Green v. eBay Inc., No. 2:2014cv01688 - Document 38 (E.D. La. 2015)
Court Description: ORDER AND REASONS - IT IS ORDERED that eBays Motion to Dismiss for lack of standing 20 be and hereby is GRANTED, and the Class Action Complaint is DISMISSED without prejudice. Signed by Judge Susie Morgan on 5/4/2015. (bwn)
Download PDF
<![CDATA[
Green v. eBay Inc. Doc. 38 U N ITED STATES D ISTRICT COU RT EASTERN D ISTRICT OF LOU ISIAN A COLLIN GREEN , Plain tiff CIVIL ACTION VERSU S N O. 14 -16 8 8 EBAY IN C., D e fe n d an t SECTION : “E” ( 4 ) ORD ER AN D REASON S Before the Court is Defendant eBay Inc.’s (“eBay”) Motion to Dism iss Plaintiff’s Class Action Com plaint pursuant to Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6).1 In its m otion, eBay first argues the Class Action Com plaint should be dism issed pursuant to Rule 12(b)(1) because Plaintiff Collin Green, the sole nam ed Plaintiff in this action, has failed to allege a cognizable injury-in-fact; therefore, he lacks Article III standing to pursue this case in federal court. In the alternative, eBay contends the Class Action Com plaint should be dism issed pursuant to Rule 12(b)(6) for failure to state a claim upon which relief can be granted. This case raises the issue of whether the increased risk of future identity theft or identity fraud posed by a data security breach confers Article III standing on individuals whose inform ation has been com prom ised by the data breach but whose inform ation has not yet been m isused. After considering the parties’ briefs and the relevant case law, the Court finds itself positioned with the m ajority of district courts that have held the answer is no. Because Plaintiff has failed to allege a cognizable Article III injury, the 1 R. Doc. 20 . 1 Dockets.Justia.com Court grants eBay’s m otion and dism isses the Class Action Com plaint for lack of standing. BACKGROU N D eBay is a global e-comm erce website that enables its over 120 m illion active users to buy and sell in an online m arketplace.2 In its norm al course of business, eBay m aintains personal inform ation of its users, including: nam es, encrypted passwords, dates of birth, em ail addresses, physical addresses, and phone num bers.3 In February and March 20 14, unknown persons accessed eBay’s files containing this user inform ation (the “Data Breach”).4 On May 21, 20 14, eBay notified its users of the Data Breach and recom m ended that users change their passwords.5 Although eBay also collects other inform ation, including credit card and bank account inform ation, there is no indication that any financial inform ation was accessed or stolen during the Data Breach.6 Plaintiff Collin Green filed this 10 -count consum er privacy putative class action against eBay on behalf of him self and all eBay users in the United States whose personal inform ation was accessed during the Data Breach.7 Plaintiff alleges that as a direct and proxim ate result of eBay’s conduct, “Plaintiff and the putative class m em bers have 2 R. Doc. 1 ¶ 3. Id. ¶ 4. 4 Id. 5 Id. ¶ 5. 6 Id. ¶¶ 19– 20 (“At this tim e Plaintiff is unsure how m uch, if any, of these additional highly detailed classes of personal inform ation were also stolen due to eBay’s failures.”). Additionally, Plaintiff incorporates by reference into his Com plaint eBay’s Form 8-K for the period ending May 21, 20 14, R. Doc. 1 ¶ 13 n.1, which eBay requested that the Court consider in conjunction with its motion to dismiss. R. Doc. 23. The Form 8-K incorporates by reference a press release issued by eBay on May 21, 20 14, which states: “The com pany said it has . . . no evidence of any unauthorized access to financial or credit card inform ation, which is stored separately in encrypted form ats. . . . The com pany also said it has no evidence of unauthorized access or com prom ises to personal or financial inform ation for PayPal users. PayPal data is stored separately on a secure network, and all PayPal financial inform ation is encrypted.” R. Doc. 23-6. 7 R. Doc. 1 ¶ 123. 