The Split on Standing. Article III of the U.S. Constitution limits federal courts’ jurisdiction to cases and controversies. To give meaning to Article III’s case-or-controversy requirement, courts have developed justiciability doctrines, such as the standing and ripeness doctrines. The question of standing requires that the party seeking relief must have a personal stake in the outcome of the controversy, which is shown by establishing that he or she has suffered an “injury-in-fact.” Article III standing is universally found to exist in cases involving a data breach where there is evidence that the plaintiff’s PII has already been misused. The issue of standing is less settled where a plaintiff’s PII has been accessed but has not yet been misused.
· In Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1147-48 (2013), the Supreme Court held that where a plaintiff seeks to establish standing based on imminent injury, “that ‘threatened injury must be certainly impending to constitute injury in fact.’” At the same time, courts can find standing based on a “substantial risk” that the harm will occur, even if it is not “literally certain” that the harms the plaintiffs identify will come about.
· In Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1548 (2016), the Supreme Court clarified that “[t]o establish injury in fact, a plaintiff must show that he or she suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’” Since the Supreme Court decided Spokeo in May 2016, several courts have had occasion to define the contours of Article III standing in data-breach cases where PII has been accessed or stolen but has not yet been used for an improper purpose.
· In April 2018, the Ninth Circuit joined the Sixth, Seventh and D.C. Circuits in holding that Article III standing exists where the plaintiffs’ PII has been accessed or stolen but has not yet been used for an improper purpose. In re Zappos, 888 F.3d 1020, 1027-30 (9th Cir. 2018) involved a 2012 incident in which hackers breached the servers of online retailer Zappos.com, Inc. and allegedly stole the names, account numbers, passwords, email addresses, billing and shipping addresses, telephone numbers, and credit and debit card information of more than 24 million Zappos customers. Several of those customers filed putative class actions in federal courts across the country, asserting that Zappos had not adequately protected their personal information. The plaintiffs’ claims were based on the hacking incident itself, not on any subsequent illegal activity such as use of the stolen PII to conduct financial transactions. The court held that the plaintiffs sufficiently alleged an injury-in-fact based on the substantial risk that the Zappos hackers, having obtained and compromised the plaintiffs’ respective PII, would commit identity fraud or identity theft.
As mentioned above, the Sixth, Seventh, and D.C. Circuits have each reached similar conclusions. On the other hand, the Third, Fourth, and Eighth Circuits have reached the opposite conclusion, generally finding plaintiffs’ injuries to be too speculative to confer Article III standing where such plaintiffs did not allege any actual or attempted misuse of PII. The Second Circuit has not yet clearly taken a position, although a 2018 opinion from the U.S. District Court for the Western District of New York suggested that the Second Circuit would follow the approach of the Sixth and Seventh Circuits in deciding the issue of Article III standing.
Read Your Policy. Whether Article III standing exists where there is no evidence that wrongfully obtained PII has yet been misused bears directly on the risk of exposure to policyholders. Cyber liability policies generally cover third-party lawsuits from affected individuals arising from a data breach or cyber-security event. A lower bar for standing where PII has not yet been misused may result in an increase in the number of lawsuits filed in the wake of such events. More importantly, a lawsuit brought by individuals whose PII has been wrongfully obtained, but has not yet been misused, may preclude coverage for some policyholders.
Unlike with legacy lines of insurance, such as commercial general liability or directors and officers policies, there is no industry-standard language or Insurance Services Office (ISO) form for cyber liability policies. As a result, there is an incredibly broad spectrum of policy forms available, each delivering coverage using distinct language, endorsements and definitions. Some cyber liability policies provide broad coverage for “failure to prevent unauthorized access to” PII or “any failure to protect” PII. Such language should be broad enough to provide coverage in a scenario where PII has been accessed, but not yet misused. On the other hand, some cyber liability policies only cover wrongful or unauthorized use of PII. A policyholder with such a policy may face challenges to coverage for a lawsuit brought where wrongfully obtained PII has not yet been misused. As always, however, the golden rule of insurance coverage applies—coverage always depends on the specific language of each policy, as even slight variations in language can have a dramatic impact on coverage.
The terms of cyber liability policies are negotiable and coverage can often be expanded by endorsement. Given the possibility of a lawsuit surviving past the pleading stage where PII has been wrongfully accessed or obtained but there is no evidence that the plaintiffs’ PII has yet been misused, a company that maintains a large amount of PII would be well-advised to seek out a cyber liability policy that explicitly covers any failure to secure PII – not just unauthorized use of PII.
Ken D. Kronstadt is with Kelley Drye & Warren LLP, Los Angeles, CA.