Green v. eBay Inc.

Filing 38

ORDER AND REASONS - IT IS ORDERED that eBays Motion to Dismiss for lack of standing 20 be and hereby is GRANTED, and the Class Action Complaint is DISMISSED without prejudice. Signed by Judge Susie Morgan on 5/4/2015. (bwn)

Download PDF
UNITED STATES DISTRICT COURT EASTERN DISTRICT OF LOUISIANA COLLIN GREEN, Plaintiff CIVIL ACTION VERSUS NO. 14-1688 EBAY INC., Defendant SECTION: “E” (4) ORDER AND REASONS Before the Court is Defendant eBay Inc.’s (“eBay”) Motion to Dismiss Plaintiff’s Class Action Complaint pursuant to Federal Rules of Civil Procedure 12(b)(1) and 12(b)(6).1 In its motion, eBay first argues the Class Action Complaint should be dismissed pursuant to Rule 12(b)(1) because Plaintiff Collin Green, the sole named Plaintiff in this action, has failed to allege a cognizable injury-in-fact; therefore, he lacks Article III standing to pursue this case in federal court. In the alternative, eBay contends the Class Action Complaint should be dismissed pursuant to Rule 12(b)(6) for failure to state a claim upon which relief can be granted. This case raises the issue of whether the increased risk of future identity theft or identity fraud posed by a data security breach confers Article III standing on individuals whose information has been compromised by the data breach but whose information has not yet been misused. After considering the parties’ briefs and the relevant case law, the Court finds itself positioned with the majority of district courts that have held the answer is no. Because Plaintiff has failed to allege a cognizable Article III injury, the 1 R. Doc. 20. 1 Court grants eBay’s motion and dismisses the Class Action Complaint for lack of standing. BACKGROUND eBay is a global e-commerce website that enables its over 120 million active users to buy and sell in an online marketplace.2 In its normal course of business, eBay maintains personal information of its users, including: names, encrypted passwords, dates of birth, email addresses, physical addresses, and phone numbers.3 In February and March 2014, unknown persons accessed eBay’s files containing this user information (the “Data Breach”).4 On May 21, 2014, eBay notified its users of the Data Breach and recommended that users change their passwords.5 Although eBay also collects other information, including credit card and bank account information, there is no indication that any financial information was accessed or stolen during the Data Breach.6 Plaintiff Collin Green filed this 10-count consumer privacy putative class action against eBay on behalf of himself and all eBay users in the United States whose personal information was accessed during the Data Breach.7 Plaintiff alleges that as a direct and proximate result of eBay’s conduct, “Plaintiff and the putative class members have R. Doc. 1 ¶ 3. Id. ¶ 4. 4 Id. 5 Id. ¶ 5. 6 Id. ¶¶ 19–20 (“At this time Plaintiff is unsure how much, if any, of these additional highly detailed classes of personal information were also stolen due to eBay’s failures.”). Additionally, Plaintiff incorporates by reference into his Complaint eBay’s Form 8-K for the period ending May 21, 2014, R. Doc. 1 ¶ 13 n.1, which eBay requested that the Court consider in conjunction with its motion to dismiss. R. Doc. 23. The Form 8-K incorporates by reference a press release issued by eBay on May 21, 2014, which states: “The company said it has . . . no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats. . . . The company also said it has no evidence of unauthorized access or compromises to personal or financial information for PayPal users. PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted.” R. Doc. 23-6. 7 R. Doc. 1 ¶ 123. 2 3 2 suffered economic damages,”8 “actual identity theft, as well as (i) improper disclosures of their personal information; (ii) out-of-pocket expenses incurred to mitigate the increased risk of identity theft and/or identity fraud due to eBay’s failures; (iii) the value of their time spent mitigating identity theft and/or identity fraud, and/or the increased risk of identity theft and/or identity fraud; (iv) and deprivation of the value of their personal information.”9 The Class Action Complaint asserts federal causes of action under the Federal Stored Communications Act, Fair Credit Reporting Act, and GrammLeach-Bliley Act and several state law causes of action, including negligence, breach of contract, and violation of state