2. Damages for contract breach
Non-economic loss is not compensable under contract principles. Damages are limited to economic loss that is the direct result of the contract breach.
"Plaintiffs' sole allegation on the element of contract damages consists of the statement that JetBlue's breach of the company privacy policy injured plaintiffs and members of the class and that JetBlue is therefore liable for 'actual damages in an amount to be determined at trial'.... At oral argument, when pressed to identify the 'injuries' or damages referred to in the Amended Complaint, counsel for plaintiffs stated that the 'contract damage could be the loss of privacy,' acknowledging that loss of privacy 'may' be a contract damage. The support for this proposition was counsel's proffer that he had never seen a case that indicates that loss of privacy cannot as a matter of law be a contract damage. In response to the Court's inquiry as to whether a further specification of damages could be set forth in a second amended complaint, counsel suggested only that perhaps it could be alleged or argued that plaintiffs were deprived of the 'economic value' of their information. Despite being offered the opportunity to expand their claim for damages, plaintiffs failed to proffer any other element or form of damages that they would seek if given the opportunity to amend the complaint.[1]
"[H]ad the cases brought in New York proceeded in state court, the contract actions would have been dismissed based upon state pleading rules.... Neither side has addressed whether the result would be the same or different under the pleading requirements of Rule 8 of the Federal Rules of Civil Procedure, which in fact applies to this proceeding.... Even if federal pleading rules require less specification, the result should not be different.[2]
"As plaintiffs' counsel concedes, the only damage that can be read into the present complaint is a loss of privacy. At least one recent case has specifically held that this is not a damage available in a breach of contract action. See Trikas v. Universal Card Services Corp., 351 F.Supp.2d 37, 46 (E.D.N.Y. 2005). This holding naturally follows from the well-settled principle that 'recovery in contract, unlike recovery in tort, allows only for economic losses flowing directly from the breach.' Young v. U.S. Dep't of Justice, 882 F.2d 633, 641 (2d Cir. 1989); see Katz v. Dime Savings Bank, FSB, 992 F.Supp 250, 255 (W.D.N.Y. 1997) (non-economic loss is not compensable in a contract action)."[3]
[Also Hadley v. Baxendale: liability only for damages reasonably foreseeable as resulting from breach of contract at the time the contract is formed;[4] and Katz v. Dime Sav. Bank, 992 F.Supp at 255: put plaintiff in the economic position they would be in had the contract been performed.[5]]
"[T]here is absolutely no support for the proposition that the personal information of an individual JetBlue passenger had any value for which that passenger could have expected to be compensated. It strains credulity to believe that, had JetBlue not provided the PNR data en masse to Torch, Torch would have gone to each individual JetBlue passenger and compensated him or her for access to his or her personal information. There is likewise no support for the proposition that an individual passenger's personal information has or had any compensable value in the economy at large."[6]
The court also rejected the plaintiff's Article III standing in Low v. LinkedIn for failure to establish economic injury or harm due to reduced market value of the plaintiff's personal information. However, the Low court followed Krottner v. Starbucks Corp. in recognizing injury-in-fact because of increased risk of future harm. The Low court also acknowledges that individuals theoretically have a property interest in their personal information.