3 2 suffered econom ic dam ages,”8 “actual identity theft, as well as (i) im proper disclosures of their personal inform ation; (ii) out-of-pocket expenses incurred to m itigate the increased risk of identity theft and/ or identity fraud due to eBay’s failures; (iii) the value of their time spent m itigating identity theft and/ or identity fraud, and/ or the increased risk of identity theft and/ or identity fraud; (iv) and deprivation of the value of their personal inform ation.”9 The Class Action Com plaint asserts federal causes of action under the Federal Stored Com m unications Act, Fair Credit Reporting Act, and Gram mLeach-Bliley Act and several state law causes of action, including negligence, breach of contract, and violation of state privacy laws. eBay now m oves to dism iss the Class Action Com plaint pursuant to Federal Rules of Civil Procedure 12(b)(1) for lack of standing and 12(b)(6) for failure to state a claim .10 AN ALYSIS The gravam en of eBay’s m otion to dism iss is that Plaintiff lacks Article III standing to bring this action in both his individual and representative capacities. eBay contends the Court lacks subject-m atter jurisdiction because Plaintiff “has not alleged any cognizable injury whatsoever, and he thus lacks Article III standing.”11 eBay argues “Plaintiff does not allege that he has been injured by m isuse of the stolen inform ation[,] . . . that anyone has used his password, or that anyone has even tried to comm it identity fraud with his inform ation—let alone that anyone has actually succeeded in doing so— and that he has thereby suffered harm .”12 Instead, eBay claim s “Plaintiff relies on vague, speculative assertions of possible future injury—that m ay be at som e point in the future, 8 Id. ¶ 55. Id. ¶ 61. 10 R. Doc. 20 . 11 R. Doc. 20 -1 at p. 12. 12 Id. 9 3 he m ight be harm ed. . . . But the speculative possibility of future injury does not constitute injury-in-fact.”13 eBay asserts that the Suprem e Court recently m ade clear in Clapper v. Am nesty International USA that a future injury m ust be “certainly im pending” to establish injury-in-fact, and “[b]ecause Plaintiff has not alleged specific facts constituting an injury that is present or ‘certainly im pending,’ Plaintiff lacks standing and the Com plaint m ust be dism issed.”14 In support, eBay points to num erous post-Clapper data breach cases where courts have held that neither the increased risk of identity theft nor expenses incurred to m itigate this speculative risk constitute injury-infact as required for Article III standing.15 Plaintiff argues eBay has m isconstrued recent Suprem e Court case law on standing and contends the Class Action Com plaint sufficiently alleges injury-in-fact because Plaintiff and the putative class m em bers are now subject to the “statistically certain threat” of identity theft or identity fraud, and they have incurred, or will incur, costs to m itigate that risk.16 Plaintiff states his personal inform ation was stolen, along with that of all of the m em bers of the putative class, and “[e]m pirical data shows a vast num ber of the class m em bers will be significantly harm ed.”17 Although Plaintiff concedes the entire class m ay not suffer injury,18 he argues the Fifth Circuit “has explained . . . that the fact a section of the class m ay not suffer the dam ages alleged is not sufficient to destroy Article III standing; it is the allegation of injury that determ ines at this phase.”19 13 Id. Id. (citing 133 S.Ct. 1138 (20 13)). 15 R. Doc. 20 -1 at pp. 17– 18. For exam ples of such cases, see infra note 33. 16 R. Doc. 24. 17 Id. at pp. 13, 15. 18 Id. at p. 15. 19 Id. at p. 17. 