privacy laws. eBay now moves to dismiss the Class Action Complaint pursuant to Federal Rules of Civil Procedure 12(b)(1) for lack of standing and 12(b)(6) for failure to state a claim.10 ANALYSIS The gravamen of eBay’s motion to dismiss is that Plaintiff lacks Article III standing to bring this action in both his individual and representative capacities. eBay contends the Court lacks subject-matter jurisdiction because Plaintiff “has not alleged any cognizable injury whatsoever, and he thus lacks Article III standing.”11 eBay argues “Plaintiff does not allege that he has been injured by misuse of the stolen information[,] . . . that anyone has used his password, or that anyone has even tried to commit identity fraud with his information—let alone that anyone has actually succeeded in doing so— and that he has thereby suffered harm.”12 Instead, eBay claims “Plaintiff relies on vague, speculative assertions of possible future injury—that maybe at some point in the future, Id. ¶ 55. Id. ¶ 61. 10 R. Doc. 20. 11 R. Doc. 20-1 at p. 12. 12 Id. 8 9 3 he might be harmed. . . . But the speculative possibility of future injury does not constitute injury-in-fact.”13 eBay asserts that the Supreme Court recently made clear in Clapper v. Amnesty International USA that a future injury must be “certainly impending” to establish injury-in-fact, and “[b]ecause Plaintiff has not alleged specific facts constituting an injury that is present or ‘certainly impending,’ Plaintiff lacks standing and the Complaint must be dismissed.”14 In support, eBay points to numerous post-Clapper data breach cases where courts have held that neither the increased risk of identity theft nor expenses incurred to mitigate this speculative risk constitute injury-infact as required for Article III standing.15 Plaintiff argues eBay has misconstrued recent Supreme Court case law on standing and contends the Class Action Complaint sufficiently alleges injury-in-fact because Plaintiff and the putative class members are now subject to the “statistically certain threat” of identity theft or identity fraud, and they have incurred, or will incur, costs to mitigate that risk.16 Plaintiff states his personal information was stolen, along with that of all of the members of the putative class, and “[e]mpirical data shows a vast number of the class members will be significantly harmed.”17 Although Plaintiff concedes the entire class may not suffer injury,18 he argues the Fifth Circuit “has explained . . . that the fact a section of the class may not suffer the damages alleged is not sufficient to destroy Article III standing; it is the allegation of injury that determines at this phase.”19 Id. Id. (citing 133 S.Ct. 1138 (2013)). 15 R. Doc. 20-1 at pp. 17–18. For examples of such cases, see infra note 33. 16 R. Doc. 24. 17 Id. at pp. 13, 15. 18 Id. at p. 15. 19 Id. at p. 17. 13 14 4 “Article III of the United States Constitution limits the jurisdiction of federal courts to actual ‘Cases’ and ‘Controversies.’”20 “One element of the case-or-controversy requirement is that plaintiffs must establish that they have standing to sue.”21 Because standing is a matter of subject-matter jurisdiction, a motion to dismiss for lack of standing is properly brought pursuant to Federal Rule of Civil Procedure 12(b)(1).22 Federal courts must dismiss an action if, “at any time,” it is determined that subjectmatter jurisdiction is lacking.23 As the party invoking federal jurisdiction, the plaintiff constantly bears the burden of establishing the jurisdictional requirements, including standing.24 “To establish Article III standing, a plaintiff must show (1) an ‘injury in fact,’ (2) a sufficient ‘causal connection between the injury and the conduct complained of,’ and (3) a ‘likel[ihood]’ that the injury ‘will be redressed by a favorable decision.’”25 The first prong focuses on whether the plaintiff suffered harm, the second focuses on who inflicted that harm, and the third focuses on whether a favorable decision will likely Crane v. Johnson, ---F.3d---, No. 14-10049, 2015 WL 1566621, at *7 (5th Cir. Apr. 7, 2015) (citing U.S. CONST., art. III, § 2). 21 Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1146 (2013) (internal quotation marks and citation omitted). 