Christmas came early this year for an online gift shop that was named as a defendant in data breach litigation. Fus v. Cafepress, Inc., 2020 U.S. Dist. LEXIS 223077 (N.D. Ill. Nov. 30, 2020). In Fus, the court kicked plaintiffs’ claims concerning a data breach for lack of standing. Fus joins the growing number of cases this year that have been tossed for lack of subject matter jurisdiction, before reaching the merits of plaintiffs’ claims. Read on to hear about how it all went down.
As readers of CPW already know, in order for a data privacy litigation to proceed in federal court, plaintiffs are required to show that they satisfy the requirements of Article III standing. Based on Supreme Court precedent, there are three elements which together constitute the “irreducible constitutional minimum” of standing. A “plaintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Where a plaintiff does not have Article III standing, a federal district court lacks subject-matter jurisdiction to hear his or her claims.
As alleged in Fus, the defendant runs an online gift shop and ships its merchandise nationwide. In February 2019, defendant’s online databases were hacked, exposing the data associated with a total of 23,205,290 user accounts. The compromised data purportedly included users’ email addresses, passwords, names, addresses, phone numbers, the last four digits of their credit card numbers, credit card expiration dates, and Social Security numbers.
Plaintiff filed suit asserting claims for negligence and under state consumer protection statutes, seeking to represent a class of consumers whose data was disclosed in the breach. The plaintiff personally alleged that, upon receiving the notification of data breach, he spent time and money to mitigate potential harm by employing a credit monitoring service and freezing his credit. Plaintiff also alleged additional future impositions on his time, as he will “spend time and effort making phone calls to his bank and credit card company, monitoring his financial accounts, searching for fraudulent activity, and reviewing his credit reports.” The plaintiff claimed that had he known of defendant’s inadequate data security practices, he would never have patronized its website.
The court at the outset noted that standing was a “threshold” issue in determining whether plaintiff could bring the action. The defendant in Fus mounted a “factual” challenge to standing. This involves circumstances, the court explained, “where the complaint is formally sufficient but the contention is that there is in fact no subject matter jurisdiction.” Where a defendant mounts a factual challenge, “the court may look beyond the pleadings and view any evidence submitted to determine if subject matter jurisdiction exists.”
In support of its motion, defendant attached declarations from employees who had searched the defendant’s databases for transactions involving the plaintiff. This examination revealed only two transactions: one from 2008 and the other from December 2014. With regard to the 2008 transaction, nearly all of plaintiff’s personal information was permanently deleted by defendant in 2018—i.e., prior to the data breach—as part of a clean-up of old information. And with respect to the 2014 transaction, the plaintiff used a third party to pay for the purchase and then had the item shipped to his employer. According to defendant, the two declarations demonstrated that plaintiff did not have standing because the data breach did not cause him an injury-in-fact. Specifically, defendant asserted none of plaintiff’s non-public personal or financial information could have been exposed in the February 2019 data breach because defendant no longer possessed such information relating to plaintiff at the time of the breach.
The court agreed, holding that plaintiff’s information exposed in the data breach was not “particularly sensitive.” And the court also found that none of the arguments or evidence plaintiff raised in response sufficed for purposes of meeting plaintiff’s burden under Article III. As such, the case had to be dismissed for lack of subject matter jurisdiction.
So there you have it: another day, another data privacy litigation tossed by a federal court for procedural shortcomings that are unrelated to the merits of plaintiffs’ claims. Stay tuned.