Green v. eBay Inc.
Filing
38
ORDER AND REASONS - IT IS ORDERED that eBays Motion to Dismiss for lack of standing 20 be and hereby is GRANTED, and the Class Action Complaint is DISMISSED without prejudice. Signed by Judge Susie Morgan on 5/4/2015. (bwn)
UNITED STATES DISTRICT COURT
EASTERN DISTRICT OF LOUISIANA
COLLIN GREEN,
Plaintiff
CIVIL ACTION
VERSUS
NO. 14-1688
EBAY INC.,
Defendant
SECTION: “E” (4)
ORDER AND REASONS
Before the Court is Defendant eBay Inc.’s (“eBay”) Motion to Dismiss Plaintiff’s
Class Action Complaint pursuant to Federal Rules of Civil Procedure 12(b)(1) and
12(b)(6).1 In its motion, eBay first argues the Class Action Complaint should be
dismissed pursuant to Rule 12(b)(1) because Plaintiff Collin Green, the sole named
Plaintiff in this action, has failed to allege a cognizable injury-in-fact; therefore, he lacks
Article III standing to pursue this case in federal court. In the alternative, eBay contends
the Class Action Complaint should be dismissed pursuant to Rule 12(b)(6) for failure to
state a claim upon which relief can be granted.
This case raises the issue of whether the increased risk of future identity theft or
identity fraud posed by a data security breach confers Article III standing on individuals
whose information has been compromised by the data breach but whose information
has not yet been misused. After considering the parties’ briefs and the relevant case law,
the Court finds itself positioned with the majority of district courts that have held the
answer is no. Because Plaintiff has failed to allege a cognizable Article III injury, the
1
R. Doc. 20.
1
Court grants eBay’s motion and dismisses the Class Action Complaint for lack of
standing.
BACKGROUND
eBay is a global e-commerce website that enables its over 120 million active users
to buy and sell in an online marketplace.2 In its normal course of business, eBay
maintains personal information of its users, including: names, encrypted passwords,
dates of birth, email addresses, physical addresses, and phone numbers.3 In February
and March 2014, unknown persons accessed eBay’s files containing this user
information (the “Data Breach”).4 On May 21, 2014, eBay notified its users of the Data
Breach and recommended that users change their passwords.5 Although eBay also
collects other information, including credit card and bank account information, there is
no indication that any financial information was accessed or stolen during the Data
Breach.6
Plaintiff Collin Green filed this 10-count consumer privacy putative class action
against eBay on behalf of himself and all eBay users in the United States whose personal
information was accessed during the Data Breach.7 Plaintiff alleges that as a direct and
proximate result of eBay’s conduct, “Plaintiff and the putative class members have
R. Doc. 1 ¶ 3.
Id. ¶ 4.
4 Id.
5 Id. ¶ 5.
6 Id. ¶¶ 19–20 (“At this time Plaintiff is unsure how much, if any, of these additional highly detailed
classes of personal information were also stolen due to eBay’s failures.”). Additionally, Plaintiff
incorporates by reference into his Complaint eBay’s Form 8-K for the period ending May 21, 2014, R. Doc.
1 ¶ 13 n.1, which eBay requested that the Court consider in conjunction with its motion to dismiss. R. Doc.
23. The Form 8-K incorporates by reference a press release issued by eBay on May 21, 2014, which states:
“The company said it has . . . no evidence of any unauthorized access to financial or credit card
information, which is stored separately in encrypted formats. . . . The company also said it has no
evidence of unauthorized access or compromises to personal or financial information for PayPal users.
PayPal data is stored separately on a secure network, and all PayPal financial information is encrypted.”