22 See FED. R. CIV. P. 12(b)(1). A motion to dismiss for lack of standing may be either ‘facial’ or ‘factual.’” Superior MRI Servs., Inc. v. Alliance Healthcare Servs., Inc., 778 F.3d 502, 504 (5th Cir. 2015) (citing Paterson v. Weinberger, 644 F.2d 521, 523 (5th Cir. 1981)). eBay does not “submit[] affidavits, testimony, or other evidentiary matters” to factually challenge the Court’s jurisdiction; rather, eBay attacks the sufficiency of the Class Action Complaint on the grounds that the pleaded facts do not establish Article III standing. Id.; R. Doc. 20. Accordingly, eBay’s motion is a facial attack, and the Court may consider only the allegations in the Class Action Complaint and any documents referenced therein or attached thereto when determining whether Plaintiff’s jurisdictional allegations are sufficient. See Paterson, 644 F.2d at 523. 23 See FED. R. CIV. P. 12(h)(3). 24 See Ramming v. United States, 281 F.3d 158, 161 (5th Cir. 2001) (citations omitted); Crane, 2015 WL 1566621, at *3. 25 Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334, 2341 (2014) (alteration in original) (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 560–61 (1992)). The fact that Plaintiff alleges statutory violations does not alone establish standing. See In re Barnes & Noble Pin Pad Litig., No. 12-8617, 2013 WL 4759588, at *3 (N.D. Ill. Sept. 3, 2013) (“Even assuming the statutes have been violated by the delay or inadequacy of [Defendant’s] notification, breach of these statutes is insufficient to establish standing without any actual damages due to the breach. Plaintiffs must plead an injury beyond a statutory violation to meet the standing requirement of Article III.”). 20 5 alleviate that harm.26 Although all three elements are required for Article III standing, the injury-in-fact element is often determinative.27 In the class action context, “named plaintiffs who represent a class must allege and show that they personally have been injured, not that injury has been suffered by other, unidentified members of the class.”28 “[I]f none of the named plaintiffs purporting to represent a class establishes the requisite of a case or controversy with the defendants, none may seek relief on behalf of himself or any other member of the class.”29 In this case, eBay contends Green, the only named Plaintiff, lacks standing because he has failed to allege a cognizable injury. The injury-in-fact element “helps ensure that the plaintiff has a personal stake in the outcome of the controversy.”30 Recently, the Supreme Court in Clapper v. Amnesty International USA provided guidance on the standard for establishing injury-in-fact:31 [A]n injury must be concrete, particularized, and actual or imminent . . . . Although imminence is concededly a somewhat elastic concept, it cannot be stretched beyond its purpose, which is to ensure that the alleged injury is not too speculative for Article III purposes—that the injury is certainly impending. Thus, we have repeatedly reiterated that threatened injury must be certainly impending to constitute injury in fact, and that allegations of possible future injury are not sufficient.32 Following Clapper, the majority of courts faced with data breach class actions where complaints alleged personal information was accessed but where actual identity See Lujan, 504 U.S. at 560–61. See Toll Bros. v. Twp. of Readington, 555 F.3d 131, 138 (3d Cir. 2009); Bellow v. U.S. Dep’t of Health & Human Servs., No. 10-165, 2011 WL 2470456, at *5 (E.D. Tex. Mar. 21, 2011) report and recommendation adopted, No. 10-165, 2011 WL 2462205 (E.D. Tex. June 20, 2011). 28 Brown v. Protective Life Ins. Co., 353 F.3d 405, 407 (5th Cir. 2003) (internal quotation marks and citation omitted). 29 O’Shea v. Littleton, 414 U.S. 488, 494 (1974). 30 Susan B. Anthony List, 134 S. Ct. at 2341 (internal quotation marks and citation omitted). 31 133 S.Ct. 1138 (2013). 32 Id. at 1147 (alteration omitted) (internal quotation marks and citations omitted). 