When a company's computer systems are raided by hackers, all too often it must brace itself for being victimized a second time by the class action bar. Plaintiffs frequently target such companies for class actions on behalf of the consumers whose data might have been exposed as a result of the potential data
The fact that the consumers rarely have experienced any real harm can be the Achilles' heel of these data-breach class actions. "World of Warcraft" creator Blizzard Entertainment Inc. was able to capitalize on this vulnerability when a court dismissed most of a putative class action against the company, finding that plaintiffs had failed to allege sufficient harm as to a number of claims. See Bell v. Blizzard Entertainment Inc., No. 2:12-cv-09475 (C.D. Cal. July 11, 2013).
The suit arose after hackers breached Blizzard's Battle.net system in August 2012 and stole user information. Two gamers responded by filing a putative class action, seeking to represent 10 million players worldwide. The plaintiffs alleged that Blizzard should have emailed or called affected users to notify them of the breach rather than simply posting a notice on its website. And the plaintiffs asserted that Blizzard should have better informed customers that they should buy a separate "authenticator," a program that provides an extra layer of protection for user information.
None of the plaintiffs, however, could allege that he or she was the victim of identity theft—or even that the hackers had obtained his or her information. This omission led Judge Beverly Reid O'Connell to tell plaintiffs' counsel at the hearing on Blizzard's motion to dismiss, "I don't understand your claim for harm." The plaintiffs contended that Blizzard profited by selling the "authenticators." And they asserted that Blizzard's security procedures subjected them to the risk of having their data exposed to hackers (with the concomitant risk of identity theft)—which (they said) diminished the value of the games they bought from Blizzard. But Judge O'Connell concluded that plaintiffs did not satisfy the harm element required for their negligence and breach of contract claims. Plaintiffs could not identify any authority for the proposition that "an increased risk" of future harm from identity theft was "a type of harm sufficient to support a negligence claim." And because it was not possible to resell Blizzard's various online games played through Battle.net, the court concluded that any alleged reduction in the value of the plaintiffs' games could not have harmed them. Accordingly, the court granted a motion for judgment on the pleadings with respect to those claims.
This ruling is in line with many other federal court dismissals of data-breach claims for failure to allege concrete, tangible harms, although many of those decisions rest on Article III standing rather than the merits. See, e.g., In re Sony Gaming Networks and Customer Data Sec. Breach Litig., 903 F. Supp. 2d 942 (S.D. Cal. 2012) (putative class action against manufacturer of computer gaming systems for theft of personal information dismissed for failure to allege any injury-in-fact); In re LinkedIn User Privacy Litig., 2013 WL 844291 (N.D. Cal. Mar. 6, 2013) (putative class action alleging that LinkedIn failed to adequately protect user information dismissed because claims for economic harm were insufficient to satisfy standing requirement); Claridge v. RockYou, Inc., 785 F. Supp. 2d 855 (N.D. Cal. 2011) (despite finding Article III standing, court found that user who sued developer for failing to secure users' personally-identifiable information had failed to allege the more particularized elements of injury required for his causes of action).
That said, the court left room for plaintiffs to amend their complaints as to certain claims, and did allow two claims under Delaware's Consumer Fraud Act to survive. But the lesson for defendants is clear: When a plaintiff cannot allege tangible harm from data breach claims, courts are willing to narrow or dismiss a lawsuit at the pleading stage.
© Copyright 2013. The Mayer Brown Practices. All rights reserved.