Ninth Circuit Sides With Plaintiffs Claiming Compensable Harm From Data Breaches

Joshua L. Young

Last week, the Ninth Circuit held that the victims of a 2012 data breach of (“Zappos”) faced a “substantial risk” of future identity theft that was sufficient to meet the injury in fact requirement for Article III standing.  Stevens v., Inc. (In re, Inc., Customer Data Sec. Breach Litig.), 2018 U.S. App. LEXIS 5841 (Mar. 8, 2018).

Sometime before January 16, 2012, hackers breached Zappos’s servers and allegedly stole more than 24 million customers’ names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information.  Following the breach, customers around the country filed class action lawsuits against Zappos, alleging negligence, breach of contract, unjust enrichment and breach of the covenant of good faith and fair dealing, as well as violations of various states’ deceptive trade practices, consumer protection acts, and data breach notification statutes.  In June 2012, six of the class action suits were consolidated in the U.S. District Court for the District of Nevada.  Some plaintiffs had alleged that they had already suffered financial losses from identity theft resulting from the breach.  Other plaintiffs had alleged that although they had not yet suffered financial losses from identity theft, there was an “imminent” risk they would suffer such harms in the future.  Zappos moved to dismiss the plaintiffs’ claims for lack of Article III standing. 

In May 2016, the district court granted in part and denied in part Zappos’s motion to dismiss the plaintiffs’ Third Amended Consolidated Complaint.  The district court found that “the first group of plaintiffs had Article III standing because they alleged ‘that actual fraud occurred as a direct result of the breach,’” but the second group plaintiffs lacked standing because they “‘failed to allege instances of actual identity theft or fraud.’”  Id. at *5-6.  The plaintiffs appealed.

The Ninth Circuit focused its analysis on a case the district court did not consider, Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010).  “In Krottner, a thief stole a laptop containing ‘the unencrypted names, addresses, and social security numbers of approximately 97,000 Starbucks employees.’”  Id. at *6-7 (citing Krottner, 628 F.3d at 1140).  The plaintiffs in Krottner successfully alleged an Article III harm because the “increased risk of future identity theft” amounted to “‘a credible threat of real and immediate harm’ because the laptop with their [personally identifiable information] had been stolen.’”  Id. at *7 (citing Krottner, 628 F.3d at 1143). 

Zappos argued that Krottner fell short of the standards set forth in Clapper v. Amnesty International USA, which held that a “threatened injury must be certainly impending to constitute injury in fact.”  568 U.S. 398, 401 (2013) (citations omitted).  In Clapper, a group of “‘attorneys and human rights, labor, legal, and media organizations whose work allegedly require[d] them to engage in sensitive and sometimes privileged telephone and e-mail communications with . . . individuals located abroad,’” challenged surveillance procedures authorized by the Foreign Intelligence Surveillance Act of 1978 (“FISA”).  Id. at *8 (citing Clapper, 568 U.S. at 401, 406).  The plaintiffs argued they had standing under Article III because there was an objectively reasonable likelihood that the government would use FISA to acquire their communications in the future.  Clapper, 568 U.S. at 401.  The Supreme Court found that the plaintiffs’ “theory of standing, which relies on a highly attenuated chain of possibilities, does not satisfy the requirement that threatened injury must be certainly impending.”  Clapper, 568 U.S. at 410 (citations omitted).

The Ninth Circuit rejected Zappos’ argument that Krottner conflicted with Clapper.

Unlike in Clapper, the plaintiffs’ alleged injury in Krottner did not require a speculative multi-link chain of inferences. See Krottner, 628 F.3d at 1143.  The Krottner laptop thief had all the information he needed to open accounts or spend money in the plaintiffs’ names—actions that Krottner collectively treats as “identity theft.” Id. at 1142.  Moreover, Clapper’s standing analysis was “especially rigorous” because the case arose in a sensitive national security context involving intelligence gathering and foreign affairs, and because the plaintiffs were asking the courts to declare actions of the executive and legislative branches unconstitutional. Clapper, 568 U.S. at 408 (quoting Raines v. Byrd, 521 U.S. 811, 819 (1997)).  Krottner presented no such national security or separation of powers concerns.

Id. at *10.  The Ninth Circuit then pointed out other cases where the Supreme Court had found that a “substantial risk” of injury satisfied Article III, including Susan B. Anthony List v. Driehaus.  In that case, the Supreme Court stated that “[a]n allegation of future injury may suffice if the threatened injury is ‘certainly impending,’ or there is a ‘substantial risk that the harm will occur.’”  Id. at 10-11 (citing Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334, 2341 (2014) (quoting Clapper, 568 U.S. at 414 & n.5)).