14 4 “Article III of the United States Constitution lim its the jurisdiction of federal courts to actual ‘Cases’ and ‘Controversies.’”20 “One elem ent of the case-or-controversy requirem ent is that plaintiffs m ust establish that they have standing to sue.”21 Because standing is a m atter of subject-m atter jurisdiction, a m otion to dism iss for lack of standing is properly brought pursuant to Federal Rule of Civil Procedure 12(b)(1).22 Federal courts m ust dism iss an action if, “at any tim e,” it is determ ined that subjectm atter jurisdiction is lacking.23 As the party invoking federal jurisdiction, the plaintiff constantly bears the burden of establishing the jurisdictional requirem ents, including standing.24 “To establish Article III standing, a plaintiff m ust show (1) an ‘injury in fact,’ (2) a sufficient ‘causal connection between the injury and the conduct com plained of,’ and (3) a ‘likel[ihood]’ that the injury ‘will be redressed by a favorable decision.’”25 The first prong focuses on whether the plaintiff suffered harm , the second focuses on who inflicted that harm , and the third focuses on whether a favorable decision will likely 20 Crane v. Johnson, ---F.3d---, No. 14-10 0 49, 20 15 WL 1566621, at *7 (5th Cir. Apr. 7, 20 15) (citing U.S. CONST., art. III, § 2). 21 Clapper v. Am nesty Int’l USA, 133 S. Ct. 1138, 1146 (20 13) (internal quotation m arks and citation om itted). 22 See F ED . R. CIV. P. 12(b)(1). A m otion to dism iss for lack of standing m ay be either ‘facial’ or ‘factual.’” Superior MRI Servs., Inc. v. Alliance Healthcare Servs., Inc., 778 F.3d 50 2, 50 4 (5th Cir. 20 15) (citing Paterson v. W einberger, 644 F.2d 521, 523 (5th Cir. 1981)). eBay does not “subm it[] affidavits, testimony, or other evidentiary m atters” to factually challenge the Court’s jurisdiction; rather, eBay attacks the sufficiency of the Class Action Com plaint on the grounds that the pleaded facts do not establish Article III standing. Id.; R. Doc. 20 . Accordingly, eBay’s m otion is a facial attack, and the Court m ay consider only the allegations in the Class Action Complaint and any documents referenced therein or attached thereto when determining whether Plaintiff’s jurisdictional allegations are sufficient. See Paterson, 644 F.2d at 523. 23 See F ED . R. CIV. P. 12(h)(3). 24 See Ram m ing v. United States, 281 F.3d 158, 161 (5th Cir. 20 0 1) (citations omitted); Crane, 20 15 WL 1566621, at *3. 25 Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334, 2341 (20 14) (alteration in original) (quoting Lujan v. Defenders of W ildlife, 50 4 U.S. 555, 560 – 61 (1992)). The fact that Plaintiff alleges statutory violations does not alone establish standing. See In re Barnes & Noble Pin Pad Litig., No. 12-8617, 20 13 WL 4759588, at *3 (N.D. Ill. Sept. 3, 20 13) (“Even assum ing the statutes have been violated by the delay or inadequacy of [Defendant’s] notification, breach of these statutes is insufficient to establish standing without any actual dam ages due to the breach. Plaintiffs m ust plead an injury beyond a statutory violation to m eet the standing requirem ent of Article III.”). 5 alleviate that harm .26 Although all three elements are required for Article III standing, the injury-in-fact elem ent is often determ inative.27 In the class action context, “nam ed plaintiffs who represent a class m ust allege and show that they personally have been injured, not that injury has been suffered by other, unidentified m em bers of the class.”28 “[I]f none of the nam ed plaintiffs purporting to represent a class establishes the requisite of a case or controversy with the defendants, none m ay seek relief on behalf of him self or any other m em ber of the class.”29 In this case, eBay contends Green, the only nam ed Plaintiff, lacks standing because he has failed to allege a cognizable injury. The injury-in-fact elem ent “helps ensure that the plaintiff has a personal stake in the outcom e of the controversy.”30 Recently, the Suprem e Court in Clapper v. Am nesty International USA provided guidance on the standard for establishing injury-in-fact: 31 [A]n injury m ust be concrete, particularized, and actual or im m inent . . . . Although im m inence is concededly a som ewhat elastic concept, it cannot be stretched beyond its purpose, which is to ensure that the alleged injury is not too speculative for Article III purposes—that