At the beginning of May, a federal judge in the Eastern District of Louisiana dismissed a putative class action against eBay stemming from a breach the company experienced in 2014. Green v. eBay Inc.
In that breach, hackers accessed customers' names, encrypted passwords, dates of birth, and contact information, but no financial data or social security numbers. In that case, the plaintiff did not allege that any of the information accessed was actually misused or that there was any attempt to use it, so his primary theory of injury was based on an increased risk of identity theft. The court concluded "the mere fact that Plaintiff's information was accessed during the Data Breach is insufficient to establish injury-in-fact," and "the potential threat of identity theft or identity fraud, to the extent any exists in this case, does not confer standing on Plaintiff to pursue this action in federal court." The court noted that its disposition was in line with the vast majority of post-Clapper data breach cases to have considered the issue.