26 27 6 theft was not alleged have applied this “certainly impending” standard; notably, where plaintiffs have alleged their injury was the increased risk of identity theft, courts have dismissed the complaints for lack of Article III standing.33 These courts found that the mere increased risk of identity theft or identity fraud alone does not constitute a cognizable injury unless the harm alleged is certainly impending.34 For example, in Strautins v. Trustwave Holdings, Inc., a hacker infiltrated the South Carolina Department of Revenue, and “approximately 3.6 million Social Security numbers, 387,000 credit and debit card numbers, and tax records for 657,000 See, e.g., In re Horizon Healthcare Servs., Inc. Data Breach Litig., No. 13-7418, 2015 WL 1472483 (D.N.J. Mar. 31, 2015) (unpublished); Peters v. St. Joseph Servs. Corp., ---F. Supp. 3d---, No. 14-2872, 2015 WL 589561 (S.D. Tex. Feb. 11, 2015); Storm v. Paytime, Inc., ---F. Supp. 3d---, No. 14-1138, 2015 WL 1119724 (M.D. Pa. Mar. 13, 2015); Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-4787, 2014 WL 7005097, at *4 (N.D. Ill. Dec. 10, 2014) (unpublished), appeal docketed, No. 14-3700 (7th Cir. Dec. 12, 2014); Remijas v. Neiman Marcus Grp., LLC, No. 14-1735, 2014 WL 4627893 (N.D. Ill. Sept. 16, 2014) (unpublished), appeal docketed, 14-3122 (7th Cir. Sept. 26, 2014); Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646 (S.D. Ohio 2014); Strautins v. Trustwave Holdings, Inc., 27 F. Supp. 3d 871 (N.D. Ill. 2014); In re Barnes & Noble Pin Pad Litig., No. 12-8617, 2013 WL 4759588 (N.D. Ill. Sept. 3, 2013). But see In re Target Corp. Data Sec. Breach Litig., ---F. Supp. 3d---, No. MDL 14-2522, 2014 WL 7192478, at *2 (D. Minn. Dec. 18, 2014) (finding the plaintiffs sufficiently alleged injury in a data breach case without citing Clapper or the certainly imminent standard). 34 Plaintiff cites three post-Clapper cases involving the threat of future identity theft or identity fraud where the courts found standing: Moyer v. Michaels Stores, Inc., No. 14-561, 2014 WL 3511500, at *5 (N.D. Ill. July 14, 2014) (unpublished); In re Adobe Sys., Inc. Privacy Litig., ---F. Supp. 3d---, No. 135226, 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014); and In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942 (S.D. Cal. 2014). In Moyer, the court concluded that the Supreme Court’s decision in Susan B. Anthony List v. Driehaus, a more recent opinion discussing the injury-in-fact requirement for standing, indicates Clapper’s imminence standard is a rigorous standing analysis to be applied only in cases that involve national security or constitutional issues. 2014 WL 3511500 (citing 134 S. Ct. 2334 (2014)). In Susan B. Anthony List, the Supreme Court stated: “An allegation of future injury may suffice if the threatened injury is ‘certainly impending,’ or there is a ‘“substantial risk”’ that the harm will occur.’” 134 S. Ct. at 2341 (quoting Clapper, 133 S.Ct. at 1147, 1150, n.5). Although there are conflicting readings of the Clapper standard in light of Susan B. Anthony List, the underlying facts in this case lead to the conclusion that Plaintiff lacks standing under either the certainly impending or substantial risk standard. Additionally, all three cases Plaintiff points to are distinguishable from the instant case. Those courts analyzed the cases under pre-Clapper circuit precedent, finding Clapper did not overrule the precedent by setting forth a new Article III framework. Both In re Sony and In re Adobe cite the Ninth Circuit’s opinion in Krottner v. Starbucks, 628 F.3d 1139 (9th Cir. 2010). 996 F. Supp. 2d at 961–62; 2014 WL 4379916, at *6. Moyer cites the Seventh Circuit’s opinion in Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. 2007). 2014 WL 3511500, at *6. Additionally, all three cases involved stolen financial information, such as credit or debit card numbers, whereas Plaintiff in this case has not alleged any financial information was stolen. 33 7 businesses had been exposed.”35 The plaintiff filed a class action claiming she and the other class members incurred the following injuries: (1) untimely and/or inadequate notification of the Data Breach; (2) improper disclosure of [personal identifying information]; (3) loss of privacy; (4) out-of-pocket expenses incurred to mitigate the increased risk of identity theft and/or identity fraud pressed upon them by the Data Breach; (5) the value of time spent mitigating identity theft and/or identity fraud and/or the increased risk of identity theft and/or identity fraud; (6) deprivation of the value of [personal identifying information]; and (7) violations of rights under the Fair Credit Reporting Act.36 The court in Strautins stated that “[t]hese claims of injury, however, are too speculative to permit the complaint to go forward.”37 This is because under Clapper, “allegations of possible future injury are not sufficient to establish standing. . . . [T]he threatened injury must be certainly impending.”38 Even where actual fraudulent credit card charges are made after a data breach, courts have held the injury