The Atlanta Lawyer August/September 2016 | Page 21

LEGAL MINUTE Article III Standing Remains a Hotly Litigated Issue within Compelling Data Privacy Breach Cases Sam Crochet Hall Booth Smith, P.C. [email protected] Due to the recent proliferation of widely publicized data breach cases, defense attorneys have focused heavily on early-stage motions to dismiss for lack of Article III standing. Meanwhile, the plaintiffs' bar has countered this approach by generating creative theories of injury in an attempt to sidestep the constitutional requirement. In recent months, federal courts have delivered controversial rulings on standing, which reflect the unpredictable and ever-changing legal framework behind the issue. In mid-July of this year, the defense community scored a victory in the ongoing debate as to when theft of an individual’s data becomes a concrete injury for purposes of establishing standing to sue. In Torres v. Wendy's, A Florida plaintiff filed a federal class action against Wendy’s following an early-2016 data breach. To support his case, the plaintiff claimed he experienced two fraudulent charges on his debit card, but offered no evidence they were not reimbursed by his bank. The plaintiff further argued he suffered a concrete injury due to identity theft alone, which he contended was sufficient to trigger standing. The Court granted Wendy's Motion to Dismiss, reasoning that, since the plaintiff did not allege personal monetary harm stemming from the two fraudulent charges, he failed to allege actual harm sufficient to establish an injury-in-fact. The Court also addressed the plaintiff's claim he had standing due to the threat of future harm given the potential fraud and identity theft. Traditionally, courts have ruled harm must be "certainly impending," if it has not yet manifested, in order to confer standing. The Court relied on this precedent, ruling the “plaintiff’s alleged harm [was] highly speculative and the asserted injuries [did] not appear 'certainly impending'." injury, is not enough to trigger standing. In June, the New York Court denied a Motion to Dismiss where the defendant violated a state privacy statute, even though the harm amounted to only invasion of privacy and unjust enrichment (no concrete financial loss). In this case, Boelter v. Hearst Communications, Inc., the plaintiff subscribed to the defendant's magazine. The plaintiff alleged the defendant violated a state privacy statute (Michigan's Video Rental Privacy Act) by selling her personal information to a third party. The defendant immediately requested the Judge dismiss the complaint for lack of standing, arguing the plaintiff's allegations failed to assert a concrete injury-in-fact and alleged only bare procedural violations of the law. In response, the plaintiff argued the defendant's sale