It well known that there are, unfortunately, many data breaches that frequently put private citizens’ data privacy in jeopardy. States have passed a variety of statutes aimed at addressing this problem in an attempt to provide data breach victims with some form of redress. Nonetheless, even where there has been a data breach, a plaintiff must meet certain requirements in order to have standing to bring a lawsuit in an Article III court. One such requirement, as the case described below illustrates, is that a plaintiff must have sufficiently pleaded injury-in-fact in his or her complaint.

According to the putative class action he brought against the well-known department store chain Macy’s in Massachusetts, Robert Hartigan (“Hartigan”) purchased products on Macy’s website using his VISA credit card on October 10, 2019. See Hartigan v. Macy’s Inc., Case No. 1:20-cv-10551-PBS, Dkt, No. 35 (D. Mass. Nov. 5, 2020). In so doing, Hartigan provided his home address, credit card information, and other personal information. Between October 7 and October 15, 2019, computer hackers installed malware on Macy’s website to gain access to Macy’s customers’ payment information. The personal information accessed included: (1) first and last names; (2) addresses; (3) phone numbers; (4) email addresses; and (5) credit card numbers.

Macy’s privacy policy stated that it “put in place various procedural, technical, and administrative measures to safeguard the information [Macy’s] collect[s] and use[s]” but warned users that “no security safeguards or standards are guaranteed to provide 100% security.” On November 14, 2019, Macy’s sent a Breach Notification Letter to Hartigan and its other customers about the data breach. Among other information, the breach notice informed Macy’s customers about the known risks of harm associated with data breaches and offered one year of complimentary credit monitoring services.

As a result of the data breach, Hartigan alleged in his complaint against Macy’s unreasonable interference with privacy in violation of M.G.L. c. 214, § 1B, negligence, breach of contract, unfair and deceptive business practices in violation of M.G.L. c. 93A, §2, and violation of M.G.L. c. 93H. Macy’s moved to dismiss the action for lack of standing pursuant to Fed. R. Civ. P. 12(b)(1) and for failure to state a claim pursuant to Fed. R. Civ. P. 12(b)(6). As to standing, Macy’s argued that Hartigan failed to sufficiently plead injury-in-fact because he did not allege economic harm, that his immutable personal information (e.g., social security number) had been misused, or that he faced an imminent risk of future identity theft.

To satisfy the requirements of Article III standing, a plaintiff must have suffered an injury-in-fact that is fairly traceable to the challenged conduct of the defendant and that is likely to be redressed by a favorable judicial decision. See Spokeo Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016). “To establish injury in fact, a plaintiff must show that he or she suffered an invasion of a legally protected interest that is concrete and particularized and actual or imminent, not conjectural or hypothetical.” Id. at 1548 (citation omitted) (internal quotation marks omitted).

In its November 5, 2020 order, the district court granted Macy’s motion to dismiss, and agreed with Macy’s that Hartigan failed to sufficiently plead injury-in-fact. Hartigan did not allege sufficient facts to support a substantial risk of future harm. Hartigan’s complaint was devoid of any allegation of fraudulent use or attempted use of personal information to commit identity theft against any Macy’s customer whose credit information was stolen. Further, the information that was stolen was not highly sensitive or immutable, such as a social security number, and Hartigan could immediately cancel his credit card, which would “effectively eliminate risk of credit card fraud in the future.”

Hartigan did, however, also allege actual harm due to the cost of mitigation. Hartigan did not believe that the one year of complimentary credit monitoring services Macy’s offered was adequate and purchased additional protection. The district court noted that the First Circuit has held that incurring costs such as credit monitoring services can constitute injury-in-fact where plaintiffs’ credit card information has been misused after a data breach. If neither the plaintiff nor those similarly situated have experienced fraudulent charges, however, purchasing such credit monitoring services may be unreasonable and not recoverable. The court reasoned that, while Hartigan was the victim of a data breach, Hartigan did not allege misuse of his or any class member’s data. Hartigan’s purchase of credit monitoring services was, therefore, not based on a “reasonably impending threat” and did not constitute an injury-in-fact.

This case illustrates two broader points that apply to data privacy lawsuits brought in federal courts across the United States. First, not all victims of data breaches can successfully bring a lawsuit in federal court to seek redress. To do so, a data breach victim must have suffered a concrete injury-in-fact. Second, even if a data breach victim has suffered the right type of injury-in-fact, the victim-turned-plaintiff must sufficiently plead that fact in his or her complaint in order to satisfy the requirements of Article III standing.

Editor: Arsen Kourinian

Written by: Ari Feinstein & Jessica C. Sganga