requirement still is not satisfied if the plaintiffs were not held financially responsible for paying such charges. For example, in Peters v. St. Joseph Services Corp., hackers infiltrated a health care service provider’s network and accessed personal information of patients and employees, including names, social security numbers, birthdates, addresses, medical records, and bank account information.39 Even though there was an attempted purchase on the plaintiff’s credit card, which was declined by the plaintiff when she received a fraud alert, the court held the plaintiff did not have standing.40 The Court found the plaintiff’s theory based on a certainly impending or substantial risk of identity theft/fraud was too speculative and attenuated 27 F. Supp. 3d 871, 872 (N.D. Ill. 2014). Id. at 875. 37 Id. 38 Id. (internal quotation marks and citations omitted). 39 No. 14-2872, 2015 WL 589561 (S.D. Tex. Feb. 11, 2015). 40 Id. 35 36 8 to constitute injury-in-fact because she was unable to “describe how [she would] be injured without beginning the explanation with the word ‘if.’”41 Similarly, the court in Remijas v. Neiman Marcus Group, LLC found the complaint did not adequately allege standing on the basis of increased risk of future identity theft.42 Despite the fact that thousands of Neiman Marcus customers had actual fraudulent charges on their credit cards, the court found the plaintiffs failed to allege that any of the fraudulent charges were unreimbursed, and the court was “not persuaded that unauthorized credit card charges for which none of the plaintiffs are financially responsible qualify as ‘concrete’ injuries.”43 Although Plaintiff’s Class Action Complaint states all members of the putative class “have suffered actual identity theft,”44 Plaintiff makes this conclusory statement without any allegations of actual incidents of identity theft that any class member has suffered, let alone that Plaintiff himself has suffered. Plaintiff does not allege that any of the information accessed was actually misused or that there has even been an attempt to use it. Plaintiff has not alleged that his password was decrypted and utilized or that any of his other personal information has been leveraged in any way. As Plaintiff’s opposition makes clear, his true argument is that his injury-in-fact is the increased risk of future identity theft or identity fraud—not actual identity theft or identity fraud.45 Thus, for Plaintiff to have standing under Article III, the threat of identity theft or Id. at *5 (internal quotation marks and citation omitted). The plaintiff also alleged other injuries tied to the data breach. She alleged that someone attempted to access her Amazon account by using her son’s name, which plaintiff claimed could have only been obtained from the names and next-of-kin information she provided to the health care service provider. Id. at *2. Additionally, she claimed the data breach was the reason she received daily phone solicitations from medical products and service providers. Id. She further complained her email account and mailing address were compromised. Id. 42 No. 14-1735, 2014 WL 4627893, at *3 (N.D. Ill. Sept. 16, 2014). 43 Id. 44 R. Doc. 1 ¶¶ 61, 77, 87, 91, 120. 45 R. Doc. 24. 41 9 identity fraud must be concrete, particularized, and imminent—meaning the harm must be certainly impending.46 The Court finds Plaintiff has failed to allege an injury-in-fact: the allegations in the Complaint fail to demonstrate a concrete and particularized actual or threatened injury that is certainly impending. In most data breach cases, the complaints allege sensitive information was stolen, such as financial information or Social Security numbers.47 In such cases, courts nonetheless have found that the mere risk of identity theft is insufficient to confer standing, even in cases where there were actual attempts to use the stolen information.48 In this case, there is no evidence that any financial information or Social Security numbers were accessed during the Data Breach. Additionally, the fact there is no evidence of actual or even attempted identity theft or identity fraud further supports the Court’s finding that Plaintiff has failed to show the alleged future injury is certainly impending. Furthermore, “[i]t is well settled that ‘[a] claim of injury generally is too conjectural or hypothetical to confer standing when the injury’s existence depends on the decisions of third parties,’”49 and the existence of Plaintiff’s alleged injury in this case rests on whether third parties decide to do anything with the information. If they choose to do nothing, there will never be an injury. See Crane v. Johnson, ---F.3d---, No. 14-10049, 2015 WL 1566621, at *6 (5th Cir. Apr. 7, 2015) (citing Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147 (2013) and Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334, 2341 (2014)). 