Skip to Content

Threat of Future Harm as a result of a Cyber Breach May be Sufficient to Confer Standing

October 22, 2014

The U.S. District Court for the Northern District of California has ruled that the threat of future harm alleged in a class action complaint is sufficient “injury” to satisfy the “case or controversy” requirement of Article III of the United States Constitution. The order denying the defendant’s motion to dismiss for lack of subject matter jurisdiction allows the class action lawsuit in In re Adobe Systems, Inc. Privacy Litigation, 2014 WL 4379916 (N.D.Cal) to proceed. The complaint filed in Adobe involves claims against Adobe Systems, Inc. stemming from a July 2013 data breach. According to the class action complaint, hackers spent several weeks inside Adobe’s network removing customer data and Adobe source code’s from Adobe’s network. Once discovered, Adobe announced that the hackers accessed the personal information of at least 38 million customers, including names, log in ID’s, passwords, credit, and debit card numbers, expiration dates, and mailing and e-mail addresses.

The Plaintiffs, customers of Adobe licensed products who provided Adobe with their personal information, alleged that they are all at an increased risk of future harm as a result of the 2013 data breach. In its motion to dismiss, Adobe cited the U.S. Supreme Court’s decision in Clapper v. Amnesty Intern. USA, 133 S.Ct. 1138, 185 L.Ed.2d 264 (U.S. 1913), noting that the Supreme Court had held that an “objectively reasonable likelihood” of future harm was inconsistent with precedent requiring that “threatened injury must be certainly impending to constitute injury in fact.” The Supreme Court emphasized that “allegations of possible future injury are not sufficient.”

The District Court advised that it did not believe the decision in Clapper required more than the allegations of future harm made by the Plaintiffs because the danger that Plaintiffs’ stolen data would be subject to misuse could be described as “certainly impending.” The Court noted the hackers deliberately targeted Adobe’s servers, used Adobe’s own systems to decrypt customer credit card numbers and that some of the stolen data had already surfaced on the Internet. According to the Court, “the threatened injury here could be more imminent only if Plaintiffs could allege that their stolen personal information had already been misused.” Requiring Plaintiffs to wait until they actually suffer identity theft or credit card fraud in order to have standing would, the Court advised, “run counter to the well-established principle that harm need not have already occurred or be ‘literally certain’ in order to constitute injury-in-fact.”

The Court’s decision runs counter to the majority of Courts addressing the issue of standing in data breach cases based solely on the threat of future injury. However, the holding is important for its efforts to distinguish the U.S. Supreme Court’s decision in Clapper using facts that are commonly found in data breach cases. If the basis for the decision is followed, the requirement that there be an actual “injury” to establish standing in data breach cases will become ephemeral, permitting speculative class action lawsuits filed long before the dust settles, and before any Plaintiff has identified a real “injury.”

If you have any questions or would like a copy of this case, please contact Matt Peaire orJohn Garaffa in our Tampa office.