the injury is certainly im pending. Thus, we have repeatedly reiterated that threatened injury m ust be certainly im pending to constitute injury in fact, and that allegations of possible future injury are not sufficient.32 Following Clapper, the m ajority of courts faced with data breach class actions where com plaints alleged personal inform ation was accessed but where actual identity 26 See Lujan, 50 4 U.S. at 560 – 61. See Toll Bros. v. Tw p. of Readington, 555 F.3d 131, 138 (3d Cir. 20 0 9); Bellow v. U.S. Dep’t of Health & Hum an Servs., No. 10 -165, 20 11 WL 2470 456, at *5 (E.D. Tex. Mar. 21, 20 11) report and recom m endation adopted, No. 10 -165, 20 11 WL 246220 5 (E.D. Tex. J une 20 , 20 11). 28 Brow n v. Protective Life Ins. Co., 353 F.3d 40 5, 40 7 (5th Cir. 20 0 3) (internal quotation m arks and citation om itted). 29 O’Shea v. Littleton, 414 U.S. 488, 494 (1974). 30 Susan B. Anthony List, 134 S. Ct. at 2341 (internal quotation m arks and citation om itted). 31 133 S.Ct. 1138 (20 13). 32 Id. at 1147 (alteration om itted) (internal quotation m arks and citations om itted). 27 6 theft was not alleged have applied this “certainly im pending” standard; notably, where plaintiffs have alleged their injury was the increased risk of identity theft, courts have dism issed the com plaints for lack of Article III standing.33 These courts found that the m ere increased risk of identity theft or identity fraud alone does not constitute a cognizable injury unless the harm alleged is certainly im pending.34 For exam ple, in Strautins v. Trustw ave Holdings, Inc., a hacker infiltrated the South Carolina Departm ent of Revenue, and “approxim ately 3.6 m illion Social Security num bers, 387,0 0 0 credit and debit card num bers, and tax records for 657,0 0 0 33 See, e.g., In re Horizon Healthcare Servs., Inc. Data Breach Litig., No. 13-7418, 20 15 WL 1472483 (D.N.J . Mar. 31, 20 15) (unpublished); Peters v. St. Joseph Servs. Corp., ---F. Supp. 3d---, No. 14-2872, 20 15 WL 589561 (S.D. Tex. Feb. 11, 20 15); Storm v. Pay tim e, Inc., ---F. Supp. 3d---, No. 14-1138, 20 15 WL 1119724 (M.D. Pa. Mar. 13, 20 15); Lew ert v. P.F. Chang’s China Bistro, Inc., No. 14-4787, 20 14 WL 70 0 50 97, at *4 (N.D. Ill. Dec. 10 , 20 14) (unpublished), appeal docketed, No. 14-370 0 (7th Cir. Dec. 12, 20 14); Rem ijas v. N eim an Marcus Grp., LLC, No. 14-1735, 20 14 WL 4627893 (N.D. Ill. Sept. 16, 20 14) (unpublished), appeal docketed, 14-3122 (7th Cir. Sept. 26, 20 14); Galaria v. Nationw ide Mut. Ins. Co., 998 F. Supp. 2d 646 (S.D. Ohio 20 14); Strautins v. Trustw ave Holdings, Inc., 27 F. Supp. 3d 871 (N.D. Ill. 20 14); In re Barnes & Noble Pin Pad Litig., No. 12-8617, 20 13 WL 4759588 (N.D. Ill. Sept. 3, 20 13). But see In re Target Corp. Data Sec. Breach Litig., ---F. Supp. 3d---, No. MDL 14-2522, 20 14 WL 7192478, at *2 (D. Minn. Dec. 18, 20 14) (finding the plaintiffs sufficiently alleged injury in a data breach case without citing Clapper or the certainly im m inent standard). 34 Plaintiff cites three post-Clapper cases involving the threat of future identity theft or identity fraud where the courts found standing: Moy er v. Michaels Stores, Inc., No. 14-561, 20 14 WL 351150 0 , at *5 (N.D. Ill. J uly 14, 20 14) (unpublished); In re Adobe Sy s., Inc. Privacy Litig., ---F. Supp. 3d---, No. 135226, 20 14 WL 4379916 (N.D. Cal. Sept. 4, 20 14); and In re Sony Gam ing N etw orks & Custom er Data Sec. Breach Litig., 996 F. Supp. 2d 942 (S.D. Cal. 20 14). In Moy er, the court concluded that the Supreme Court’s decision in Susan B. Anthony List v. Driehaus, a m ore recent opinion discussing the injury-in-fact requirem ent for standing, indicates Clapper’s im m inence standard is a rigorous standing analysis to be applied only in cases that involve national security or constitutional issues. 20 14 WL 351150 0 (citing 134 S. Ct. 2334 (20 14)). In Susan B. Anthony List, the Suprem e Court stated: “An allegation of future injury m ay suffice if the threatened injury is ‘certainly im pending,’ or there is a ‘“substantial risk”’ that the harm will occur.’” 