47 See, e.g., In re Horizon Healthcare Servs., Inc. Data Breach Litig., No. 13-7418, 2015 WL 1472483 (D.N.J. Mar. 31, 2015) (unpublished); Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-4787, 2014 WL 7005097, at *4 (N.D. Ill. Dec. 10, 2014) (unpublished); Strautins v. Trustwave Holdings, Inc., 27 F. Supp. 3d 871, 872 (N.D. Ill. 2014). 48 See, e.g., Peters v. St. Joseph Servs. Corp., No. 14-2872, 2015 WL 589561 (S.D. Tex. Feb. 11, 2015); Remijas v. Neiman Marcus Grp., LLC, No. 14-1735, 2014 WL 4627893, at *3 (N.D. Ill. Sept. 16, 2014); In Re Barnes & Noble Pin Pad Litigation, 2013 WL 4759588 (N.D. Ill. Sept. 3, 2013). 49 Hotze v. Burwell, ---F.3d---, No. 14-20039, 2015 WL 1881418, at *9 (5th Cir. Apr. 24, 2015) (second alteration in original) (quoting Little v. KPMG LLP, 575 F.3d 533, 540 (5th Cir. 2009) and citing Clapper, 133 S.Ct. at 1150). 46 10 Indeed, Plaintiff’s Complaint makes clear that he does not face a certainly impending risk of future identity theft or identity fraud. For example, the Complaint states: “Criminals who now possess Plaintiffs’ [sic] and the class members’ personal information may hold the information for later use, or continue to sell it between identity thieves. Thus, Plaintiff and the class members must be vigilant for many years in checking for fraud in their name, and be prepared to deal with the steep costs associated with identity fraud.”50 Additionally, the Complaint states: “Studies indicate that individuals whose personal information is stolen are approximately 9.5 times more likely than other people to suffer identity fraud. Moreover, it can take time before the identity thieves use the stolen information.”51 However, an increase in the risk of harm is irrelevant—the true question is whether the harm is certainly impending.52 Just as in Peters v. St. Joseph Sevices Corp., the allegations in Plaintiff’s Class Action Complaint make clear that “[t]he misuse of the accessed information could take any number of forms, at any point in time. . . . It may even be impossible to determine whether the misused information was obtained from exposure caused by the Data Breach or from some other source. Ultimately, [Plaintiff’s] theory of standing ‘relies on a highly attenuated chain of possibilities.’ As such, it fails to satisfy the requirement that ‘threatened injury be certainly impending to constitute injury in fact.’”53 Although Plaintiff claims “[t]he only purpose to steal the information [from eBay] is to profit from it,”54 nothing in the Complaint indicates the threat of future identity theft or identity fraud is certainly impending. The potential injury in this case is far too R. Doc. 1 ¶¶ 33–34 (emphasis added). Id. ¶ 33. 52 See In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 25 (D.D.C. 2014). 53 No. 14-2872, 2015 WL 589561, at *5 (S.D. Tex. Feb. 11, 2015) (quoting Clapper, 133 S.Ct. at 1147–48). 54 R. Doc. 24 at p. 15. 50 51 11 hypothetical or speculative to meet Clapper’s certainly impending standard.55 Whether Plaintiff and other class members actually become victims of identity theft depends on numerous variables, including whether their data was actually taken when it was accessed, whether certain information was decrypted, whether the data was actually misused or transferred to another third party and misused, and whether or not the third party succeeded in misusing the information. The mere fact that Plaintiff’s information was accessed during the Data Breach is insufficient to establish injury-in-fact. Thus, the potential threat of identity theft or identity fraud, to the extent any exists in this case, does not confer standing on Plaintiff to pursue this action in federal court.56 The Complaint also alleges that Plaintiff and the putative class members have spent, or will need to spend, both time and out-of-pocket expenses to protect themselves from identity theft or identity fraud and/or the increased risk of either occurring.57 As the Supreme Court made clear in Clapper, mitigation