Having determined that Krottner did not conflict with Clapper, the Ninth Circuit explained that in Krottner “the sensitivity of the personal information, combined with its theft, led us to conclude that the plaintiffs had adequately alleged an injury in fact supporting standing.”  Stevens, 2018 U.S. App. LEXIS 5841 at *11 (citing Krottner, 628 F.3d at 1143).  The Ninth Circuit then found that the data stolen from Zappos’s servers was sensitive enough to give “hackers the means to commit fraud or identity theft” and was thus similar enough the data stolen in Krottner to support a finding that the plaintiffs who had not yet experienced fraud as a result of the breach had adequately alleged an injury in fact.  Id. at 11-12.  The court further noted that the existence of a different class of plaintiffs that allegedly had already experienced fraud as a result of the breach, “undermines Zappos’s assertion that the data stolen in the breach cannot be used for fraud or identity theft.”  Id. at *13.  The Ninth Circuit remanded the case to the district court for further proceedings.

Stevens is one of the most recent Ninth Circuit cases to address standing in the context of data breach and privacy violations.  While standing remains a substantial hurdle for data breach plaintiffs, Stevens and Krottner demonstrate that when a thief or hacker acquires information sensitive enough to perpetrate future identity fraud, the risk of harm is likely substantial enough to satisfy the injury in fact requirement for Article III standing.

Federal Circuit Unwinds PTAB Decision, Rejects Secondary Reference As Not Analogous Art

By: Gene Cherng 

In a rare occurrence, the Federal Circuit overturned an invalidity determination on the basis that one of the references was not in a field of art “analogous” to the art of the patent at issue. Smith & Nephew, Inc. v. Hologic, Inc., No. 2017-1008 (Fed. Cir. January 30, 2018) (nonprecedential).

The patent at issue was directed to a surgical instrument “with a cutting member for semi-rigid tissue” capable of simultaneous rotation, translation, and reciprocation to enable it to cut into semi-rigid tissue without bouncing away. The obviousness rejection was based on a combination of three references – one of which (“Galloway”) was directed at an apparatus with a reciprocating apparatus used in the production and winding of glass fibers.

The PTAB determined that the challenged claims and Galloway both were relevant to solving the technical problem of converting “rotational motion into simultaneous rotational, translational, and reciprocal motions,” and found that a person of ordinary skill in the art would have found Galloway “reasonably pertinent to the technical problem with which the inventor was involved.” Hologic, Inc. v. Smith & Nephew, Inc., No. 2015-007845 (P.T.A.B. Jan. 20, 2016) (citations omitted).

Not so, held the Federal Circuit. Citing to In re Clay, 966 F.2d 656, 658 (Fed. Cir. 1992), the Federal Circuit reiterated that “[a] reference is reasonably pertinent if, even though it may be in a different field from that of the inventor’s endeavor, it is one which, because of the matter with which it deals, logically would have commended itself to an inventor’s attention in considering his problem.”  The court held that PTAB erred in reducing the problem solved by invention in the challenged claim to a simple mechanical problem:

The inventors of the ’459 patent focused on solving the difficulty in cutting large amounts of semi-rigid tissue. Galloway, in contrast, is directed to winding glass fiber. Even though both ended up with similar mechanical solutions, it is beyond a stretch to say that Galloway ‘logically would have commended itself to an inventor’s attention in considering his problem.’  [In re Clay, 966 F.2d] at 659.

Smith & Nephew, slip. op. at 11.

Unfortunately, the Federal Circuit’s opinion was not all good news for the patentee. Other than the three claims rejected based on Galloway that were reversed, the invalidity determinations as to the remaining nineteen challenged claims were affirmed.  Two of the three claim rejections that were reversed were remanded back to the Board to reconsider the patentability of these “surviving” claims under other rejections.

Notwithstanding the outcome for the patentee, Smith & Nephew provides an analytical framework for litigants to consider in connection with evaluating the value of prior art that is far afield from the art relevant to the patent in suit.  Because whether a reference is analogous art is a question of fact, In re Clay, 966 F.2d at 658, Smith & Nephew also suggests a potential role for expert testimony or other factual evidence to support (or refute) a claim that a particular reference is in an “analogous art.”