by Mike Masnick

Filed Under:
data breach, standing


Sony Beware: New Argument Seeks To Establish Standing In 'Harmless' Data Breach Lawsuits

from the people-suing-sony-should-pay-attention dept

Whoever is filing class action lawsuits against Sony for the PSN hack may want to pay attention to a totally different case in Northern California. You see, for years, we've noted that judges will toss out lawsuits about data breaches if the person suing can't show any actual harm. It's happened again and again and again. To some extent, you can understand the reasoning: if your data wasn't used to cause you any harm, should you really have much of a legal leg to stand on?

But, of course, the problem with that is that it lessens the damage that can hit companies for being downright careless with your private data. However, this case in the Northern District of California, involving Alan Claridge suing RockYou, has gone differently so far (found via Michael Scott), because Claridge made a different kind of argument:
While many plaintiffs in data breach cases (unsuccessfully) allege harm suffered based on an increased risk of identity theft as well as inconvenience and out-of-pocket expenses associated with credit monitoring, Plaintiff employed a unique argument. As the court described, “Plaintiff generally alleges that defendant’s customers, including plaintiff, ‘pay’ for the products and services they ‘buy’ from defendant by providing their PII [personally identifiable information], and that the PII constitutes valuable property that is exchanged not only for defendant’s products and services, but also in exchange for defendant’s promise to employ commercially reasonable methods to safeguard the PII that is exchanged. As a result, defendant’s role in allegedly contributing to the breach of plaintiff’s PII caused plaintiff to lose the ‘value’ of their PII, in the form of their breached personal data.”

According to the court, the alleged was enough for purposes of standing. “On balance, the court declines to hold at this juncture that, as a matter of law, plaintiff has failed to allege an injury in fact sufficient to support Article III standing . . . [T]he court finds plaintiff’s allegations of harm sufficient at this stage to allege a generalized injury in fact.”
The court is still skeptical of the argument, but is at least willing to hear things out. In other words, this is still very early, and it's at the district court level, so those who like this argument shouldn't get their hopes up yet. But, it's certainly making it a case worth watching.

And I'd be remiss in not mentioning that this is the kind of thing that we'll almost certainly be discussing at our upcoming dinner salon, since it very much taps into the theme of how companies need to act when their "customers" are also their "product," in terms of the information and data they collect...

Reader Comments

Subscribe: RSS

View by: Time | Thread

  • identicon
    AnonX, 2 May 2011 @ 3:38pm

    What about the harm of loss of access to their online network? It might be minimal, but it is enough harm to bring the lawsuit forward to trial. Also potential harm might be a factor. RIAA seems to succeed in that one with the damages they suggest in many of their filesharing lawsuits. We should all just copyright our primary contact information so we can file a copyright violation for Sony data sharing...

    reply to this | link to this | view in chronology ]

  • identicon
    big al, 2 May 2011 @ 5:01pm

    head to head fight!!!!

    now we have a problem.....

    1.last week the "high" court said that "binding arbitration takes president over class action suits"

    2.class action suits have a new twist ....

    3. sony says bring it on....You must go to binding's in your at a time please and we split the cost!!(about $980 per hour in my neck of the woods)
    plus the cost of a lower lawyer

    4. WHAT??? no takers i can"t imagine why???

    reply to this | link to this | view in chronology ]

  • identicon
    Pixelation, 2 May 2011 @ 6:00pm

    Mike, I think you came up with this story simply for the shameless plug.
    What steps will you be taking to protect the PII of the participants?

    reply to this | link to this | view in chronology ]

  • identicon
    Pixelation, 2 May 2011 @ 8:15pm

    It seems to me that a company should have some liability for any information regarding customers that they store. That liability should increase when it is stored beyond the point where it is absolutely necessary. Mainly stored CC#s and SS#s. If you want to store this information, you better be prepared for the consequences of having it cracked from your system. It needs to be unappealing.

    @Ironm@sk I was just funnin'.

    reply to this | link to this | view in chronology ]

  • icon
    anymouse (profile), 4 May 2011 @ 7:47am

    How is this different than Copyright Infringement? Oh, that's right the **AA's bought the laws

    So if individuals have to prove 'actual harm' when a company hands over all of their personal information (lets start calling it PIP - Personal Intellectual Property which is what it is after all). Why don't companies have to prove 'actual harm' when an individual hands one piece of their IP to someone else?

    Yes, I know it's because there is a law with a 'statutory damages' clause that makes this possible....

    So lets get a new law passed (anyone out there own a congress critter to get this going?) applying the same 'statutory damages' concept to companies infringing on individuals PIP. I think it would be fair to add a 'punitive damages' clause to PIP losses as well, since without these excessive damage awards, companies will never learn that they need to be careful with everyone's intellectual property, not just their own.

    If sharing one song is worth $150,000, I'm sure that sharing one individuals PIP would be worth at least $1,500,000 in statutory damages, and another $5,000,000 in punitive damages, after all one individual could have produced an infinite number of songs/movies/games/software/etc, if only their valuable personal intellectual property hadn't been stolen by those dirty rotten corporations....

    I'm not really serious.... or am i? /sarcasm off

    reply to this | link to this | view in chronology ]

Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Special Affiliate Offer

Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Report this ad  |  Hide Techdirt ads
Recent Stories
Report this ad  |  Hide Techdirt ads


Email This

This feature is only available to registered users. Register or sign in to use it.