R. Doc. 23-6.
7 R. Doc. 1 ¶ 123.
2
3
2
suffered economic damages,”8 “actual identity theft, as well as (i) improper disclosures
of their personal information; (ii) out-of-pocket expenses incurred to mitigate the
increased risk of identity theft and/or identity fraud due to eBay’s failures; (iii) the value
of their time spent mitigating identity theft and/or identity fraud, and/or the increased
risk of identity theft and/or identity fraud; (iv) and deprivation of the value of their
personal information.”9 The Class Action Complaint asserts federal causes of action
under the Federal Stored Communications Act, Fair Credit Reporting Act, and GrammLeach-Bliley Act and several state law causes of action, including negligence, breach of
contract, and violation of state privacy laws. eBay now moves to dismiss the Class Action
Complaint pursuant to Federal Rules of Civil Procedure 12(b)(1) for lack of standing and
12(b)(6) for failure to state a claim.10
ANALYSIS
The gravamen of eBay’s motion to dismiss is that Plaintiff lacks Article III
standing to bring this action in both his individual and representative capacities. eBay
contends the Court lacks subject-matter jurisdiction because Plaintiff “has not alleged
any cognizable injury whatsoever, and he thus lacks Article III standing.”11 eBay argues
“Plaintiff does not allege that he has been injured by misuse of the stolen information[,]
. . . that anyone has used his password, or that anyone has even tried to commit identity
fraud with his information—let alone that anyone has actually succeeded in doing so—
and that he has thereby suffered harm.”12 Instead, eBay claims “Plaintiff relies on vague,
speculative assertions of possible future injury—that maybe at some point in the future,
Id. ¶ 55.
Id. ¶ 61.
10 R. Doc. 20.
11 R. Doc. 20-1 at p. 12.
12 Id.
8
9
3
he might be harmed. . . . But the speculative possibility of future injury does not
constitute injury-in-fact.”13 eBay asserts that the Supreme Court recently made clear in
Clapper v. Amnesty International USA that a future injury must be “certainly
impending” to establish injury-in-fact, and “[b]ecause Plaintiff has not alleged specific
facts constituting an injury that is present or ‘certainly impending,’ Plaintiff lacks
standing and the Complaint must be dismissed.”14 In support, eBay points to numerous
post-Clapper data breach cases where courts have held that neither the increased risk of
identity theft nor expenses incurred to mitigate this speculative risk constitute injury-infact as required for Article III standing.15
Plaintiff argues eBay has misconstrued recent Supreme Court case law on
standing and contends the Class Action Complaint sufficiently alleges injury-in-fact
because Plaintiff and the putative class members are now subject to the “statistically
certain threat” of identity theft or identity fraud, and they have incurred, or will incur,
costs to mitigate that risk.16 Plaintiff states his personal information was stolen, along
with that of all of the members of the putative class, and “[e]mpirical data shows a vast
number of the class members will be significantly harmed.”17 Although Plaintiff
concedes the entire class may not suffer injury,18 he argues the Fifth Circuit “has
explained . . . that the fact a section of the class may not suffer the damages alleged is
not sufficient to destroy Article III standing; it is the allegation of injury that determines
at this phase.”19
Id.
Id. (citing 133 S.Ct. 1138 (2013)).
15 R. Doc. 20-1 at pp. 17–18. For examples of such cases, see infra note 33.
16 R. Doc. 24.
17 Id. at pp. 13, 15.
18 Id. at p. 15.
19 Id. at p. 17.
13
14
4
“Article III of the United States Constitution limits the jurisdiction of federal
courts to actual ‘Cases’ and ‘Controversies.’”20 “One element of the case-or-controversy
requirement is that plaintiffs must establish that they have standing to sue.”21 Because
standing is a matter of subject-matter jurisdiction, a motion to dismiss for lack of
standing is properly brought pursuant to Federal Rule of Civil Procedure 12(b)(1).22
Federal courts must dismiss an action if, “at any time,” it is determined that subjectmatter jurisdiction is lacking.23 As the party invoking federal jurisdiction, the plaintiff
constantly bears the burden of establishing the jurisdictional requirements, including
standing.24
“To establish Article III standing, a plaintiff must show (1) an ‘injury in fact,’ (2)
a sufficient ‘causal connection between the injury and the conduct complained of,’ and
(3) a ‘likel[ihood]’ that the injury ‘will be redressed by a favorable decision.’”25 The first
prong focuses on whether the plaintiff suffered harm, the second focuses on who
inflicted that harm, and the third focuses on whether a favorable decision will likely
Crane v. Johnson, ---F.3d---, No. 14-10049, 2015 WL 1566621, at *7 (5th Cir. Apr. 7, 2015) (citing U.S.
CONST., art. III, § 2).
21 Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1146 (2013) (internal quotation marks and citation
omitted).
