It was a good day for eBay in a federal court in Louisiana.
Judge Susie Morgan dismissed, without prejudice, a potential class action lawsuit that had filed in July 2014 by Collin Green against eBay over the data breach they had disclosed in 2014. At the time, eBay said it had no evidence that payment card data, which was encrypted, had been accessed or misused. Nor did it have any evidence that any PayPal data had been acquired or misused.
When the lawsuit was reported in the media, I had commented:
From the reporting, it is not clear whether the complaint alleges any actual harm occurred or only potential harm. If the latter, this lawsuit may go the way of most lawsuits that are dismissed.
And that appears to be exactly what happened. Green, who was the only named plaintiff, did not allege any cognizable injury-in-fact. His lawsuit, like so many others before his, basically argued the harm was the risk of future harm, as breach victims have statistically hire likelihood of becoming victims of ID theft. But as many courts before this one have held, without any demonstration that the plaintiff or anyone else had actually suffered any misuse of their data, and without a demonstration of “imminent” risk of injury, the court held that the plaintiff does not have Article III standing, and dismissed the case. The court never reached the third prong of the standing issue – whether the relief sought would alleviate the harm.
By now, it should be clear that attempts to sue where none of the named plaintiffs have incurred actual unreimbursed injury or can demonstrate truly “imminent” injury will not survive a challenge to standing. When will lawyers move on to another strategy?