There are two important takeaways from the opinion dismissing the consolidated In re iPhone Application Litigation on September 20, 2011: (1) breach of privacy alone is not treated as a “injury in fact”; and (2) breach of privacy in data does not constitute the necessary economic “loss” required for a civil claim under the Computer Fraud and Abuse Act.
No Named Plaintiff Had An Actual “Injury in Fact”
The Plaintiffs advanced 3 arguments for how they suffered an injury in fact:
(1) misappropriation or misuse of personal information; (2) diminution in value of the personal information, which is an “asset of economic value” due to its scarcity; and (3)
“lost opportunity costs” in having installed the apps, and diminution in value of the iDevices because they are “less secure” and “less valuable” in light of the privacy concerns.
None of those arguments amounted to an injury in fact, according to the court on page 6 of the opinion. The primary reasoning was because they all argued that there were injuries in theory, so to speak, but none of the named Plaintiffs could say how they themselves had been injured by the breach in their own privacy by the access to or tracking of their own personal information.
Here is what we can take from this: the breach of one’s privacy alone–without something more to cause an actual harm beyond the breach itself–is not yet considered to be actionable damage.
Computer Fraud and Abuse Act
The court analyzed the Computer Fraud and Abuse Act claim and, on page 16 of the opinion found that the Plaintiffs’ failed to sufficiently allege economic damages to one or more persons during any one-year period aggregating at least $5,000 in value.
This should come as no surprise and is a fairly well settled reading of the CFAA. In fact, I actually predicted this same outcome in 3 separate blog posts last Spring:
So, when it comes to using the Computer Fraud and Abuse Act for privacy claims, I hate to say I told you so but, well, I told you so … we’re just not there yet. But, just because you can’t get there under the CFAA doesn’t mean all is lost — remember, Who’s Gonna Get It?
- 3 Recent Computer Fraud and Abuse Act Cases Worth Noting (shawnetuma.com)
- Minimizing the risk of employee data breach and privacy mischief in the cloud (shawnetuma.com)
- comScore Lawsuit and that Pesky Loss Requirement of the Computer Fraud and Abuse Act (shawnetuma.com)
- Can stealing a CAR violate the Computer Fraud and Abuse Act? (shawnetuma.com)
- “What Does CFAA Mean and Why Should I Care?” – A Primer on the Computer Fraud and Abuse Act for Civil Litigators (shawnetuma.com)