The Central District of California recently dismissed a data breach class action for lack of standing, notwithstanding evidence that the stolen data of 40 million consumers had allegedly been offered for sale on the dark web. The court determined that the data breach could not possibly have caused a risk of identity theft, fraud, and attendant harms given the “essentially useless” nature of the data.
Burns v. Mammoth Media, Inc., No. 2:20-cv-04855-DDP (C.D. Cal.), involved a data breach arising from Mammoth Media, Inc.’s social media app Wishbone, which allows users to compare images and invite friends and followers to vote on their favorites. The plaintiff alleged that he downloaded the app when he was 14, created an account by selecting a username and password, and provided an email address.
Four years after the plaintiff created the account, Mammoth informed him that it had suffered a data breach, and that “usernames, emails, phone numbers, time zone/region, full name, bio, gender, hashed [i.e., encrypted] passwords, and profile pictures” may have been compromised. The plaintiff alleged that following the Wishbone data breach, his Spotify and Reddit accounts were compromised, he began receiving spam emails, and he spent over three hours mitigating the harm by changing online passwords, setting up fraud alerts, and reviewing his bank accounts for fraud. Because the stolen Wishbone data had been offered for sale on the dark web, the plaintiff alleged that the theft of his data “will result in” identity theft and fraud, lowered credit scores, loss of access to online and financial accounts, and the loss of time and enjoyment stemming from mitigation efforts.
The complaint stated, on behalf of a putative class, causes of action for negligence, declaratory judgment, breach of confidence, violation of California’s Unfair Competition Law, and violation of “data breach statutes of 38 states.” Mammoth moved to dismiss under Rule 12(b)(1) for lack of Article III standing.[1] In support of its motion, Mammoth submitted a declaration from its chief technology officer, Brian DeBoer, stating that the plaintiff’s compromised data did not include information such as his birthdate, Social Security number, or financial account information. Critically, DeBoer’s declaration further asserted that the plaintiff’s compromised information “cannot be used to access Spotify, Reddit, or any other account.”
The district court emphasized that Mammoth’s standing challenge was factual, not merely facial, and the plaintiff had not responded with competent proof to rebut Mammoth’s evidence. The court rejected the plaintiff’s arguments that the factual questions regarding jurisdiction were “inextricably intertwined” with the merits, finding that even though there was “significant overlap of jurisdictional and substantive allegations,” there was “no corresponding intertwining of jurisdictional and merits-related, disputed facts.” (emphases in original). The court found that the plaintiff’s allegations “are impossible to square with DeBoer’s declaration that the plaintiff’s compromised information is essentially useless.” Concluding that DeBoer’s declaration — the only evidence in the record — established that the Mammoth data breach “could not possibly have caused the alleged risk of identity theft, fraud, and attendant harms,” the court dismissed the complaint for lack of standing (although it granted leave to amend).
Notably, the court did not cite to TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (2021), and the court’s analysis may be outdated in light of the Supreme Court’s recent opinion. The court implies that a “significant risk of identity theft, financial fraud, and other identity-related fraud into the indefinite future” would have supported Article III standing if the compromised data was the type that could facilitate these harms. Although this position is consistent with pre-Ramirez Ninth Circuit case law, see Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), it is tenuous at best now.
After Ramirez, a “risk of future harm” may be sufficient to establish standing in claims seeking forward-looking injunctive relief. Ramirez, 141 S. Ct. at 2210 (citing Clapper v. Amnesty Int’l USA, 568 U.S. 398, 414 n.5 (2013)). But Ramirez distinguishes standing in claims for injunctive relief from cases in which plaintiffs seek to recover damages. The Supreme Court looked favorably on TransUnion’s argument that:
[I]f an individual is exposed to a risk of future harm, time will eventually reveal whether the risk materializes in the form of actual harm. If the risk of future harm materializes and the individual suffers a concrete harm, then the harm itself, and not the pre-existing risk, will constitute a basis for the person’s injury and damages. Id. at 2211.
The Court’s aversion to standing based on “risk of future harm” calls to mind cases like Tsao v. Captiva MVP Rest. Partners LLC, 986 F.3d 1332 (11th Cir. 2021), which we previously reported on. Even though Ramirez was not a data breach case, its “concrete harm” analysis is not limited to a specific type of case. Thus, the circuit split that was acknowledged in Tsao and illustrated by Tsao and Krottner may now be resolved.
The case highlights trends in data breach cases that are helpful to defendants. First, the type and nature of data implicated in a breach impacts the injury inquiry. As the district court in Burns recognized, much of the data compromised in data breaches, while personal to the user, is “essentially useless” and cannot be monetized or used to commit identity theft or fraud. Courts today are more willing to parse the nature of compromised data and find that theft that does not involve personal identifiers, such as Social Security numbers and dates of birth, cannot cause injury. Second, given the frequency of data breaches and availability of personal data on the internet, it is becoming more difficult for plaintiffs to prove an injury that is traceable to the defendant. With hundreds of millions of consumers impacted in some of the nation’s larger data breaches and the proliferation of personal data available on the internet, proving that identity fraud occurred because of a particular data breach is becoming difficult, if not impossible, to establish with certainty. Finally, while some courts have recently shown reluctance to grant facial challenges to Article III standing, the Burns case demonstrates that in certain circumstances, a factual challenge can be made early in a case, even before extensive discovery occurs. A plaintiff who relies on mere allegations to respond to a factual challenge supported by a declaration does so at their peril. We will need to wait and see if this case gets refiled in California state court.
[1] Mammoth also moved to dismiss under Rule 12(b)(6), but the court did not address this argument, having already determined that the plaintiff lacked Article III standing.