Sony Beware: New Argument Seeks To Establish Standing In 'Harmless' Data Breach Lawsuits

from the people-suing-sony-should-pay-attention dept

Whoever is filing class action lawsuits against Sony for the PSN hack may want to pay attention to a totally different case in Northern California. You see, for years, we've noted that judges will toss out lawsuits about data breaches if the person suing can't show any actual harm. It's happened again and again and again. To some extent, you can understand the reasoning: if your data wasn't used to cause you any harm, should you really have much of a legal leg to stand on?

But, of course, the problem with that is that it lessens the damage that can hit companies for being downright careless with your private data. However, this case in the Northern District of California, involving Alan Claridge suing RockYou, has gone differently so far (found via Michael Scott), because Claridge made a different kind of argument:
While many plaintiffs in data breach cases (unsuccessfully) allege harm suffered based on an increased risk of identity theft as well as inconvenience and out-of-pocket expenses associated with credit monitoring, Plaintiff employed a unique argument. As the court described, “Plaintiff generally alleges that defendant’s customers, including plaintiff, ‘pay’ for the products and services they ‘buy’ from defendant by providing their PII [personally identifiable information], and that the PII constitutes valuable property that is exchanged not only for defendant’s products and services, but also in exchange for defendant’s promise to employ commercially reasonable methods to safeguard the PII that is exchanged. As a result, defendant’s role in allegedly contributing to the breach of plaintiff’s PII caused plaintiff to lose the ‘value’ of their PII, in the form of their breached personal data.”

According to the court, the alleged was enough for purposes of standing. “On balance, the court declines to hold at this juncture that, as a matter of law, plaintiff has failed to allege an injury in fact sufficient to support Article III standing . . . [T]he court finds plaintiff’s allegations of harm sufficient at this stage to allege a generalized injury in fact.”
The court is still skeptical of the argument, but is at least willing to hear things out. In other words, this is still very early, and it's at the district court level, so those who like this argument shouldn't get their hopes up yet. But, it's certainly making it a case worth watching.

And I'd be remiss in not mentioning that this is the kind of thing that we'll almost certainly be discussing at our upcoming dinner salon, since it very much taps into the theme of how companies need to act when their "customers" are also their "product," in terms of the information and data they collect...
Hide this

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: data breach, standing
Companies: sony


Reader Comments

Subscribe: RSS

View by: Time | Thread


  1. identicon
    AnonX, 2 May 2011 @ 3:38pm

    What about the harm of loss of access to their online network? It might be minimal, but it is enough harm to bring the lawsuit forward to trial. Also potential harm might be a factor. RIAA seems to succeed in that one with the damages they suggest in many of their filesharing lawsuits. We should all just copyright our primary contact information so we can file a copyright violation for Sony data sharing...

    link to this | view in thread ]

  2. identicon
    big al, 2 May 2011 @ 5:01pm

    head to head fight!!!!

    now we have a problem.....

    1.last week the "high" court said that "binding arbitration takes president over class action suits"

    2.class action suits have a new twist ....

    3. sony says bring it on....You must go to binding arbitration..it's in your eula....one at a time please and we split the cost!!(about $980 per hour in my neck of the woods)
    plus the cost of a lower lawyer

    4. WHAT??? no takers i can"t imagine why???

    link to this | view in thread ]

  3. identicon
    Pixelation, 2 May 2011 @ 6:00pm

    Mike, I think you came up with this story simply for the shameless plug.
    What steps will you be taking to protect the PII of the participants?

    link to this | view in thread ]

  4. identicon
    IronM@sk, 2 May 2011 @ 7:34pm

    Response to: Pixelation on May 2nd, 2011 @ 6:00pm

    TROLL HARDER!

    link to this | view in thread ]

  5. identicon
    Pixelation, 2 May 2011 @ 8:15pm

    It seems to me that a company should have some liability for any information regarding customers that they store. That liability should increase when it is stored beyond the point where it is absolutely necessary. Mainly stored CC#s and SS#s. If you want to store this information, you better be prepared for the consequences of having it cracked from your system. It needs to be unappealing.

    @Ironm@sk I was just funnin'.

    link to this | view in thread ]

  6. icon
    The eejit (profile), 2 May 2011 @ 11:38pm

    Re:

    He'll be eating it on stage.

    link to this | view in thread ]

  7. icon
    anymouse (profile), 4 May 2011 @ 7:47am

    How is this different than Copyright Infringement? Oh, that's right the **AA's bought the laws

    So if individuals have to prove 'actual harm' when a company hands over all of their personal information (lets start calling it PIP - Personal Intellectual Property which is what it is after all). Why don't companies have to prove 'actual harm' when an individual hands one piece of their IP to someone else?

    Yes, I know it's because there is a law with a 'statutory damages' clause that makes this possible....

    So lets get a new law passed (anyone out there own a congress critter to get this going?) applying the same 'statutory damages' concept to companies infringing on individuals PIP. I think it would be fair to add a 'punitive damages' clause to PIP losses as well, since without these excessive damage awards, companies will never learn that they need to be careful with everyone's intellectual property, not just their own.

    If sharing one song is worth $150,000, I'm sure that sharing one individuals PIP would be worth at least $1,500,000 in statutory damages, and another $5,000,000 in punitive damages, after all one individual could have produced an infinite number of songs/movies/games/software/etc, if only their valuable personal intellectual property hadn't been stolen by those dirty rotten corporations....

    I'm not really serious.... or am i? /sarcasm off

    link to this | view in thread ]


Follow Techdirt
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Discord

The latest chatter on the Techdirt Insider Discord channel...

Loading...
Recent Stories

This site, like most other sites on the web, uses cookies. For more information, see our privacy policy. Got it
Close

Email This

This feature is only available to registered users. Register or sign in to use it.