"Low alleges that his browsing history is personal property with market value and that he has 'relinquished this valuable personal property without compensation to which he was due'.... Plaintiff is alleging that his personal information has an independent economic value, and that he was not justly compensated for LinkedIn's transfer of his personal data to third party data aggregators.[7]
"These allegations, however, appear to be too abstract and hypothetical to support Article III standing. The recent case of Specific Media is instructive. See LaCourt v. Specific Media, Inc., 2011 U.S. Dist. LEXIS 50543, at *9-12 (C.D. Cal. Apr. 28, 2011). In Specific Media, plaintiffs accused an online third party ad network, Specific Media, of installing 'cookies' on their computers to circumvent user privacy controls and track internet use without user knowledge or consent. The court held that plaintiffs lacked Article III standing in part because they had not alleged any 'particularized example' of economic injury or harm to their computers. The Court noted that while Plaintiffs may theoretically have had some property interest in their personal information, they had not 'identif[ied] a single individual who was foreclosed from entering into a "value-for-value exchange" as a result of [Defendant's] alleged conduct,' and they had not explained 'how they were "deprived" of the economic value of their personal information simply because their unspecified personal information was purportedly collected by a third party.' Other cases, analyzing similar legal issues, have held that unauthorized collection of personal information does not create an economic loss. See In re iPhone Application Litig., No. 11-MDL-02250, 2011 U.S. Dist. LEXIS 106865 (N.D. Cal. Sept. 20, 2011); In re Doubleclick, Inc., Privacy Litig., 154 F. Supp. 2d 497, 525 (S.D.N.Y. 2001) (holding that unauthorized collection of personal information by a third party is not 'economic loss'); see also In re JetBlue Airways Corp., Privacy Litig., 379 F. Supp. 2d 299, 327 (E.D.N.Y. 2005) (explaining that airline's disclosure of passenger data to third party in violation of airline's privacy policy had no compensable value)....[8]
"Low relies upon allegations that the data collection industry generally considers consumer information valuable, and that he relinquished his valuable personal information without the compensation to which he was due. But Low, like the plaintiffs in Specific Media, has failed to allege facts that demonstrate that he was economically harmed by LinkedIn's practices. Low has failed to allege how he was foreclosed from capitalizing on the value of his personal data or how he was 'deprived of the economic value of [his] personal information simply because [his] unspecified personal information was purportedly collected by a third party.' 2011 U.S. Dist. LEXIS 50543, 2011 WL 1661532 at *5.[9]
"Plaintiff relies on Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), to argue that the loss of personal information may be sufficient to confer Article III standing.... Plaintiffs in Krottner were Starbucks employees that had had their personal information, including names, addresses, and social security numbers, compromised as the result of the theft of a company laptop.... Class members brought an action against Starbucks, alleging negligence and breach of contract.... The Ninth Circuit held that the plaintiffs satisfied the injury-in-fact requirement through their allegations of increased risk of future identify theft because they had 'alleged a credible threat of real and immediate harm stemming from the theft of a laptop containing their unencrypted personal data'....
"In reaching its decision, the Ninth Circuit relied on analogous reasoning in environmental claims, wherein a plaintiff may allege a future injury in order to comply with the injury-in-fact requirement... (quoting Cent. Delta Water Agency v. United States, 306 F.3d 938, 948-50 (9th Cir. 2002). The Ninth Circuit explained that:
'[T]he injury in fact requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would have otherwise faced, absent the defendant's actions...'
"(quoting Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629, 634 (7th Cir. 2007). Thus, where sensitive personal data, such as names, addresses, social security numbers and credit card numbers, is improperly disclosed or disseminated into the public, increasing the risk of future harm, injury-in-fact has been recognized. See Krottner, 628 F.3d 1139; see also Doe 1 v. AOL, 719 F. Supp. 2d 1102, 1109-1111 (2010) (holding that past publication of sensitive personal information, including credit card numbers, social security numbers, financial account numbers, and information regarding AOL members' personal issues, including sexuality, mental illness, alcoholism, incest, rape, and domestic violence and continuing collection and dissemination of this same sensitive information is sufficient to establish standing)."[10]
In Low v. LinkedIn, the court establishes that increasing the risk of future harm constitutes injury-in-fact in a breach-of-contract action. The Krottner "highly sensitive" requirement can be extended to the tracking information commonly collected by Web services because of the increasing detail and consequent value of the services' user profiles.
When Web services collect, resell, and reuse their customers' personal information, they increase the risk of future harm by making it more likely that the private data will be used against the customers' best interests. More importantly, customers haven't waived their property right to the information even though they have lost dominion and control over their private data.
[1] In re JetBlue Airways Corp. Privacy Litig., 379 F. Supp. 2d 326 (E.D.N.Y. 2005).
[2] Id.
[3] Id. at 326-327.
[4] Hadley v. Baxendale, 9 Ex. 341, 156 Eng.Rep. 145 (1854).
[5] Katz v. Dime Sav. Bank, FSB, 992 F. Supp. 250 (W.D. N.Y. 1997).
[6] Id.
[7] Low v. Linkedin Corp., 2011 U.S. Dist. 10, LEXIS 130840 (N.D. Cal. Nov. 11, 2011).
[8] Id. at 11.
[9] Id. at 11-12.
[10] Id. at 13-14.
