The Fourth Circuit recently issued its first opinion addressing the issue of standing for data breach claims in Beck v. McDonald. The opinion raises several interesting points for practitioners.
Background
The Beck opinion addressed two consolidated cases against the Secretary of Veterans Affairs and officials of a Veterans Affairs hospital. One case stemmed from the theft of a laptop containing unencrypted personal information, while the other originated from the disappearance of four boxes of pathology reports. The plaintiffs asserted claims under the Privacy Act of 1974 and the Administrative Procedure Act, and alleged that their injury-in-fact consisted of: (1) the increased risk of future identity theft and (2) the costs they incurred to protect against that risk.
The district court dismissed the claims for lack of subject-matter jurisdiction. Defendants renewed a previous motion to dismiss for lack of subject-matter jurisdiction and moved for summary judgment after plaintiffs moved for class certification and partial summary judgment.
The court affirmed the dismissal of plaintiffs’ claims for lack of Article III standing. The court found that the threat of identity theft stemming from these breaches was too speculative to establish an injury-in-fact for these claims.
The court acknowledged that the threat of future harm could establish injury-in-fact, and justify incurring costs to protect against that harm, if the threat was imminent. However, the threat in Beck was too speculative. The court refused to assume, absent specific factual allegations or evidence, that (1) the thieves who stole equipment and documents containing personal information targeted those items for the personal information they contained, (2) the named plaintiffs’ information would be selected for identity theft from the data of thousands of individuals, or (3) that the named plaintiffs’ identities would be successfully stolen. Hence the court held that the plaintiffs could not establish standing under Clapper v. Amnesty International USA.
Passage of Time and Imminence of Harm
In finding that the threat of harm was not sufficiently imminent, the court relied in part on the amount of time elapsed since the breaches, which was approximately two years. The court noted that any claim of harm arising from a breach will become more speculative “as the breaches fade further into the past.” The passage of two years between the breach and the court’s consideration of standing without any demonstrated instances of identity theft indicated a more speculative risk of harm.
Evidence of Harm at Summary Judgment
Because the standing question in Beck arose at summary judgment, the parties had already conducted extensive discovery on the issue of injury-in-fact. Even with the advantage of discovery, the court found that plaintiffs had been unable to establish a single instance of identity theft. This also made their claim of increased risk of identity theft too speculative.
The Fourth Circuit also used the plaintiffs’ inability to produce evidence of identity theft to reconcile its holding with Sixth, Seventh and Ninth circuit cases holding that an increased risk of identity theft alone constitutes injury-in-fact. Those cases were considered at the motion to dismiss stage, where the courts accepted allegations of imminent harm as true. The Beck plaintiffs, by contrast, had ample opportunity to produce evidence of injury-in-fact through discovery conducted in advance of the summary judgment motion. Their inability to do so weighed against finding an imminent threat of identity theft.
Relevance of Defendant’s Offering of Free Credit Monitoring Reports
Plaintiffs also argued that they had standing because of a substantial risk of harm indicated in part by defendants’ offer of free credit monitoring to breach victims and expenditures to mitigate harms. The court rejected those arguments and specifically stated that offering free credit monitoring reports does not help establish injury-in-fact. That holding contrasts with Sixth and Seventh Circuit precedent, but aligns with the Third Circuit’s recent In re Horizon Healthcare Servs. Inc. Data Breach Litig. opinion.
The Beck court was concerned that following the Sixth and Seventh Circuits would discourage breached entities from offering protective services to breach victims. It also noted that while free credit monitoring offers might indicate a reasonable risk of harm, they do not establish the imminent threat required to establish injury-in-fact.
Beck offers several key takeaways for practitioners. The court’s reliance on the passage of time to defeat standing creates an incentive for plaintiffs to act quickly to avoid questions on the imminence of alleged harms. However, Beck also indicates that defendants can raise or revive standing arguments when discovery indicates there is no threat of harm. This should incentivize defendants to mitigate post-breach harms, especially since Beck indicates such efforts will not necessarily establish standing.