There are two important takeaways from the opinion dismissing the consolidated In re iPhone Application Litigation on September 20, 2011: (1) breach of privacy alone is not treated as a “injury in fact”; and (2) breach of privacy in data does not constitute the necessary economic “loss” required for a civil claim under the Computer Fraud and Abuse Act.
No Named Plaintiff Had An Actual “Injury in Fact”
The Plaintiffs advanced 3 arguments for how they suffered an injury in fact:
(1) misappropriation or misuse of personal information; (2) diminution in value of the personal information, which is an “asset of economic value” due to its scarcity; and (3)
“lost opportunity costs” in having installed the apps, and diminution in value of the iDevices because they are “less secure” and “less valuable” in light of the privacy concerns.
None of those arguments amounted to an injury in fact, according to the court on page 6 of the opinion. The primary reasoning was because they all argued that there were injuries in theory, so to speak, but none of the named Plaintiffs could say how they themselves had been injured by the breach in their own privacy by the access to or tracking of their own personal information.
Here is what we can take from this: the breach of one’s privacy alone–without something more to cause an actual harm beyond the breach itself–is not yet considered to be actionable damage.
Computer Fraud and Abuse Act
The court analyzed the Computer Fraud and Abuse Act claim and, on page 16 of the opinion found that the Plaintiffs’ failed to sufficiently allege economic damages to one or more persons during any one-year period aggregating at least $5,000 in value.
This should come as no surprise and is a fairly well settled reading of the CFAA. In fact, I actually predicted this same outcome in 3 separate blog posts last Spring:
Apple iTracking Case: will Apple be WINNING on Computer Fraud and Abuse Act claim?
Apple Should Win the Computer Fraud and Abuse Act Claims …
iTracking II: Apple Sued Again for Violating Computer Fraud and Abuse Act
So, when it comes to using the Computer Fraud and Abuse Act for privacy claims, I hate to say I told you so but, well, I told you so … we’re just not there yet. But, just because you can’t get there under the CFAA doesn’t mean all is lost — remember, Who’s Gonna Get It?
Related articles
- 3 Recent Computer Fraud and Abuse Act Cases Worth Noting (shawnetuma.com)
- Minimizing the risk of employee data breach and privacy mischief in the cloud (shawnetuma.com)
- comScore Lawsuit and that Pesky Loss Requirement of the Computer Fraud and Abuse Act (shawnetuma.com)
- Can stealing a CAR violate the Computer Fraud and Abuse Act? (shawnetuma.com)
- “What Does CFAA Mean and Why Should I Care?” – A Primer on the Computer Fraud and Abuse Act for Civil Litigators (shawnetuma.com)
I’ll apologise in advance for any silly statements, as I’m not a lawyer – nor at this moment, particularly quick-witted.
Would not the “damage” suffered from loss of personal data be along the lines of “pain and suffering” awards? They seem to me to be rough parallels. You can’t define “pain” in specific quantities, be it physical, mental, or emotional. In the same line, I would argue that “loss of value” of personal data would be hard to value but definitely present.
Or is that the core of the decision, that loss of personal data does not have any intrinsic value (barring any fraud committed with said data)?
Or am I just a bit over-medicated, and unable to see the answer standing boldly in front of my face? (A “yes” answer is perfectly acceptable and probably closest to the truth! 🙂 )
John, your second point hits it — the Court wasn’t saying that they could not in theory make a claim for such a damage but, rather, that they did not. Hypothetically speaking, perhaps if they had been driving a car and immediately had a panic attack, for their first time in their life, strike them the moment they learned of the personal data loss, which then caused them to crash the car, break their leg, total out their car, and spend the next year in therapy, they just might get there!