22 See FED. R. CIV. P. 12(b)(1). A motion to dismiss for lack of standing may be either ‘facial’ or ‘factual.’”
Superior MRI Servs., Inc. v. Alliance Healthcare Servs., Inc., 778 F.3d 502, 504 (5th Cir. 2015) (citing
Paterson v. Weinberger, 644 F.2d 521, 523 (5th Cir. 1981)). eBay does not “submit[] affidavits, testimony,
or other evidentiary matters” to factually challenge the Court’s jurisdiction; rather, eBay attacks the
sufficiency of the Class Action Complaint on the grounds that the pleaded facts do not establish Article III
standing. Id.; R. Doc. 20. Accordingly, eBay’s motion is a facial attack, and the Court may consider only
the allegations in the Class Action Complaint and any documents referenced therein or attached thereto
when determining whether Plaintiff’s jurisdictional allegations are sufficient. See Paterson, 644 F.2d at
523.
23 See FED. R. CIV. P. 12(h)(3).
24 See Ramming v. United States, 281 F.3d 158, 161 (5th Cir. 2001) (citations omitted); Crane, 2015 WL
1566621, at *3.
25 Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334, 2341 (2014) (alteration in original) (quoting Lujan
v. Defenders of Wildlife, 504 U.S. 555, 560–61 (1992)). The fact that Plaintiff alleges statutory violations
does not alone establish standing. See In re Barnes & Noble Pin Pad Litig., No. 12-8617, 2013 WL
4759588, at *3 (N.D. Ill. Sept. 3, 2013) (“Even assuming the statutes have been violated by the delay or
inadequacy of [Defendant’s] notification, breach of these statutes is insufficient to establish standing
without any actual damages due to the breach. Plaintiffs must plead an injury beyond a statutory violation
to meet the standing requirement of Article III.”).
20
5
alleviate that harm.26 Although all three elements are required for Article III standing,
the injury-in-fact element is often determinative.27
In the class action context, “named plaintiffs who represent a class must allege
and show that they personally have been injured, not that injury has been suffered by
other, unidentified members of the class.”28 “[I]f none of the named plaintiffs
purporting to represent a class establishes the requisite of a case or controversy with the
defendants, none may seek relief on behalf of himself or any other member of the
class.”29
In this case, eBay contends Green, the only named Plaintiff, lacks standing
because he has failed to allege a cognizable injury. The injury-in-fact element “helps
ensure that the plaintiff has a personal stake in the outcome of the controversy.”30
Recently, the Supreme Court in Clapper v. Amnesty International USA provided
guidance on the standard for establishing injury-in-fact:31
[A]n injury must be concrete, particularized, and actual or imminent . . . .
Although imminence is concededly a somewhat elastic concept, it cannot
be stretched beyond its purpose, which is to ensure that the alleged injury
is not too speculative for Article III purposes—that the injury is certainly
impending. Thus, we have repeatedly reiterated that threatened injury
must be certainly impending to constitute injury in fact, and that
allegations of possible future injury are not sufficient.32
Following Clapper, the majority of courts faced with data breach class actions
where complaints alleged personal information was accessed but where actual identity
See Lujan, 504 U.S. at 560–61.
See Toll Bros. v. Twp. of Readington, 555 F.3d 131, 138 (3d Cir. 2009); Bellow v. U.S. Dep’t of Health &
Human Servs., No. 10-165, 2011 WL 2470456, at *5 (E.D. Tex. Mar. 21, 2011) report and
recommendation adopted, No. 10-165, 2011 WL 2462205 (E.D. Tex. June 20, 2011).
28 Brown v. Protective Life Ins. Co., 353 F.3d 405, 407 (5th Cir. 2003) (internal quotation marks and
citation omitted).
29 O’Shea v. Littleton, 414 U.S. 488, 494 (1974).
30 Susan B. Anthony List, 134 S. Ct. at 2341 (internal quotation marks and citation omitted).
31 133 S.Ct. 1138 (2013).