134 S. Ct. at 2341 (quoting Clapper, 133 S.Ct. at 1147, 1150 , n.5). Although there are conflicting readings of the Clapper standard in light of Susan B. Anthony List, the underlying facts in this case lead to the conclusion that Plaintiff lacks standing under either the certainly im pending or substantial risk standard. Additionally, all three cases Plaintiff points to are distinguishable from the instant case. Those courts analyzed the cases under pre-Clapper circuit precedent, finding Clapper did not overrule the precedent by setting forth a new Article III fram ework. Both In re Sony and In re Adobe cite the Ninth Circuit’s opinion in Krottner v. Starbucks, 628 F.3d 1139 (9th Cir. 20 10 ). 996 F. Supp. 2d at 961– 62; 20 14 WL 4379916, at *6. Moy er cites the Seventh Circuit’s opinion in Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. 20 0 7). 20 14 WL 351150 0 , at *6. Additionally, all three cases involved stolen financial inform ation, such as credit or debit card numbers, whereas Plaintiff in this case has not alleged any financial inform ation was stolen. 7 businesses had been exposed.”35 The plaintiff filed a class action claim ing she and the other class m em bers incurred the following injuries: (1) untim ely and/ or inadequate notification of the Data Breach; (2) im proper disclosure of [personal identifying information]; (3) loss of privacy; (4) out-of-pocket expenses incurred to m itigate the increased risk of identity theft and/ or identity fraud pressed upon them by the Data Breach; (5) the value of tim e spent m itigating identity theft and/ or identity fraud and/ or the increased risk of identity theft and/ or identity fraud; (6) deprivation of the value of [personal identifying inform ation]; and (7) violations of rights under the Fair Credit Reporting Act.36 The court in Strautins stated that “[t]hese claim s of injury, however, are too speculative to perm it the com plaint to go forward.”37 This is because under Clapper, “allegations of possible future injury are not sufficient to establish standing. . . . [T]he threatened injury m ust be certainly im pending.”38 Even where actual fraudulent credit card charges are m ade after a data breach, courts have held the injury requirem ent still is not satisfied if the plaintiffs were not held financially responsible for paying such charges. For exam ple, in Peters v. St. Joseph Services Corp., hackers infiltrated a health care service provider’s network and accessed personal inform ation of patients and em ployees, including nam es, social security num bers, birthdates, addresses, m edical records, and bank account inform ation.39 Even though there was an attem pted purchase on the plaintiff’s credit card, which was declined by the plaintiff when she received a fraud alert, the court held the plaintiff did not have standing.40 The Court found the plaintiff’s theory based on a certainly im pending or substantial risk of identity theft/ fraud was too speculative and attenuated 35 27 F. Supp. 3d 871, 872 (N.D. Ill. 20 14). Id. at 875. 37 Id. 38 Id. (internal quotation m arks and citations om itted). 39 No. 14-2872, 20 15 WL 589561 (S.D. Tex. Feb. 11, 20 15). 40 Id. 36 8 to constitute injury-in-fact because she was unable to “describe how [she would] be injured without beginning the explanation with the word ‘if.’”41 Sim ilarly, the court in Rem ijas v. Neim an Marcus Group, LLC found the com plaint did not adequately allege standing on the basis of increased risk of future identity theft.42 Despite the fact that thousands of Neim an Marcus custom ers had actual fraudulent charges on their credit cards, the court found the plaintiffs failed to allege that any of the fraudulent charges were unreim bursed, and the court was “not persuaded that unauthorized credit card charges for which none of the plaintiffs are financially responsible qualify as ‘concrete’ injuries.”43 Although Plaintiff’s Class Action Com plaint states all m em bers