Plaintiffs’ attorneys, like politicians, rarely let a good crisis go to waste. Digital crises, such as data-breach and hacking events, are no exception.
Defendants in data-breach-related lawsuits, however, have had a great deal of success beating back consumer-harm claims with motions to dismiss challenging plaintiffs’ lack of standing to sue. As in many of the food-labeling class actions that helped pave the way for data-breach suits, it is often hard for plaintiffs to identify any way that they were actually harmed—because typically they weren’t.
Some data-breach plaintiffs have begun to claim injury based on “overpayment.” Essentially, such plaintiffs argue that the seller of a good or service they purchased explicitly or implicitly promised protection of their personal information. That protection, the plaintiffs argue, is a part of the purchase price, and when sellers fall victim to malicious data hackers, consumers don’t get the full benefit of the money they paid for the product, i.e., they overpaid. Outside of the data-breach context, plaintiffs have attempted a similar harm theory in food- and beer-labeling class actions where they have claimed product labels omitted information which, had purchasers known, would have reduced the value of the product to them. Thankfully, in the world of data breaches, this overpayment theory has seen mixed results.
In one set of cases, plaintiffs have sued brick-and-mortar stores and restaurants after the credit and debit card numbers they used to purchase products from those establishments were stolen. Courts have explained that because the data breach affected the processing of the buyers’ payment, not the purchased product itself, data security was not a benefit of their bargain. Put another way, the goods that the plaintiffs received were not diminished as a result of the data breach because the two were unrelated. Therefore, they did not overpay for them.
Conversely, courts have upheld the overpayment theory of harm when the products plaintiffs purchased—online subscriptions—were governed by terms of service that included data-security obligations because the plaintiffs could plausibly allege that they considered the value of the terms of service in purchasing their memberships.
These two lines of cases intersected in a recent decision, In re VTech Data Breach Litigation. VTech Electronics sells internet-enabled educational toys for young children. Its products, which include tablet computers and other handheld electronics, can connect to VTech’s online store from which customers can download additional games, books, and music for their children’s toys. All VTech products function without connecting to the online store or downloading additional content. In order to access the store, parents need to create an account, thereby providing personal information, and agree to VTech’s terms and conditions, which include VTech’s promise of data security. In 2015, hackers accessed the online store’s database and stole the personal information of millions of VTech’s customers. In response, the plaintiffs filed a putative class action against VTech for failing to fulfill its security commitments, alleging that they received a less valuable product from VTech than they had purchased.
In its defense, VTech brought a motion to dismiss for lack of standing and failure to state a claim predicated on refuting plaintiffs’ injury theory. Citing the brick-and-mortar cases outlined above, VTech argued that the plaintiffs conducted two separate transactions: the first was to purchase VTech’s physical product, while the second was to register for VTech’s online services. The plaintiffs paid for the first transaction, while the data breach affected only the second. Therefore, the plaintiffs’ payment had no relation to the data breach.
The court rejected this argument as to standing; as described above, theoretically, the plaintiffs would have suffered an economic injury had they bargained for a more valuable product than they acquired. This theoretical injury satisfies Article III, the court held. However, when applying a failure-to-state-a-claim standard, the court agreed with VTech’s two-transaction theory. Ultimately, the court concurred that VTech essentially sold a physical product which could, but need not, be supplemented by a free online service. Without affirmative evidence that both parties anticipated data protection as part of the plaintiffs’ purchase price, the plaintiffs could not establish an overpayment injury. Finding none, the court granted VTech’s motion to dismiss.
While VTech was able to end the lawsuit on its motion to dismiss, the case also demonstrates how vulnerable the overpayment theory of harm is to arguments against class certification. The overpayment theory necessarily assumes that each and every member of the class made an individual decision that the subject product was only worth its purchase price because of the defendant’s data-security features. Such personal and individualized findings of fact ordinarily should preclude certification. Even if plaintiffs can adequately allege an overpayment injury, they will need to seek redress individually.
The entire purpose of litigation is to redress the injuries of an aggrieved party. The assumption that the suing party has actually been injured is implicit. So-called consumer-protection litigation can only be justified when it actually seeks to mitigate the harm suffered by consumers. Otherwise such lawsuits are just a tax on corporations and a means to enrich plaintiffs’ attorneys. In the case of data-breach lawsuits, it is important for courts to fastidiously police the injury-in-fact requirements, whether under Article III or 12(b)(6), to ensure that only injured parties can collect.
Also published by Forbes.com on WLF’s contributor page.