32 Id. at 1147 (alteration omitted) (internal quotation marks and citations omitted).
26
27
6
theft was not alleged have applied this “certainly impending” standard; notably, where
plaintiffs have alleged their injury was the increased risk of identity theft, courts have
dismissed the complaints for lack of Article III standing.33 These courts found that the
mere increased risk of identity theft or identity fraud alone does not constitute a
cognizable injury unless the harm alleged is certainly impending.34
For example, in Strautins v. Trustwave Holdings, Inc., a hacker infiltrated the
South Carolina Department of Revenue, and “approximately 3.6 million Social Security
numbers, 387,000 credit and debit card numbers, and tax records for 657,000
See, e.g., In re Horizon Healthcare Servs., Inc. Data Breach Litig., No. 13-7418, 2015 WL 1472483
(D.N.J. Mar. 31, 2015) (unpublished); Peters v. St. Joseph Servs. Corp., ---F. Supp. 3d---, No. 14-2872,
2015 WL 589561 (S.D. Tex. Feb. 11, 2015); Storm v. Paytime, Inc., ---F. Supp. 3d---, No. 14-1138, 2015 WL
1119724 (M.D. Pa. Mar. 13, 2015); Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-4787, 2014 WL
7005097, at *4 (N.D. Ill. Dec. 10, 2014) (unpublished), appeal docketed, No. 14-3700 (7th Cir. Dec. 12,
2014); Remijas v. Neiman Marcus Grp., LLC, No. 14-1735, 2014 WL 4627893 (N.D. Ill. Sept. 16, 2014)
(unpublished), appeal docketed, 14-3122 (7th Cir. Sept. 26, 2014); Galaria v. Nationwide Mut. Ins. Co.,
998 F. Supp. 2d 646 (S.D. Ohio 2014); Strautins v. Trustwave Holdings, Inc., 27 F. Supp. 3d 871 (N.D. Ill.
2014); In re Barnes & Noble Pin Pad Litig., No. 12-8617, 2013 WL 4759588 (N.D. Ill. Sept. 3, 2013). But
see In re Target Corp. Data Sec. Breach Litig., ---F. Supp. 3d---, No. MDL 14-2522, 2014 WL 7192478, at
*2 (D. Minn. Dec. 18, 2014) (finding the plaintiffs sufficiently alleged injury in a data breach case without
citing Clapper or the certainly imminent standard).
34 Plaintiff cites three post-Clapper cases involving the threat of future identity theft or identity fraud
where the courts found standing: Moyer v. Michaels Stores, Inc., No. 14-561, 2014 WL 3511500, at *5
(N.D. Ill. July 14, 2014) (unpublished); In re Adobe Sys., Inc. Privacy Litig., ---F. Supp. 3d---, No. 135226, 2014 WL 4379916 (N.D. Cal. Sept. 4, 2014); and In re Sony Gaming Networks & Customer Data
Sec. Breach Litig., 996 F. Supp. 2d 942 (S.D. Cal. 2014). In Moyer, the court concluded that the Supreme
Court’s decision in Susan B. Anthony List v. Driehaus, a more recent opinion discussing the injury-in-fact
requirement for standing, indicates Clapper’s imminence standard is a rigorous standing analysis to be
applied only in cases that involve national security or constitutional issues. 2014 WL 3511500 (citing 134
S. Ct. 2334 (2014)). In Susan B. Anthony List, the Supreme Court stated: “An allegation of future injury
may suffice if the threatened injury is ‘certainly impending,’ or there is a ‘“substantial risk”’ that the harm
will occur.’” 134 S. Ct. at 2341 (quoting Clapper, 133 S.Ct. at 1147, 1150, n.5). Although there are
conflicting readings of the Clapper standard in light of Susan B. Anthony List, the underlying facts in this
case lead to the conclusion that Plaintiff lacks standing under either the certainly impending or
substantial risk standard. Additionally, all three cases Plaintiff points to are distinguishable from the
instant case. Those courts analyzed the cases under pre-Clapper circuit precedent, finding Clapper did
not overrule the precedent by setting forth a new Article III framework. Both In re Sony and In re Adobe
cite the Ninth Circuit’s opinion in Krottner v. Starbucks, 628 F.3d 1139 (9th Cir. 2010). 996 F. Supp. 2d at
961–62; 2014 WL 4379916, at *6. Moyer cites the Seventh Circuit’s opinion in Pisciotta v. Old National
Bancorp, 499 F.3d 629 (7th Cir. 2007). 2014 WL 3511500, at *6. Additionally, all three cases involved
stolen financial information, such as credit or debit card numbers, whereas Plaintiff in this case has not
alleged any financial information was stolen.