of the putative class “have suffered actual identity theft,”44 Plaintiff m akes this conclusory statem ent without any allegations of actual incidents of identity theft that any class m em ber has suffered, let alone that Plaintiff him self has suffered. Plaintiff does not allege that any of the inform ation accessed was actually m isused or that there has even been an attem pt to use it. Plaintiff has not alleged that his password was decrypted and utilized or that any of his other personal inform ation has been leveraged in any way. As Plaintiff’s opposition m akes clear, his true argum ent is that his injury-in-fact is the increased risk of future identity theft or identity fraud—not actual identity theft or identity fraud.45 Thus, for Plaintiff to have standing under Article III, the threat of identity theft or 41 Id. at *5 (internal quotation m arks and citation om itted). The plaintiff also alleged other injuries tied to the data breach. She alleged that som eone attem pted to access her Am azon account by using her son’s nam e, which plaintiff claim ed could have only been obtained from the nam es and next-of-kin inform ation she provided to the health care service provider. Id. at *2. Additionally, she claim ed the data breach was the reason she received daily phone solicitations from m edical products and service providers. Id. She further com plained her em ail account and m ailing address were com prom ised. Id. 42 No. 14-1735, 20 14 WL 4627893, at *3 (N.D. Ill. Sept. 16, 20 14). 43 Id. 44 R. Doc. 1 ¶¶ 61, 77, 87, 91, 120 . 45 R. Doc. 24. 9 identity fraud m ust be concrete, particularized, and im m inent—m eaning the harm m ust be certainly im pending.46 The Court finds Plaintiff has failed to allege an injury-in-fact: the allegations in the Com plaint fail to dem onstrate a concrete and particularized actual or threatened injury that is certainly im pending. In m ost data breach cases, the com plaints allege sensitive inform ation was stolen, such as financial inform ation or Social Security num bers.47 In such cases, courts nonetheless have found that the m ere risk of identity theft is insufficient to confer standing, even in cases where there were actual attem pts to use the stolen inform ation.48 In this case, there is no evidence that any financial inform ation or Social Security num bers were accessed during the Data Breach. Additionally, the fact there is no evidence of actual or even attem pted identity theft or identity fraud further supports the Court’s finding that Plaintiff has failed to show the alleged future injury is certainly im pending. Furtherm ore, “[i]t is well settled that ‘[a] claim of injury generally is too conjectural or hypothetical to confer standing when the injury’s existence depends on the decisions of third parties,’”49 and the existence of Plaintiff’s alleged injury in this case rests on whether third parties decide to do anything with the inform ation. If they choose to do nothing, there will never be an injury. 46 See Crane v. Johnson, ---F.3d---, No. 14-10 0 49, 20 15 WL 1566621, at *6 (5th Cir. Apr. 7, 20 15) (citing Clapper v. Am nesty Int’l USA, 133 S. Ct. 1138, 1147 (20 13) and Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334, 2341 (20 14)). 47 See, e.g., In re Horizon Healthcare Servs., Inc. Data Breach Litig., No. 13-7418, 20 15 WL 1472483 (D.N.J . Mar. 31, 20 15) (unpublished); Lew ert v. P.F. Chang’s China Bistro, Inc., No. 14-4787, 20 14 WL 70 0 50 97, at *4 (N.D. Ill. Dec. 10 , 20 14) (unpublished); Strautins v. Trustw ave Holdings, Inc., 27 F. Supp. 3d 871, 872 (N.D. Ill. 20 14). 48 See, e.g., Peters v. St. Joseph Servs. Corp., No. 14-2872, 20 15 WL 589561 (S.D. Tex. Feb. 11, 20 15); Rem ijas v. N eim an Marcus Grp., LLC, No. 14-1735, 20 14 WL 4627893, at *3 (N.D. Ill. Sept. 16, 20 14); In Re Barnes & N oble Pin Pad Litigation, 20 13 WL 4759588 (N.D. Ill. Sept. 3, 20 13). 49 Hotze v. Burw ell, ---F.3d---, No. 14-20 0 39, 20 15 WL 1881418, at *9 (5th Cir. Apr. 24, 20 15) (second alteration in original) (quoting Little v. KPMG LLP, 575 F.3d 533, 540 (5th Cir. 20 0 9) and citing Clapper, 133 S.Ct. at 1150 ). 