Businesses face more than reputational risk when the personally identifiable information (“PII”) of their customers is stolen during a data breach. Many data breaches have spawned multi-plaintiff or class action lawsuits by customers whose PII was accessed by unauthorized third parties as a result of the breach. But, until recently, businesses faced modest litigation risk in these cases because most courts held that litigants lacked standing to sue in federal court, reasoning that plaintiffs had yet to suffer an injury absent allegations that the exposure of their PII resulted in identity theft or unauthorized and unreimbursed charges to their financial accounts. This survey discusses new developments in the law of standing in data breach cases, as well as decisions about the viability of legal claims. Currently, the law is sharply divided, and it is likely to remain so for the foreseeable future.
Article III Standing for Data Breach Cases
The recent evolution in case law concerning the standing of plaintiffs in data breach litigation is the outgrowth of two U.S. Supreme Court decisions that established the framework for analyzing Article III’s “injury-in-fact” requirement. In Clapper v. Amnesty International USA, the Supreme Court held that the plaintiffs’ fear that their private communications might be intercepted by government surveillance programs was not an injury in fact because any “threatened injury must be certainly impending to constitute injury in fact,” and “allegations of possible future injury are not sufficient.” The plaintiffs’ injury was “too speculative” because its occurrence “relie[d] on a highly attenuated chain of possibilities” that “the Government [would] imminently target communications to which [they were] parties.” Nor were “measures that they have undertaken to avoid . . . surveillance” an injury; “otherwise, an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear.” Yet, the Clapper Court cautioned that its cases have “not uniformly require[d] plaintiffs to demonstrate that it is literally certain that the harms they identify will come about,” provided there is “a ‘substantial risk’ that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm.”
In Spokeo, Inc. v. Robins, the Court reiterated that the injury-in-fact requirement “does not mean that the risk of real harm cannot satisfy that requirement.” The Spokeo Court held that an alleged Fair Credit Reporting Act (“FCRA”) violation did not, ipso facto, confer standing because “a bare procedural violation, divorced from any concrete harm,” does not “satisfy the injury-in-fact requirement of Article III.” It explained that “[i]n determining whether an intangible harm constitutes injury in fact,” two considerations were important: “whether an alleged intangible harm has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts”; and “because Congress is well positioned to identify intangible harms that meet minimum Article III requirements, its judgment is also instructive and important.” The Spokeo Court remanded the case to the Ninth Circuit to determine “whether the particular procedural violations alleged in this case entail a degree of risk sufficient to meet the concreteness requirement.”
In most data breach cases, the alleged injury resulting from the unauthorized access of PII is the increased risk of identity theft and concomitant expenses associated with mitigating that risk. The courts have reached differing conclusions depending on whether actual identity theft has occurred and whether such an occurrence is found to be a prerequisite for standing.
In Lewert v. P.F. Chang’s China Bistro, Inc., for example, the Seventh Circuit held that theft of debit and credit card information conferred standing to sue. One plaintiff incurred four fraudulent transactions on his debit card, and thereafter purchased credit monitoring services, and while the other plaintiff “did not spot any fraudulent charges on his card, nor did he cancel his card and suffer the associated inconvenient or costs,” he alleged that he “spent time and effort monitoring his card statements and his credit report.” The court held that the injuries alleged were sufficient. First, “the increased risk of fraudulent charges and identity theft” was “concrete enough to support a lawsuit” “because [plaintiffs’] data has already been stolen.” Second, the plaintiffs alleged “time and effort” resolving fraudulent charges and other “measures to mitigate [their] risk.” P.F. Chang’s argued that the data breach “posed a risk only of fraudulent charges to affected cards, not of identity theft,” but the court refused to dismiss the case for lack of standing based on “a factual assumption that has yet to be tested.”
In contrast, a Colorado federal court dismissed a case for this very reason in Engl v. National Grocers by Vitamin Cottage, Inc. Because the “card issuer identified the fraudulent activity on his account and unilaterally exonerated [plaintiff] of responsibility for the fraudulent charges” and then “closed the account associated with the stolen card number,” the Engl court concluded that he “brought [his] exposure to any future harm from the data breach to an end.”
In Welborn v. Internal Revenue Service, a District of Columbia district court held that the plaintiffs alleged an injury in fact arising from a data breach of an online tool used by the Internal Revenue Service (“IRS”) to provide prior-year tax returns to taxpayers because two plaintiffs “allege[d] that they have suffered actual identity theft when someone filed false tax returns (and claimed fraudulent refunds) in their names,” and the third plaintiff “has been the victim of at least two occasions of fraudulent activity in her financial accounts, one of which resulted in the removal of funds from a personal financial account, which occurred after the IRS data breach.” But the plaintiffs’ allegation “that they suffer an increased threat of future identity theft and fraud” was “entirely speculative and depends on the decisions and actions of one or more independent, and unidentified, actor(s),” and the risk of such harm occurring was not “imminent harm that is ‘certainly impending.’” Other injuries the court found too speculative were “general anxiety,” the “diminished value of their PII,” and “time and money spent monitoring and assessing the potential risk of future harm.”
While each plaintiff in Welborn alleged an injury, the court observed that the second element of standing, causation, required plaintiffs to “put forward facts showing that their injuries can be traced to the specific data incident of which they complain and not to any previous theft or data loss incident.” One plaintiff did not allege that his injury was “fairly traceable” to the IRS’s conduct because he “simply allege[d] that the alleged financial fraud happened after the breach.” The court found that the other two plaintiffs alleged a sufficient causal connection to their injuries because they “alleged sufficient facts that, if proved, would tend to show that the information used in the fraudulent tax return was of the same type that was stolen.”