3. Offer, acceptance, bargained-for consideration
"Plaintiffs' sole allegation on the element of contract damages consists of the statement that JetBlue's breach of the company privacy policy injured plaintiffs and members of the class and that JetBlue is therefore liable for 'actual damages in an amount to be determined at trial'.... At oral argument, when pressed to identify the 'injuries' or damages referred to in the Amended Complaint, counsel for plaintiffs stated that the 'contract damage could be the loss of privacy,' acknowledging that loss of privacy 'may' be a contract damage. The support for this proposition was counsel's proffer that he had never seen a case that indicates that loss of privacy cannot as a matter of law be a contract damage. In response to the Court's inquiry as to whether a further specification of damages could be set forth in a second amended complaint, counsel suggested only that perhaps it could be alleged or argued that plaintiffs were deprived of the 'economic value' of their information. Despite being offered the opportunity to expand their claim for damages, plaintiffs failed to proffer any other element or form of damages that they would seek if given the opportunity to amend the complaint.[1]
"[H]ad the cases brought in New York proceeded in state court, the contract actions would have been dismissed based upon state pleading rules.... Neither side has addressed whether the result would be the same or different under the pleading requirements of Rule 8 of the Federal Rules of Civil Procedure, which in fact applies to this proceeding.... Even if federal pleading rules require less specification, the result should not be different.[2]
"As plaintiffs' counsel concedes, the only damage that can be read into the present complaint is a loss of privacy. At least one recent case has specifically held that this is not a damage available in a breach of contract action. See Trikas v. Universal Card Services Corp., 351 F.Supp.2d 37, 46 (E.D.N.Y. 2005). This holding naturally follows from the well-settled principle that 'recovery in contract, unlike recovery in tort, allows only for economic losses flowing directly from the breach.' Young v. U.S. Dep't of Justice, 882 F.2d 633, 641 (2d Cir. 1989); see Katz v. Dime Savings Bank, FSB, 992 F.Supp 250, 255 (W.D.N.Y. 1997) (non-economic loss is not compensable in a contract action)."[3]
[Also Hadley v. Baxendale: liability only for damages reasonably foreseeable as resulting from breach of contract at the time the contract is formed;[4] and Katz v. Dime Sav. Bank, 992 F.Supp at 255: put plaintiff in the economic position they would be in had the contract been performed.[5]]
"[T]here is absolutely no support for the proposition that the personal information of an individual JetBlue passenger had any value for which that passenger could have expected to be compensated. It strains credulity to believe that, had JetBlue not provided the PNR data en masse to Torch, Torch would have gone to each individual JetBlue passenger and compensated him or her for access to his or her personal information. There is likewise no support for the proposition that an individual passenger's personal information has or had any compensable value in the economy at large."[6]
The court also rejected the plaintiff's Article III standing in Low v. LinkedIn for failure to establish economic injury or harm due to reduced market value of the plaintiff's personal information. However, the Low court followed Krottner v. Starbucks Corp. in recognizing injury-in-fact because of increased risk of future harm. The Low court also acknowledges that individuals theoretically have a property interest in their personal information.