10 Indeed, Plaintiff’s Com plaint m akes clear that he does not face a certainly im pending risk of future identity theft or identity fraud. For exam ple, the Com plaint states: “Crim inals who now possess Plaintiffs’ [sic] and the class m em bers’ personal inform ation m ay hold the inform ation for later use, or continue to sell it between identity thieves. Thus, Plaintiff and the class m em bers m ust be vigilant for m any y ears in checking for fraud in their nam e, and be prepared to deal with the steep costs associated with identity fraud.”50 Additionally, the Com plaint states: “Studies indicate that individuals whose personal inform ation is stolen are approxim ately 9.5 tim es m ore likely than other people to suffer identity fraud. Moreover, it can take tim e before the identity thieves use the stolen inform ation.”51 However, an increase in the risk of harm is irrelevant—the true question is whether the harm is certainly im pending.52 J ust as in Peters v. St. Joseph Sevices Corp., the allegations in Plaintiff’s Class Action Com plaint m ake clear that “[t]he m isuse of the accessed information could take any num ber of form s, at any point in tim e. . . . It m ay even be im possible to determ ine whether the m isused inform ation was obtained from exposure caused by the Data Breach or from som e other source. Ultim ately, [Plaintiff’s] theory of standing ‘relies on a highly attenuated chain of possibilities.’ As such, it fails to satisfy the requirem ent that ‘threatened injury be certainly im pending to constitute injury in fact.’”53 Although Plaintiff claim s “[t]he only purpose to steal the inform ation [from eBay] is to profit from it,”54 nothing in the Com plaint indicates the threat of future identity theft or identity fraud is certainly im pending. The potential injury in this case is far too 50 R. Doc. 1 ¶¶ 33– 34 (em phasis added). ¶ 33. 52 See In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 25 (D.D.C. 20 14). 53 No. 14-2872, 20 15 WL 589561, at *5 (S.D. Tex. Feb. 11, 20 15) (quoting Clapper, 133 S.Ct. at 1147– 48). 54 R. Doc. 24 at p. 15. 51 Id. 11 hypothetical or speculative to meet Clapper’s certainly im pending standard.55 Whether Plaintiff and other class m em bers actually becom e victim s of identity theft depends on num erous variables, including whether their data was actually taken when it was accessed, whether certain inform ation was decrypted, whether the data was actually m isused or transferred to another third party and m isused, and whether or not the third party succeeded in m isusing the inform ation. The m ere fact that Plaintiff’s inform ation was accessed during the Data Breach is insufficient to establish injury-in-fact. Thus, the potential threat of identity theft or identity fraud, to the extent any exists in this case, does not confer standing on Plaintiff to pursue this action in federal court. 56 The Com plaint also alleges that Plaintiff and the putative class m em bers have spent, or will need to spend, both tim e and out-of-pocket expenses to protect them selves from identity theft or identity fraud and/ or the increased risk of either occurring.57 As the Suprem e Court m ade clear in Clapper, m itigation expenses do not qualify as injuryin-fact when the alleged harm is not im m inent.58 Therefore, Plaintiff’s allegations relating to costs already incurred or that m ay be incurred to m onitor against future identity theft or identity fraud likewise fail to constitute injury-in-fact for standing purposes.59 55 See Clapper, 133 S.Ct. at 1148; Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334, 2341 (20 14) (“An injury m ust be concrete and particularized and actual or im m inent, not conjectural or hypothetical.” (internal quotation m arks and citation om itted)). To the extent there is any relevant difference between the “certainly im pending” and “substantial risk” standards, Plaintiff in this case has not dem onstrated either. 