.
Magnuson, however, denied that request, and ruled that the cases would proceed. Subsequently, Target reached its provisional settlement agreement for one lawsuit filed on behalf of consumers, which the judge plans to review in a Nov. 10 hearing, so he can assess how related claims have been handled.
Still, it's not clear whether the judge would have ruled in Target's favor, had the case not been settled. Some experts said that Target - which had $2.2 billion in cash on the books as of Jan. 31, 2015 - may have agreed to the settlement simply to make the consumer case go away. As of February, the company reported that it had already spent $252 million on breach-related expenses, about $90 million of which was offset by the company's insurance policies.
Meanwhile, a class action lawsuit filed by financial institutions against Target seeking reimbursement for breach-related expenses is still pending (see Target Settlement: What About the Banks?).
And a group of financial institutions affected by the Target data breach that exposed at least 40 million payment cards is asking a court for a preliminary injunction to block the proposed settlement between the retailer and MasterCard that would provide $19 million to card issuers (see Banks Try to Block Target Settlement). In documents filed on April 21 in Minnesota U.S. District Court, the banks allege that "the total losses actually suffered by card-issuing financial institutions are astronomically higher than the $19 million offered under the proposed settlement."