33
7
businesses had been exposed.”35 The plaintiff filed a class action claiming she and the
other class members incurred the following injuries:
(1) untimely and/or inadequate notification of the Data Breach; (2)
improper disclosure of [personal identifying information]; (3) loss of
privacy; (4) out-of-pocket expenses incurred to mitigate the increased risk
of identity theft and/or identity fraud pressed upon them by the Data
Breach; (5) the value of time spent mitigating identity theft and/or identity
fraud and/or the increased risk of identity theft and/or identity fraud; (6)
deprivation of the value of [personal identifying information]; and (7)
violations of rights under the Fair Credit Reporting Act.36
The court in Strautins stated that “[t]hese claims of injury, however, are too speculative
to permit the complaint to go forward.”37 This is because under Clapper, “allegations of
possible future injury are not sufficient to establish standing. . . . [T]he threatened injury
must be certainly impending.”38
Even where actual fraudulent credit card charges are made after a data breach,
courts have held the injury requirement still is not satisfied if the plaintiffs were not held
financially responsible for paying such charges. For example, in Peters v. St. Joseph
Services Corp., hackers infiltrated a health care service provider’s network and accessed
personal information of patients and employees, including names, social security
numbers, birthdates, addresses, medical records, and bank account information.39 Even
though there was an attempted purchase on the plaintiff’s credit card, which was
declined by the plaintiff when she received a fraud alert, the court held the plaintiff did
not have standing.40 The Court found the plaintiff’s theory based on a certainly
impending or substantial risk of identity theft/fraud was too speculative and attenuated
27 F. Supp. 3d 871, 872 (N.D. Ill. 2014).
Id. at 875.
37 Id.
38 Id. (internal quotation marks and citations omitted).
39 No. 14-2872, 2015 WL 589561 (S.D. Tex. Feb. 11, 2015).
40 Id.
35
36
8
to constitute injury-in-fact because she was unable to “describe how [she would] be
injured without beginning the explanation with the word ‘if.’”41 Similarly, the court in
Remijas v. Neiman Marcus Group, LLC found the complaint did not adequately allege
standing on the basis of increased risk of future identity theft.42 Despite the fact that
thousands of Neiman Marcus customers had actual fraudulent charges on their credit
cards, the court found the plaintiffs failed to allege that any of the fraudulent charges
were unreimbursed, and the court was “not persuaded that unauthorized credit card
charges for which none of the plaintiffs are financially responsible qualify as ‘concrete’
injuries.”43
Although Plaintiff’s Class Action Complaint states all members of the putative
class “have suffered actual identity theft,”44 Plaintiff makes this conclusory statement
without any allegations of actual incidents of identity theft that any class member has
suffered, let alone that Plaintiff himself has suffered. Plaintiff does not allege that any of
the information accessed was actually misused or that there has even been an attempt to
use it. Plaintiff has not alleged that his password was decrypted and utilized or that any
of his other personal information has been leveraged in any way. As Plaintiff’s
opposition makes clear, his true argument is that his injury-in-fact is the increased risk
of future identity theft or identity fraud—not actual identity theft or identity fraud.45
Thus, for Plaintiff to have standing under Article III, the threat of identity theft or
Id. at *5 (internal quotation marks and citation omitted). The plaintiff also alleged other injuries tied to
the data breach. She alleged that someone attempted to access her Amazon account by using her son’s
name, which plaintiff claimed could have only been obtained from the names and next-of-kin information
she provided to the health care service provider. Id. at *2. Additionally, she claimed the data breach was
the reason she received daily phone solicitations from medical products and service providers. Id. She
further complained her email account and mailing address were compromised. Id.
42 No. 14-1735, 2014 WL 4627893, at *3 (N.D. Ill. Sept. 16, 2014).
43 Id.
44 R. Doc. 1 ¶¶ 61, 77, 87, 91, 120.
45 R. Doc. 24.
41
9
identity fraud must be concrete, particularized, and imminent—meaning the harm must
be certainly impending.46
The Court finds Plaintiff has failed to allege an injury-in-fact: the allegations in
the Complaint fail to demonstrate a concrete and particularized actual or threatened
injury that is certainly impending. In most data breach cases, the complaints allege
sensitive information was stolen, such as financial information or Social Security
numbers.47 In such cases, courts nonetheless have found that the mere risk of identity
theft is insufficient to confer standing, even in cases where there were actual attempts to
use the stolen information.48 In this case, there is no evidence that any financial
information or Social Security numbers were accessed during the Data Breach.