56 Because the Court finds Plaintiff has not satisfied the injury-in-fact element required for him to have standing, the Court need not address the traceability or redressability elem ents. 57 R. Doc. 1 ¶ 61. 58 See Clapper, 133 S.Ct. at 1155 (stating plaintiffs “cannot m anufacture standing by incurring costs in anticipation of non-im m inent harm ”). 59 Additionally, because there have been no reported incidences of actual identity theft or identity fraud as a result of the Data Breach and since no financial inform ation or Social Security num bers were accessed during the Data Breach, there is no reason to believe such mitigation costs are necessary. The Com plaint also alleges “deprivation of the value of their personal inform ation.” R. Doc. 1 ¶ 61, 77, 87, 91, 120 . Even if the Court were to find that personal inform ation has an inherent value and the deprivation of such value 12 Based on Plaintiff’s failure to allege facts showing he has suffered an actual or im m inent injury, the Court m ust dism iss the Class Action Com plaint for lack of standing. This disposition is in line with the vast m ajority of post-Clapper data breach cases where no actual identity theft or identity fraud was alleged.60 Plaintiff lacks standing to sue in federal court unless and until he suffers an actual injury or faces an im m inent injury traceable to the Data Breach that can be fully com pensated with m oney dam ages, and there is sim ply no com pensable injury at this tim e. Given the Court’s lack of original jurisdiction over Plaintiff’s federal claim s, the Court declines to exercise supplem ental jurisdiction over the state law claim s pursuant to 28 U.S.C. § 1367. Thus, the state law claim s are dism issed without prejudice.61 CON CLU SION Based on the foregoing analysis and discussion, Plaintiff has not adequately alleged Article III standing. For that reason, the case m ust be dism issed for want of subject-m atter jurisdiction.62 Accordingly, IT IS ORD ERED that eBay’s Motion to Dism iss for lack of standing (R. Doc. 20 ) be and hereby is GRAN TED , and the Class Action Com plaint is D ISMISSED without prejudice. is an injury sufficient to confer standing, Plaintiff has failed to allege facts indicating how the value of his personal inform ation has decreased as a result of the Data Breach. See Galaria v. Nationw ide Mut. Ins. Co., 998 F. Supp. 2d 646, 659 (S.D. Ohio 20 14) (“A few courts have concluded plaintiffs’ PII does not have inherent monetary value. Others hold that even if PII has value, the deprivation of which could confer standing, plaintiffs m ust allege facts in their Com plaint which show they were actually deprived of that value in order to have standing.” (internal quotation m arks and citations om itted)). Neither has Plaintiff alleged an injury-in-fact with respect to overpaym ent. See Lew ert v. P.F. Chang’s China Bistro, Inc., No. 14-4787, 20 14 WL 70 0 50 97, at *2 (N.D. Ill. Dec. 10 , 20 14) (unpublished). 60 See supra note 33; see also In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 27– 28 (D.D.C. 20 14) (“This is not to say that courts have uniform ly denied standing in data-breach cases. Most cases that found standing in sim ilar circum stances, however, were decided preClapper or rely on pre-Clapper precedent and are, at best, thinly reasoned.” (citations omitted)). 61 The Court expresses no opinion on the viability of Plaintiff’s state law claim s. 62 It is thus unnecessary for the Court to consider eBay’s rem aining argum ents under Federal Rule of Civil Procedure 12(b)(6). 13 N e w Orle an s , Lo u is ian a, th is 4th d ay o f May, 2 0 15. _____________________ _________ SU SIE MORGAN U N ITED STATES D ISTRICT JU D GE 14
]]>
Some case metadata and case summaries were written with the help of AI, which can produce inaccuracies. You
should read the full case before relying on it for legal research purposes.
This site is protected by reCAPTCHA and the Google
Privacy Policy and
Terms of Service apply.
