·  Legal News, Analysis, & Commentary


EBay Data Breach suit dismissed due to lack of Provable Harm

— May 6, 2015


On Monday, May 4th, Judge Susie Morgan of the Eastern District of Louisiana dismissed a class-action lawsuit filed on behalf of millions of American account-holders whose personal information was compromised during the 2014 EBay data breach. The breach, which occurred in late February or early March of last year, exposed passwords, names, mailing addresses, email addresses, and dates of birth for EBay users, however, no financial or payment information was compromised. The suit was filed in 2014 by Colin Green on behalf of all U.S. EBay users, claiming that the breach caused “actual damages” causing risk for future identity theft and the expense of protecting against it, as well as for lost time. Morgan cited the lack of concrete damages as the main factor in the dismissal, writing “The mere fact that plaintiff’s information was accessed during the data breach is insufficient to establish injury-in-fact. Thus, the potential threat of identity theft or identity fraud, to the extent any exists in this case, does not confer standing on plaintiff to pursue this action in federal court.”

In her opinion, Judge Morgan cited other similar cases in which dismissals were granted, and then used a 2013 case involving Adobe, which was allowed to proceed in Northern California District Court, as the delineation between actual and potential harm. The key component in the law regarding these cases is Article III of the U.S. Constitution and its interpretation of causality. Morgan elaborated in her opinion:

Judge Susie Morgan Dismissed a suit claiming damages from the 2014 EBay data breach on Monday, May 4th, 2015.
Judge Susie Morgan Dismissed a suit claiming damages from the 2014 EBay data breach on Monday, May 4th, 2015.

“This case raises the issue of whether the increased risk of future identity theft or identity fraud posed by a data security breach confers Article III standing on individuals whose information has been compromised by the data breach but whose information has not yet been misused. After considering the parties’ briefs and the relevant case law, the court finds itself positioned with the majority of district courts that have held the answer is no.”

Failure to establish Article III standing is the most common reason for such dismissals. King & Spalding partner, Barry Cohen, describes the legal term “standing” to mean “the ability to demonstrate a connection to – or harm resulting from – a law or action.” In the Adobe case as well as the massive Target data breach from 2013, credit and debit card information was also stolen. While the Adobe suit is ongoing, Target is currently in settlement negotiations to be reviewed by Minnesota’s U.S. District Court in November. Green’s lawyer, Charles Zimmer II blamed the dismissal on the common interpretation of the 2013 Supreme Court ruling in Clapper v. Amnesty International, which did not consider the risk of future identity theft as meeting Article III standards as unfairly discounting the danger that exposure of such information presents. Reacting to the dismissal, Zimmer said, “It’s hard to convince courts that there’s value there, even though people are risking jail time to steal this information and governments and companies are spending lots of money to prevent it.”


Govinfo Security – Matthew J. Schwartz

The Recorder – Ross Todd


Join the conversation!