expenses do not qualify as injuryin-fact when the alleged harm is not imminent.58 Therefore, Plaintiff’s allegations relating to costs already incurred or that may be incurred to monitor against future identity theft or identity fraud likewise fail to constitute injury-in-fact for standing purposes.59 See Clapper, 133 S.Ct. at 1148; Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334, 2341 (2014) (“An injury must be concrete and particularized and actual or imminent, not conjectural or hypothetical.” (internal quotation marks and citation omitted)). To the extent there is any relevant difference between the “certainly impending” and “substantial risk” standards, Plaintiff in this case has not demonstrated either. 56 Because the Court finds Plaintiff has not satisfied the injury-in-fact element required for him to have standing, the Court need not address the traceability or redressability elements. 57 R. Doc. 1 ¶ 61. 58 See Clapper, 133 S.Ct. at 1155 (stating plaintiffs “cannot manufacture standing by incurring costs in anticipation of non-imminent harm”). 59 Additionally, because there have been no reported incidences of actual identity theft or identity fraud as a result of the Data Breach and since no financial information or Social Security numbers were accessed during the Data Breach, there is no reason to believe such mitigation costs are necessary. The Complaint also alleges “deprivation of the value of their personal information.” R. Doc. 1 ¶ 61, 77, 87, 91, 120. Even if the Court were to find that personal information has an inherent value and the deprivation of such value 55 12 Based on Plaintiff’s failure to allege facts showing he has suffered an actual or imminent injury, the Court must dismiss the Class Action Complaint for lack of standing. This disposition is in line with the vast majority of post-Clapper data breach cases where no actual identity theft or identity fraud was alleged.60 Plaintiff lacks standing to sue in federal court unless and until he suffers an actual injury or faces an imminent injury traceable to the Data Breach that can be fully compensated with money damages, and there is simply no compensable injury at this time. Given the Court’s lack of original jurisdiction over Plaintiff’s federal claims, the Court declines to exercise supplemental jurisdiction over the state law claims pursuant to 28 U.S.C. § 1367. Thus, the state law claims are dismissed without prejudice.61 CONCLUSION Based on the foregoing analysis and discussion, Plaintiff has not adequately alleged Article III standing. For that reason, the case must be dismissed for want of subject-matter jurisdiction.62 Accordingly, IT IS ORDERED that eBay’s Motion to Dismiss for lack of standing (R. Doc. 20) be and hereby is GRANTED, and the Class Action Complaint is DISMISSED without prejudice. is an injury sufficient to confer standing, Plaintiff has failed to allege facts indicating how the value of his personal information has decreased as a result of the Data Breach. See Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646, 659 (S.D. Ohio 2014) (“A few courts have concluded plaintiffs’ PII does not have inherent monetary value. Others hold that even if PII has value, the deprivation of which could confer standing, plaintiffs must allege facts in their Complaint which show they were actually deprived of that value in order to have standing.” (internal quotation marks and citations omitted)). Neither has Plaintiff alleged an injury-in-fact with respect to overpayment. See Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-4787, 2014 WL 7005097, at *2 (N.D. Ill. Dec. 10, 2014) (unpublished). 60 See supra note 33; see also In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 27–28 (D.D.C. 2014) (“This is not to say that courts have uniformly denied standing in data-breach cases. Most cases that found standing in similar circumstances, however, were decided preClapper or rely on pre-Clapper precedent and are, at best, thinly reasoned.” (citations omitted)). 61 The Court expresses no opinion on the viability of Plaintiff’s state law claims. 62 It is thus unnecessary for the Court to consider eBay’s remaining arguments under Federal Rule of Civil Procedure 12(b)(6). 13 New Orleans, Louisiana, this 4th day of May, 2015. _____________________ _________ SUSIE MORGAN UNITED STATES DISTRICT JUDGE 14

Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.


Why Is My Information Online?