"Low alleges that his browsing history is personal property with market value and that he has 'relinquished this valuable personal property without compensation to which he was due'.... Plaintiff is alleging that his personal information has an independent economic value, and that he was not justly compensated for LinkedIn's transfer of his personal data to third party data aggregators.[7]
"These allegations, however, appear to be too abstract and hypothetical to support Article III standing. The recent case of Specific Media is instructive. See LaCourt v. Specific Media, Inc., 2011 U.S. Dist. LEXIS 50543, at *9-12 (C.D. Cal. Apr. 28, 2011). In Specific Media, plaintiffs accused an online third party ad network, Specific Media, of installing 'cookies' on their computers to circumvent user privacy controls and track internet use without user knowledge or consent. The court held that plaintiffs lacked Article III standing in part because they had not alleged any 'particularized example' of economic injury or harm to their computers. The Court noted that while Plaintiffs may theoretically have had some property interest in their personal information, they had not 'identif[ied] a single individual who was foreclosed from entering into a "value-for-value exchange" as a result of [Defendant's] alleged conduct,' and they had not explained 'how they were "deprived" of the economic value of their personal information simply because their unspecified personal information was purportedly collected by a third party.' Other cases, analyzing similar legal issues, have held that unauthorized collection of personal information does not create an economic loss. See In re iPhone Application Litig., No. 11-MDL-02250, 2011 U.S. Dist. LEXIS 106865 (N.D. Cal. Sept. 20, 2011); In re Doubleclick, Inc., Privacy Litig., 154 F. Supp. 2d 497, 525 (S.D.N.Y. 2001) (holding that unauthorized collection of personal information by a third party is not 'economic loss'); see also In re JetBlue Airways Corp., Privacy Litig., 379 F. Supp. 2d 299, 327 (E.D.N.Y. 2005) (explaining that airline's disclosure of passenger data to third party in violation of airline's privacy policy had no compensable value)....[8]
"Low relies upon allegations that the data collection industry generally considers consumer information valuable, and that he relinquished his valuable personal information without the compensation to which he was due. But Low, like the plaintiffs in Specific Media, has failed to allege facts that demonstrate that he was economically harmed by LinkedIn's practices. Low has failed to allege how he was foreclosed from capitalizing on the value of his personal data or how he was 'deprived of the economic value of [his] personal information simply because [his] unspecified personal information was purportedly collected by a third party.' 2011 U.S. Dist. LEXIS 50543, 2011 WL 1661532 at *5.[9]
"Plaintiff relies on Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010), to argue that the loss of personal information may be sufficient to confer Article III standing.... Plaintiffs in Krottner were Starbucks employees that had had their personal information, including names, addresses, and social security numbers, compromised as the result of the theft of a company laptop.... Class members brought an action against Starbucks, alleging negligence and breach of contract.... The Ninth Circuit held that the plaintiffs satisfied the injury-in-fact requirement through their allegations of increased risk of future identify theft because they had 'alleged a credible threat of real and immediate harm stemming from the theft of a laptop containing their unencrypted personal data'....
"In reaching its decision, the Ninth Circuit relied on analogous reasoning in environmental claims, wherein a plaintiff may allege a future injury in order to comply with the injury-in-fact requirement... (quoting Cent. Delta Water Agency v. United States, 306 F.3d 938, 948-50 (9th Cir. 2002). The Ninth Circuit explained that:
'[T]he injury in fact requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would have otherwise faced, absent the defendant's actions...'
"(quoting Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629, 634 (7th Cir. 2007). Thus, where sensitive personal data, such as names, addresses, social security numbers and credit card numbers, is improperly disclosed or disseminated into the public, increasing the risk of future harm, injury-in-fact has been recognized. See Krottner, 628 F.3d 1139; see also Doe 1 v. AOL, 719 F. Supp. 2d 1102, 1109-1111 (2010) (holding that past publication of sensitive personal information, including credit card numbers, social security numbers, financial account numbers, and information regarding AOL members' personal issues, including sexuality, mental illness, alcoholism, incest, rape, and domestic violence and continuing collection and dissemination of this same sensitive information is sufficient to establish standing)."[10]
In Low v. LinkedIn, the court establishes that increasing the risk of future harm constitutes injury-in-fact in a breach-of-contract action. The Krottner "highly sensitive" requirement can be extended to the tracking information commonly collected by Web services because of the increasing detail and consequent value of the services' user profiles.
When Web services collect, resell, and reuse their customers' personal information, they increase the risk of future harm by making it more likely that the private data will be used against the customers' best interests. More importantly, customers haven't waived their property right to the information even though they have lost dominion and control over their private data.
[1] In re JetBlue Airways Corp. Privacy Litig., 379 F. Supp. 2d 326 (E.D.N.Y. 2005).
[2] Id.
[3] Id. at 326-327.
[4] Hadley v. Baxendale, 9 Ex. 341, 156 Eng.Rep. 145 (1854).
[5] Katz v. Dime Sav. Bank, FSB, 992 F. Supp. 250 (W.D. N.Y. 1997).
[6] Id.
[7] Low v. Linkedin Corp., 2011 U.S. Dist. 10, LEXIS 130840 (N.D. Cal. Nov. 11, 2011).
[8] Id. at 11.
[9] Id. at 11-12.
[10] Id. at 13-14.
3. Offer, acceptance, bargained-for consideration
Copyright 2014-2015 by Dennis O'Reilly/Rag Hall -- All rights reserved.