Courts Split Over Impact of Supreme Court Decision
The Southern District of California last month let 8 out of 51 claims survive in a putative class action arising out of the 2011 breach of the Sony PlayStation network. In re Sony Gaming Networks & Customer Data Sec. Breach Litig., MDL 11MD2258 AJB MDD, 2014 WL 223677 (S.D. Cal. Jan. 21, 2014) (Sony II). In doing so, the court contradicted widespread expectations, and developing law from other circuits (including a Feb. 10 decision from the Southern District of Ohio in the Nationwide Insurance breach litigation), in finding that plaintiffs alleging only the possibility of future harm had standing in light of the U.S. Supreme Court’s recent decision in Clapper v. Amnesty International, 133 S. Ct. 1138 (2013). The court determined that the Sony Plaintiffs had standing merely because they alleged that their information had been wrongfully disclosed, without an allegation that it had been misused. In contrast, less than three weeks after the Sony decision, the District Court for the Southern District of Ohio determined that plaintiffs in the Nationwide Insurance breach litigation did not have standing when all they could allege was an unauthorized disclosure of their information, a holding it based explicitly on Clapper, and declined to follow the reasoning employed by the Ninth Circuit.
This update first summarizes the Sony case, as it may well serve as a magnet to draw data breach and other consumer class action litigation into courts within the Ninth Circuit. It then briefly discusses the Nationwide case as the most recent application of post-Clapper law.
The Sony breach was widely reported in 2011 and involved a criminal attack on servers used for online services that connected to Sony’s PlayStation consoles. Hackers accessed Sony’s network, stealing the personal information of millions of customers, including credit card information. Sony shut the PlayStation network down for several weeks, during which time customers were unable to access Sony services or various third-party services available through the network (such as Netflix). Multiple lawsuits quickly followed in the wake of the breach, alleging misrepresentations regarding Sony’s security as well as the circumstances of the breach and injuries flowing from the loss of online services, overpayment for the consoles in light of Sony’s misrepresentations, and likely identity theft resulting from the unauthorized disclosure of personal information.
The lawsuits were consolidated through the MDL process before the Southern District of California. The original consolidated class action complaint raised seven claims on behalf of five named plaintiffs. The court dismissed that complaint in its entirety in October 2012, finding standing based on the likelihood of future harm but concluding that plaintiffs did not allege sufficient injury. In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 903 F. Supp. 2d 942 (S.D. Cal. 2012). Plaintiffs filed a greatly expanded amended complaint in December 2012, raising 51 claims on behalf of 11 named plaintiffs. The new claims largely involved state law claims for the nine different states comprising the homes of the proposed named plaintiffs.
Plaintiffs’ Claims
The 51 claims in the amended complaint in Sony II can be broken down into 9 claim categories: (1) negligence; (2) negligent misrepresentation; (3) breach of express warranty; (4) breach of implied warranty; (5) unjust enrichment; (6) violation of state consumer protection statutes; (7) violation of the California Database Breach Act; (8) violation of the federal Fair Credit Reporting Act; and (9) partial performance/breach of the covenant of good faith and fair dealing. (This last one also survived because it deals with factual issues regarding a settlement agreement between the parties.)
Although most of these claims failed for lack of sufficiently concrete injury, some claims based on unfair competition survived Sony’s motion to dismiss—including some claims for damages.
Sony was successful in getting 43 claims dismissed using a variety of strategies:
- Most of the negligence and negligent misrepresentation claims, as well as the consumer protection claims seeking damages, were unsuccessful because of failure to allege injury caused by the breach. Either the timing was wrong (plaintiffs could not have seen most of the disclosures before purchasing their consoles, so could not claim the price of the console as damages), the injury was insufficient (loss of free services, for example) or simply not alleged. The economic loss doctrine also barred claims in California and Massachusetts, even where the pleading was more specific.
- Breach of Implied Warranty claims were dismissed because they were disclaimed in the terms and privacy policy.
- Breach of Warranty claims were dismissed because they were made under the laws of states other than California, while still explicitly based on Sony’s user agreements, which require interpretation under California law.
- Unjust Enrichment claims were...