Recently, a federal court in California held that the loss of stored data, without more, is insufficient to establish Article III standing to withstand a motion to dismiss. In so doing, the court joined a number of other courts in holding that allegations of speculative harm devoid of allegations that personal information was stolen or hacked is likewise insufficient to establish an injury in fact.
In Riordan v. Western Digit. Corp., Plaintiffs brought a slew of claims against Western Digital arising out of an attack by third-party hackers on Western Digital’s legacy Internet-connected hard drives, My Book Live and My Book Live Duo (“Products”). 2022 U.S. Dist. LEXIS 101685, at *2 (N.D. Cal. June 7, 2022). The third-party hackers performed a factory reset of Western Digital’s Products, remotely erasing all data stored on the Products. Id.
Plaintiffs alleged two theories of injuries resulting from the breach. Plaintiffs generally alleged that due to the attack, they lost years’ worth of sensitive, intimate, and valuable personal, commercial, and/or proprietary information, including important financial information and priceless personal items, such as personal photographs. Id. at *2-3. Plaintiffs did not otherwise specify the types of information that were lost. Plaintiffs further alleged that they faced a risk of future data misuse “if [their personal data] has made its way into the hands of cyber-criminals.” Id. at *7.
In granting Western Digital’s motion to dismiss, the court held that Plaintiff’s blanket allegation that their data was deleted and could not be recovered from the Products did not allege an injury in fact. Id. at *8. The court reasoned that “[p]laintiffs failed to describe whether their data was permanently lost, and/or whether another copy of the data was stored elsewhere[,]” and “fail[ed] to describe the type of data lost, or explain why it was valuable and why its loss would cause harm.” Id.
The court likewise held that Plaintiffs’ allegation that their data may have “made its way into the hands of cyber-criminals” was insufficient. “Plaintiffs’ speculative allegations of harm do not establish an injury in fact.” Id. at *9. “Plaintiffs do not allege that through the breach, their specific personal information was stolen or that any harm resulted from the breach (i.e., through hackers).” Id.
This case is yet another example where courts have dismissed complaints that generally allege harm based on generalized, speculative injury for lack of Article III standing. With Riordan, federal courts continue to demonstrate their willingness to dismiss inadequately pleaded complaints in data privacy cases for lack of standing.
Stay tuned for more developments. CPW will keep you in the loop.