Additionally, the fact there is no evidence of actual or even attempted identity theft or
identity fraud further supports the Court’s finding that Plaintiff has failed to show the
alleged future injury is certainly impending. Furthermore, “[i]t is well settled that ‘[a]
claim of injury generally is too conjectural or hypothetical to confer standing when the
injury’s existence depends on the decisions of third parties,’”49 and the existence of
Plaintiff’s alleged injury in this case rests on whether third parties decide to do anything
with the information. If they choose to do nothing, there will never be an injury.
See Crane v. Johnson, ---F.3d---, No. 14-10049, 2015 WL 1566621, at *6 (5th Cir. Apr. 7, 2015) (citing
Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147 (2013) and Susan B. Anthony List v. Driehaus, 134 S.
Ct. 2334, 2341 (2014)).
47 See, e.g., In re Horizon Healthcare Servs., Inc. Data Breach Litig., No. 13-7418, 2015 WL 1472483
(D.N.J. Mar. 31, 2015) (unpublished); Lewert v. P.F. Chang’s China Bistro, Inc., No. 14-4787, 2014 WL
7005097, at *4 (N.D. Ill. Dec. 10, 2014) (unpublished); Strautins v. Trustwave Holdings, Inc., 27 F. Supp.
3d 871, 872 (N.D. Ill. 2014).
48 See, e.g., Peters v. St. Joseph Servs. Corp., No. 14-2872, 2015 WL 589561 (S.D. Tex. Feb. 11, 2015);
Remijas v. Neiman Marcus Grp., LLC, No. 14-1735, 2014 WL 4627893, at *3 (N.D. Ill. Sept. 16, 2014); In
Re Barnes & Noble Pin Pad Litigation, 2013 WL 4759588 (N.D. Ill. Sept. 3, 2013).
49 Hotze v. Burwell, ---F.3d---, No. 14-20039, 2015 WL 1881418, at *9 (5th Cir. Apr. 24, 2015) (second
alteration in original) (quoting Little v. KPMG LLP, 575 F.3d 533, 540 (5th Cir. 2009) and citing Clapper,
133 S.Ct. at 1150).
46
10
Indeed, Plaintiff’s Complaint makes clear that he does not face a certainly
impending risk of future identity theft or identity fraud. For example, the Complaint
states: “Criminals who now possess Plaintiffs’ [sic] and the class members’ personal
information may hold the information for later use, or continue to sell it between
identity thieves. Thus, Plaintiff and the class members must be vigilant for many years
in checking for fraud in their name, and be prepared to deal with the steep costs
associated with identity fraud.”50 Additionally, the Complaint states: “Studies indicate
that individuals whose personal information is stolen are approximately 9.5 times more
likely than other people to suffer identity fraud. Moreover, it can take time before the
identity thieves use the stolen information.”51 However, an increase in the risk of harm
is irrelevant—the true question is whether the harm is certainly impending.52 Just as in
Peters v. St. Joseph Sevices Corp., the allegations in Plaintiff’s Class Action Complaint
make clear that “[t]he misuse of the accessed information could take any number of
forms, at any point in time. . . . It may even be impossible to determine whether the
misused information was obtained from exposure caused by the Data Breach or from
some other source. Ultimately, [Plaintiff’s] theory of standing ‘relies on a highly
attenuated chain of possibilities.’ As such, it fails to satisfy the requirement that
‘threatened injury be certainly impending to constitute injury in fact.’”53
Although Plaintiff claims “[t]he only purpose to steal the information [from eBay]
is to profit from it,”54 nothing in the Complaint indicates the threat of future identity
theft or identity fraud is certainly impending. The potential injury in this case is far too
R. Doc. 1 ¶¶ 33–34 (emphasis added).
Id. ¶ 33.
52 See In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 25
(D.D.C. 2014).
