In Kylie S. v. Pearson Plc, No. 19 C 5936, 2020 U.S. Dist. LEXIS 133299 (N.D. Ill. July 28, 2020), Judge Lee dismissed a data breach class action for absence of Article III standing. The facts were as follows:
Sometime in late 2018, hackers penetrated AIMSweb’s defenses and gained access to the data stored on the platform. Am. Compl. ¶ 1. But it was not until early 2019, when the FBI detected the incident, that Pearson realized that AIMSweb had been compromised. Id. ¶ 41. In a preliminary analysis, the FBI estimated that the intruders could have accessed information related to roughly 900,000 students at about 13,000 schools. Id. The disclosed data included “first name, last name, and in some instances . . . date of birth and/or email address,” along with students’ “unique student identification numbers.” Id. ¶ 47. About four months after the FBI discovered the problem, Pearson issued a public notice acknowledging that a data breach had occurred. Id. ¶¶ 43, 46. Pearson assured customers that it “do[es] not have any evidence that th[e] information has been misused.” Id. ¶ 48. “[A]s a precaution,” however, it “offer[ed] to compensate victims in the form of one year of complimentary credit monitoring services.” Id. ¶¶ 48-49.
Judge Lee found that the claimed need for credit monitoring was not a compensable loss that would confer Article III standing.
To see why this is so, it is helpful to put oneself in the shoes of the hackers responsible for the Pearson breach. They now have a list of students’ names, birthdays, and email addresses. But they have no way of knowing which students hold bank or credit card accounts at which company. And, even if the hackers guess that a specific student patronizes a particular financial institution, they will need to persuade that institution’s IT staff that they represent the student. Given that names, birthdays, and emails are not usually viewed as reliable indicators of identity in and of themselves, that will be a difficult task. Should the hackers succeed, IT staff may still refuse to disclose sensitive information over the phone, preferring to send it to the students’ email or physical addresses, over which the hackers have no control. As this example illustrates, Plaintiffs’ social engineering theory involves a “long sequence of uncertain contingencies involving multiple independent actors.” Attias v. Carefirst, Inc., 865 F.3d 620, 629 (D.C. Cir. 2017). In other words, social engineering only poses a threat if exceptionally determined hackers encounter especially credulous IT personnel. While that combination is theoretically possible, nothing in the complaint establishes that it exposes Plaintiffs to a substantial risk. See Whitmore v. Ark., 495 U.S. 149, 158 (1990) (“Allegations of possible future injury do not satisfy the requirements of Art[icle] III.”). Plaintiffs’ inability to identify any consequences of the data breach reinforces that conclusion. More than a year after the breach, Plaintiffs cannot point to a single instance of identity theft affecting any of the 900,000 members of the putative class. Am. Compl. ¶ 1. By comparison, the Remijas plaintiffs alleged that thousands of shoppers had reported fraudulent charges on their credit card statements. 794 F.3d at 690. And, although Plaintiffs cite an FBI warning that “collection of student data could have . . . safety implications” for children, they do not spotlight any safety incident attributable to the Pearson breach. Am. Compl. ¶ 32. Nor do they “allege that the hacker is a predator, or that the hacker disseminated the information broadly, to predators or anyone else who would harm the children.” Vtech, 2017 WL 2880102, at *4. Ultimately, Plaintiffs’ failure to describe any “fallout” underscores the relatively minimal danger posed by the data breach. Id. at *3-4. In resisting that conclusion, Plaintiffs make much of Pearson’s offer to supply students with free credit monitoring services in the wake of the breach. In Remijas, the court interpreted a similar offer as an admission that the risk of identity theft was not “so ephemeral that it can safely be disregarded.” 794 F.3d at 694. Seizing on that language, Plaintiffs read Remijas as holding that a firm’s provision of identity protection services is enough to establish that a breach poses a material danger. But neither Seventh Circuit case law nor common sense supports that conclusion. When the Remijas court analyzed the risk of identity theft, it repeatedly highlighted the sensitive nature of the compromised data and the actual incidences of fraudulent charges, much more so than the fact that the defendant had offered credit monitoring services to its customers. See, e.g., id. at 690, 691, 692. And in subsequent opinions, the Court of Appeals has assessed the threat posed by data breaches without even mentioning the presence or absence of any offers to provide credit monitoring. See Lewert, 819 F.3d at 967; Tierney v. Advocate Health & Hosps. Corp., 797 F.3d 449, 451 (7th Cir. 2015). At most, Seventh Circuit precedent suggests that the provision of credit monitoring plays a minor part in standing analysis, not the decisive role Plaintiffs envision. Two practical considerations confirm the wisdom of that approach. First, the availability of free credit monitoring is an unreliable indicator of risk.
The premise underlying Plaintiffs’ argument is that firms only offer post-breach services when identity theft poses a serious threat. But firms may have other incentives to offer such services even when a data breach presents little or no risk, such as the need to placate and retain customers. According to a report cited in the complaint, for example, engaging those services has emerged as the “standard” response to data breaches in some industries. Am. Compl. ¶ 29 n.8 (citing Government Accountability Office, Data Breaches—Range of Consumer Risks Highlights Limitations of Identity Theft Services, at *11, https://www.gao.gov/assets/700/697985.pdf.). It follows that the provision of free services reveals relatively little about the degree of risk created by a breach. Second, recognizing an injury-in-fact whenever firms supply identity protection services would create perverse incentives. Most of the time, courts “exclude[ ] evidence of subsequent remedial measures as proof of an admission of fault.” Fed. R. Evid. 407, advisory committee’s notes. A contrary rule would “discourag[e] [defendants] from taking steps in furtherance of added safety.” Id. As the Third and Fourth Circuits have recognized, similar logic militates against placing substantial weight on a firm’s decision to offer post-breach services. See In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625, 634 n.12 (3d Cir. 2017); Beck v. McDonald, 848 F.3d 262, 276 (4th Cir. 2017). To do otherwise risks “disincentiviz[ing] companies from offering [free] services in the wake of a breach.” Horizon, 946 F.3d at 634 n.12. In short, Plaintiffs’ theory fails because the disclosed data is not sensitive enough to materially increase the risk of identity theft. That none of the affected students seems to have suffered adverse consequences from the breach confirms this diagnosis, and Pearson’s provision of credit monitoring services is not a reliable enough indicator of risk to undermine it. 
The result is that Plaintiffs cannot demonstrate Article III standing on this basis.
Nor was Judge Lee convinced that the data hacked had diminished in value to the putative class.
In the alternative, Plaintiffs assert that the data breach reduced the market value of their personal information. “[A]n economic market existed for Plaintiffs’ and Class Members’ [data],” their theory goes, and “the value of that data decreased as a result of its availability on the black market.” Pls.’ Resp. at 12, ECF No. 33. What is missing from the complaint, however, are any allegations that the Pearson hackers have attempted to trade the compromised data for anything of value. See, e.g., In re Yahoo! Inc. Customer Data Sec. Breach Litig., No. 16-MD-02752-LHK, 2017 WL 3727318, at *14 (N.D. Cal. Aug. 30, 2017) (identifying an injury-in-fact because the complaint “include[d] several examples of hackers selling [personal identification information] from Yahoo accounts on the dark web”). Nor do Plaintiffs plead that they have ever sold their data or that they would even consider doing so. See Am. Compl. ¶ 26; Khan v. Children’s Nat’l Health Sys., 188 F. Supp. 3d 524, 533 (D. Md. 2016). Those deficiencies make this theory “too speculative” to confer standing. See Clapper, 568 U.S. at 401.