The Third Circuit held in In re Horizon Services Inc. Data Breach Litigation that the plaintiffs, whose PII was contained on stolen laptops, sufficiently alleged an injury in fact even though “none of them had [ ] alleged that the information was actually used to their detriment.” The plaintiffs alleged injury based on both an “increased risk of harm from identity theft, identity fraud, and medical fraud” and “the violation of their statutory rights under FCRA.” Rather than decide whether the plaintiffs had alleged a non-speculative risk of future injury as required by Clapper, the court “conclude[d] that they have standing due to Horizon’s alleged violation of FCRA.” The Horizon Services court reasoned that, while the court’s “pronouncements in this area have not been entirely consistent,” “in some circumstances, [ ] the breach of a statute is enough to cause a cognizable injury—even without economic or other tangible harm.” It held that “[i]n light of the congressional decision to create a remedy for the unauthorized transfer of personal information, a violation of FCRA gives rise to an injury sufficient for Article III standing purposes. Even without evidence that the Plaintiffs’ information was in fact used improperly, the alleged disclosure of their personal information created a de facto injury.” While, under Spokeo, “there are some circumstances where the mere technical violation of a procedural requirement of a statute cannot, in and of itself, constitute an injury in fact,” the Third Circuit found that “[p]laintiffs here do not allege a mere technical or procedural violation of FCRA. They allege instead the unauthorized dissemination of their own private information—the very injury that FCRA is intended to prevent.”
In Beck v. McDonald, the Fourth Circuit affirmed the dismissal of the Privacy Act and Administrative Procedure Act claims arising from the theft of laptops containing patient records from a Veterans Affairs hospital. The plaintiffs alleged two injuries: “(i) the increased risk of future identity theft, and (ii) the costs of protecting against the same.” The Beck court noted that its “sister circuits are divided on whether a plaintiff may establish an Article III injury-in-fact based on an increased risk of future identity theft,” but that where courts recognized such injuries, the plaintiffs’ allegations “sufficed to push the threatened injury of future identity theft beyond the speculative to the sufficiently imminent” because in those cases “the data thief intentionally targeted the personal information compromised in the data breaches.” The Beck plaintiffs, however, “have uncovered no evidence that the information contained on the stolen laptop has been accessed or misused or that they have suffered identity theft, nor, for that matter, that the thief stole the laptop with the intent to steal their private information.” The court also rejected the plaintiffs’ contention that there was a “substantial risk” of harm occurring, even accepting as true plaintiffs’ allegation that “33% of health-related data breaches result in identity theft.” Because the risk was speculative, the cost of protecting against future identity theft also did not confer standing as the harm resulting from such efforts was “self-imposed.” Notably, the Beck court distinguished Horizon Services, where the Third Circuit found standing even though there was no allegation that plaintiffs’ PII had been accessed, because their injury was “the very injury that FCRA is intended to prevent”; whereas in Beck, “[p]laintiffs do not allege that [defendant’s] violations of the Privacy Act alone constitute an Article III injury-in-fact.”
In Galaria v. Nationwide Mutual Insurance Co., the Sixth Circuit held that the plaintiffs had standing to sue even though none of them pled unauthorized charges or identity theft. The plaintiffs’ allegations amounted to a “substantial risk of harm” because, “[w]here a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for fraudulent purposes.” This inference was confirmed by the defendant’s actions: “Nationwide seems to recognize the severity of the risk, given its offer to provide credit-monitoring and identity-theft protection for a full year.” The Galaria court’s finding that the plaintiffs faced “a substantial risk of harm” meant that they “expend[ed] time and money to monitor their credit, check their bank statements, and modify their financial accounts,” which constituted an injury because “it would be unreasonable to expect Plaintiffs to wait for actual misuse—a fraudulent charge on a credit card, for example—before taking steps to ensure their own personal and financial security, particularly when Nationwide recommended taking these steps.”
The Galaria court also addressed whether the plaintiffs satisfied Article III’s causation requirement. The majority of the court held that the plaintiffs’ allegations met the “fairly traceable” requirement for standing because plaintiffs alleged that “the hackers were able to access Plaintiffs’ data only because Nationwide allegedly failed to secure the sensitive personal information entrusted to its custody.”
In Whalen v. Michaels Stores, Inc., the Second Circuit affirmed dismissal of claims for breach of implied contract and under the New York General Business Law based on a data breach at Michaels. The plaintiff alleged that at some point after the data breach, her credit card “was physically presented for payment” on two occasions by an unauthorized third party. Just like the plaintiff in Engl, however, the Whalen plaintiff did not allege that she incurred any fraudulent charges that she was liable to pay, because her credit card company removed the charges and deactivated her account. The Whalen court concluded that the plaintiff’s alleged injury failed the Clapper test because “she never was either asked to pay, nor did pay, any fraudulent charge.” Because her credit card was canceled “and no other personally identifying information—such as her birth date or Social Security number—is alleged to have been stolen,” the court reasoned that the plaintiff “does not allege how she can plausibly face a threat of future fraud.” It rejected the plaintiff’s mitigation allegations as conclusory because she “pleaded no specifics about any time or effort that she herself has spent monitoring her credit.”
While the nature of the breach in Whalen distinguished the case from Galaria, where a broader array of PII was accessed, Whalen is more difficult to reconcile with the Seventh Circuit’s Lewert decision, where the only information obtained by hackers was the plaintiffs’ debit card numbers, and yet the court still held that plaintiffs faced a substantial risk of future injury.