Court Kicks Data Breach Claim Against Valve – Grigsby v. Valve

November 20, 2012 · by Venkat Balasubramani · in E-Commerce, Privacy/Security

Grigsby v. Valve Corp., No. C12-0553JLR (W.D. Wash. Nov. 14, 2012)

Valve is facing a putative class action over a hacking incident involving a breach of Valve’s security system and access to the personal information of “Steam” users. (See “Valve confirms Steam hack: credit cards, personal info may be stolen.”) This is an unexceptional ruling in a data breach class action: the court dismisses the claims (albeit with leave to amend).

The lawsuit was originally filed in the Central District of California, but the case was transferred to the Western District of Washington based on application of a forum selection clause in the Steam user agreement. data breach.jpg The court analyzes the allegations of harm in two different categories:

Allegations of future harm: First, there are allegations of future harm—i.e., plaintiffs said they would have to “spend money to ‘protect their privacy’”. (quotations in original) The court says (citing to Pisciotta and Ruiz v. Gap) that these are not cognizable damages.

Allegations of present harm: The allegations of present harm fall into a few categories: (1) loss of access to Valve’s service; (2) loss of data; and (3) loss of “the benefit of the bargain”. The court says that the present harm allegations do not give rise to the same unique issues and looks instead to the general principles applicable to pleadings, and the standards set forth by the Supreme Court in Iqbal and Twobmly. The court says that Twombly marked a shift, and together the two cases established a more stringent pleading requirement (the complaint must allege facts “with a sufficient level of specificity to raise entitlement to relief above the speculative level”). The court also says that the pleading requirements are particularly important in a putative class action such as this one where the loss of a 12b6 motion opens the door to discovery—that is likely to be resource-intensive and expensive for the defendant. In light of this, the court says: “plaintiffs’ complaint must rise to a higher plausibility threshold than it would if it were a garden-variety tort claim or a claim brought by Mr. Grigsby alone.” The court says that plaintiffs allegations fall “well short”:

[Plaintiffs] say nothing about which services were interrupted, which subscriptions or gaming networks they were unable to access, what data they ‘lost,’ how their data could have been ‘lost’ in this situation, or how they may have lost money by subscribing to Steam, which is free.

Although the court dismisses the complaint, the court gives plaintiffs 30 days leave to amend.

Not a surprising result. Courts have invoked Iqbal and Twombly in the past, but I don’t recall courts focusing so much on the discovery burdens imposed by class actions and how this warrants even more stringent pleading standards. This is closely related doctrinally to standing, but it’s just another tool courts have available to put the brakes on privacy class actions.

The plaintiff here does not appear to have suffered any effects from the misuse of his data, and this takes him outside the small category of recent cases where courts have declined to dismiss data breach claims. Any allegations based on diminution in value to plaintiff’s personal data are unlikely to gain any traction. Similarly, any allegations based on alleged deprivation of the benefit of the bargain are also unlikely to gain traction.

The court sends a pretty strong message to the plaintiff that it’s not enthused about his claims and will not let them move forward absent some more concrete allegations and more importantly, harm. We’ll see what the plaintiff comes back with. (The order does not contain any discussion of whether Valve offered standard credit monitoring services, but this obviously bears on the issue of whether plaintiff has cognizable damages.)

(h/t: PogoWasRIght)

Other coverage:

Data Privacy Monitor: Data Breach Class Action against Popular Video Game Developer Dismissed for Failure to Plead Adequate Damages

Sony Network Data Breach Class Action Suffers Setback — In re Sony Gaming Network

Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit — Krottner v. Starbucks

9th Circuit Affirms Rejection of Data Breach Claims Against Gap — Ruiz v. Gap

LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds–Low v. LinkedIn

Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data — Reilly v. Ceridian

First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing–Katz v Pershing

New Essay: The Irony of Privacy Class Action Lawsuits

Another Data Loss Case Tossed on Article III Grounds–Whitaker v. Health Net

Reidentification Theory Doesn’t Save Privacy Lawsuit–Steinberg v. CVS Caremark