Plaintiffs in a class action data breach lawsuit brought against Yahoo! Inc. have survived the defendant’s motions to dismiss various claims after an order was entered by Judge Lucy Koh on Friday, March 9 in U.S. District Court in San Jose, California. While Judge Koh did dismiss some of the claims in the lawsuit, she refused to dismiss many of the claims, most notably the plaintiffs’ claims for negligence and breach of contract. The plaintiffs in this case are a group of Yahoo Mail users who were victims of a series of three data breaches that occurred over the course of four years, from 2013 to 2016. These users allege that Yahoo was not quick enough to disclose this series of data breaches, and that because Yahoo was so slow, they were at an increased risk of suffering from identity theft, which required these users to spend time and money taking protective measures. In response, Yahoo maintains that it has always been a target of these types of cyber attacks and that while it works tirelessly to defend against “constantly evolving security threats,” the plaintiffs here have the benefit of “20/20 hindsight.” In her order, Judge Koh wrote that the plaintiffs’ complaint was sufficient to show that they would have acted differently, and possibly not chosen to use Yahoo Mail, had they been aware of the security deficiencies in the system. Taking aim at the terms of the contract itself, Judge Koh also hinted that Yahoo’s attempt to limit its own liability in its terms of service could be shown to be “unconscionable” given Yahoo’s awareness of its own security weaknesses.
Judge Koh’s order marks a slight departure from the typical way in which data breach cases are analyzed. All plaintiffs must satisfy the standing requirements of Article III of the U.S. Constitution, which limits the jurisdiction of federal courts to actual cases and controversies. The Supreme Court furthered the Article III standing analysis back in 2016 when it held in Spokeo, Inc. v. Robins that a plaintiff’s injury must be “concrete and particularized” and “actual or imminent, not conjectural or hypothetical.” Following the Spokeo decision, there has been some controversy over what actually counts as a controversy, so to speak. In In re OPM, a federal judge in the D.C. Circuit Court dismissed a multidistrict data breach lawsuit, ruling that mere theft of data alone was not enough to establish standing. Even though the personal data of 21.5 million former, current, and future government employees had been stolen in that data breach, the judge ruled that the plaintiffs’ money spent to protect against identity theft, emotional distress from the breach, and possible exposure to identity theft in the future were not injuries sufficient to confer standing. An Eighth Circuit District Court held similarly last year in In re SuperValu, where the court dismissed the claims of all but one plaintiff in a class action suit against the grocery retailer in the wake of a credit card data breach. The sole plaintiff whose claim was preserved was the only one who had actually suffered identity theft, in the form of credit card fraud.
Judge Koh’s recent order in the Yahoo case seems to espouse a form of valuation of personal data that extends beyond the dollars and cents of subsequent identity theft following a data breach.
Her comments, as mentioned above, imply that there is some inherent value in keeping one’s personal data safe and secure. Indeed, with data security discussions arising with each new breach, the value of securing one’s personal information seems to be increasing. With the claims preserved, hopefully we will find guidance in the future about how we might value mere theft of data alone, if at all.