In In re Adobe Sys., Inc. Privacy Litig., No. 13-CV-05226-LHK (N.D. Cal. Sept. 4, 2014), Judge Koh found that plaintiffs in a consolidated class action suit had standing to sue defendant Adobe Systems, Inc., despite plaintiffs’ failure to allege actual improper use of stolen personal information. This holding is particularly significant because the U.S. Supreme Court in Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013), drove many other courts across the country to dismiss similar causes of action based on a lack of standing. Judge Koh’s decision may give renewed vigor to data breach plaintiffs nationwide.
For those unfamiliar with the facts of the Adobe breach, in July 2013, hackers accessed Adobe’s servers and spent several weeks undetected, removing customer names, login IDs, passwords, credit and debit card numbers, expiration dates, and mailing and e-mailing addresses. Plaintiffs, as both customers of Adobe licensed products and Creative Cloud subscribers, filed suit alleging violations of Sections 1798.81.5 and 1798.82 of the California Civil Code, and seeking injunctive and declaratory relief.
Like many other data breach defendants who have relied on Clapper, Adobe moved to dismiss all claims, arguing that plaintiffs lacked standing to sue. Following Clapper, Adobe argued that data breach plaintiffs must assert “certainly impending” injuries and reiterated that allegations of possible future injuries are insufficient. A slight impediment was the Ninth Circuit’s decision in Krottner v. Starbucks Corp., which had acknowledged that the possibility of future injury was sufficient to confer standing. 628 F.3d 1139 (9th Cir. 2010). Adobe argued that Clapper essentially overruled Krottner, but Judge Koh disagreed, finding that Clapper did not change established standing requirements. Rather, the court explained that Krottner remains controlling precedent in the Circuit and, although the cases use differing language to describe the degree of injury a plaintiff must allege in order to have standing, these differences are not irreconcilable. Furthermore, Judge Koh reiterated that even if Krottner were no longer good law, the harm threatened by the Adobe breach was sufficiently concrete and imminent to satisfy Clapper.
Judge Koh emphasized that the hackers deliberately targeted Adobe’s servers and spent several weeks collecting the plaintiffs’ personal information. As such, the danger that plaintiffs’ stolen data would be subject to...