53 No. 14-2872, 2015 WL 589561, at *5 (S.D. Tex. Feb. 11, 2015) (quoting Clapper, 133 S.Ct. at 1147–48).
54 R. Doc. 24 at p. 15.
50
51
11
hypothetical or speculative to meet Clapper’s certainly impending standard.55 Whether
Plaintiff and other class members actually become victims of identity theft depends on
numerous variables, including whether their data was actually taken when it was
accessed, whether certain information was decrypted, whether the data was actually
misused or transferred to another third party and misused, and whether or not the third
party succeeded in misusing the information. The mere fact that Plaintiff’s information
was accessed during the Data Breach is insufficient to establish injury-in-fact. Thus, the
potential threat of identity theft or identity fraud, to the extent any exists in this case,
does not confer standing on Plaintiff to pursue this action in federal court.56
The Complaint also alleges that Plaintiff and the putative class members have
spent, or will need to spend, both time and out-of-pocket expenses to protect themselves
from identity theft or identity fraud and/or the increased risk of either occurring.57 As
the Supreme Court made clear in Clapper, mitigation expenses do not qualify as injuryin-fact when the alleged harm is not imminent.58 Therefore, Plaintiff’s allegations
relating to costs already incurred or that may be incurred to monitor against future
identity theft or identity fraud likewise fail to constitute injury-in-fact for standing
purposes.59
See Clapper, 133 S.Ct. at 1148; Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334, 2341 (2014) (“An
injury must be concrete and particularized and actual or imminent, not conjectural or hypothetical.”
(internal quotation marks and citation omitted)). To the extent there is any relevant difference between
the “certainly impending” and “substantial risk” standards, Plaintiff in this case has not demonstrated
either.
56 Because the Court finds Plaintiff has not satisfied the injury-in-fact element required for him to have
standing, the Court need not address the traceability or redressability elements.
57 R. Doc. 1 ¶ 61.
58 See Clapper, 133 S.Ct. at 1155 (stating plaintiffs “cannot manufacture standing by incurring costs in
anticipation of non-imminent harm”).
59 Additionally, because there have been no reported incidences of actual identity theft or identity fraud as
a result of the Data Breach and since no financial information or Social Security numbers were accessed
during the Data Breach, there is no reason to believe such mitigation costs are necessary. The Complaint
also alleges “deprivation of the value of their personal information.” R. Doc. 1 ¶ 61, 77, 87, 91, 120. Even if
the Court were to find that personal information has an inherent value and the deprivation of such value
55
12
Based on Plaintiff’s failure to allege facts showing he has suffered an actual or
imminent injury, the Court must dismiss the Class Action Complaint for lack of
standing. This disposition is in line with the vast majority of post-Clapper data breach
cases where no actual identity theft or identity fraud was alleged.60 Plaintiff lacks
standing to sue in federal court unless and until he suffers an actual injury or faces an
imminent injury traceable to the Data Breach that can be fully compensated with money
damages, and there is simply no compensable injury at this time.
Given the Court’s lack of original jurisdiction over Plaintiff’s federal claims, the
Court declines to exercise supplemental jurisdiction over the state law claims pursuant
to 28 U.S.C. § 1367. Thus, the state law claims are dismissed without prejudice.61
CONCLUSION
Based on the foregoing analysis and discussion, Plaintiff has not adequately
alleged Article III standing. For that reason, the case must be dismissed for want of
subject-matter jurisdiction.62 Accordingly,
IT IS ORDERED that eBay’s Motion to Dismiss for lack of standing (R. Doc.
20) be and hereby is GRANTED, and the Class Action Complaint is DISMISSED
without prejudice.
is an injury sufficient to confer standing, Plaintiff has failed to allege facts indicating how the value of his
personal information has decreased as a result of the Data Breach. See Galaria v. Nationwide Mut. Ins.
Co., 998 F. Supp. 2d 646, 659 (S.D. Ohio 2014) (“A few courts have concluded plaintiffs’ PII does not have
inherent monetary value. Others hold that even if PII has value, the deprivation of which could confer
standing, plaintiffs must allege facts in their Complaint which show they were actually deprived of that
value in order to have standing.” (internal quotation marks and citations omitted)). Neither has Plaintiff
alleged an injury-in-fact with respect to overpayment. See Lewert v. P.F. Chang’s China Bistro, Inc., No.
14-4787, 2014 WL 7005097, at *2 (N.D. Ill. Dec. 10, 2014) (unpublished).
60 See supra note 33; see also In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 45
F. Supp. 3d 14, 27–28 (D.D.C. 2014) (“This is not to say that courts have uniformly denied standing in
data-breach cases. Most cases that found standing in similar circumstances, however, were decided preClapper or rely on pre-Clapper precedent and are, at best, thinly reasoned.” (citations omitted)).
61 The Court expresses no opinion on the viability of Plaintiff’s state law claims.
62 It is thus unnecessary for the Court to consider eBay’s remaining arguments under Federal Rule of Civil
Procedure 12(b)(6).
13
New Orleans, Louisiana, this 4th day of May, 2015.
_____________________ _________
SUSIE MORGAN
UNITED STATES DISTRICT JUDGE
14
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?