Two federal circuits considered Article III standing related to claims for data breaches, splitting their decisions and causing a ripple in the future of standing related to data privacy litigation. The two circuits contemplated the issues by analyzing different factors and ultimately reached divergent conclusions, sowing doubt into the future ability of an individual or a class to establish standing for a data breach damages claim.
In TransUnion, LLC v. Ramirez, the U.S. Supreme Court in 2021 considered an individual’s ability to bring a data breach claim. The Court held that the defendant’s alleged actions that “deprived [the plaintiffs] of their right to receive information in the format required by statute” were not sufficient to show the required concrete injury needed to bring a claim. In essence, the Court struck down the claim for injury, finding that the plaintiffs lacked standing. In rendering its decision, the Court concluded “no concrete harm, no standing,” reminding that Article III standing requires a “concrete harm” and that a given plaintiff must demonstrate standing with respect to each claim asserted.
Since the Court’s TransUnion decision, lawyers and courts have grappled with what is required to show a sufficient, concrete injury that will survive dismissal and provide standing for an individual or company in a data breach case. Two federal appellate courts, however, have interpreted the TransUnion rule differently.
In Webb v. Injured Workers Pharmacy, LLC, the U.S. Court of Appeals for the First Circuit considered an appeal of a lower court’s determination that a class action failed to meet the minimum standing requirement for a case to proceed on the merits. The court took appeal from the U.S. District Court for the District of Massachusetts.
The lower court had dismissed the class action for lack of a concrete injury. It held that the complaint brought by former pharmacy patients alleging their personally identifiable information (PII) was exposed in a data breach affecting more than 75,000 people lacked standing. The lower court reasoned that the named plaintiffs and putative class members were not able to satisfy the injury-in-fact requirement for constitutional standing and therefore their claims must be dismissed. At the time, the plaintiffs claimed they suffered from several ailments including anxiety, sleep disruption, stress, and fear, and had lost considerable time and spent significant effort in monitoring their accounts.
In rendering its decision, the lower court determined that the plaintiffs had failed to demonstrate any identifiable harm and they could not “manufacture standing merely by inflicting harm on themselves based on . . . hypothetical future harm.” On appeal, the First Circuit reversed, parsing the opinion to find a concrete injury for standing in the context of a data breach that posed threats to the plaintiffs’ privacy of their personally identifiable information. The First Circuit concluded that the “complaint’s plausible allegations of actual misuse of [the plaintiffs’] stolen PII to file a fraudulent tax return [was] sufficient to state a concrete injury.”
In a further step, the First Circuit held that actual misuse of PII is itself a concrete injury, even absent direct harm to an individual, and a plaintiff need not make a showing of monetary damages to survive a motion to dismiss based on lack of standing. To that end, the First Circuit held that “the complaint plausibly alleges a concrete injury in fact based on the material risk of future misuse of the plaintiff’s PII and a concrete harm caused by exposure to this risk.” In sum, the First Circuit concluded that a possible, future injury remained sufficient for meeting the standing requirements in a data breach case.
In contrast to the First Circuit’s opinion, the U.S. Court of Appeals for the Seventh Circuit recently affirmed a lower court’s dismissal of a data breach class action claim where an unauthorized disclosure of driver’s license numbers occurred. In Baysal v. Midvale Indemnity Company, the Seventh Circuit held that the plaintiffs had failed to demonstrate a concrete injury that could be tied to the disclosure of their driver’s license numbers, failing to the meet the requirements for proper Article III standing.
The underlying claim stemmed from an auto insurance company’s creation of an “instant quote” on its website. Individual customers could utilize these website features using their basic identifying information and they would in turn receive a quote for auto insurance. At times, the website features would autofill some information, including an individual’s driver’s license number. As a result, customers could utilize these driver’s license lookup functions to retrieve others’ personally identifiable information in the form of driver’s license numbers.
At some point after its inception, the insurer removed the autofill function from its website after unusual activity suggested misuse by users. The insurer also notified the affected individuals whose information had been improperly disclosed. In response, three individual customers filed a class action lawsuit based on the federal Driver’s Privacy Protection Act.
The lower court held that the three plaintiffs failed to show a concrete injury that could be linked back to the insurer’s disclosure of the personally identifiable information. On appeal, the plaintiffs argued that the disclosure of their personally identifiable information caused them to worry and become anxious, as well as to take steps to pay for credit monitoring. Two of the plaintiffs also argued that illegitimate unemployment claims had been filed in another jurisdiction in their names.
The Seventh Circuit disagreed with the plaintiffs’ contention, holding that worry and anxiety are not the kind of concrete injury that is required by Article III when bringing a claim for data breach. Moreover, the appellate court held that costs associated with credit monitoring were unfounded because a driver’s license number cannot be utilized to obtain credit in another individual’s name. Further, the appellate court held that the plaintiffs’ complaint failed to detail the harm that came from the insurance claims or how knowledge of a driver’s license number could create the kind of fraud they alleged. In sum, the court held that the plaintiffs failed to allege that the insurer’s disclosure of the plaintiff’s driver’s license numbers caused them any injury.
Some ABA Litigation Section leaders consider the circuit split to be one that will affect courts nationwide. “Lower courts remain fractured on close questions of standing, no matter what the context. The test announced in the Supreme Court’s TransUnion decision requires lower courts to analyze modern-day injuries in terms of their relationship to longstanding torts. Plainly there was no such thing as a data breach in ancient common law, which makes these cases difficult,” says Mark E. Rooney, Washington, DC, cochair of the Litigation Section’s Consumer Litigation Committee.
Section leaders also caution that the Supreme Court is not likely to wade into these circuit split waters regarding data breach in the coming few terms. “Clearly the First Circuit took a much more expansive view of TransUnion than the Seventh Circuit, which I think represents the difference one occasionally sees between circuits as to adequacy of pleading cases generally, rather than irreconcilable differences between the approaches of the two courts,” suggests Robert J. Will, St. Louis, MO, Litigation Section Division V director.
“Because the data breach cases are so fact specific, small factual differences can make a huge difference, as can how they are alleged in a complaint. I think circuit splits are more properly identified as viewing two very similar fact presentations and reaching opposite results based on interpretation of prior precedent,” Will continues. “The precedent in TransUnion perhaps was not as precise as the Seventh Circuit majority would suggest. I think TransUnion in some respects invites a bit of variability in the interpretation of the rule in light of pleading standards under the Federal Rules of Civil Procedure and thus invites a bit of latitude in results,” he explains.
Clarity on the precise parameters of data breach standing may still be well into the future. “Only time will tell if a consensus is reached as to what does and does not establish standing under the TransUnion standard for data breach cases. But I would not hold my breath expecting the Supreme Court to address this issue again any time soon,” concludes Will.
Section leaders also note that the outcomes in these two cases rest on different sets of facts. “Baysal turned on a lack of plausible allegations connecting the alleged data breach with the supposed harm, as well as the ready availability and relative uselessness of drivers’ license information, to conclude there was no harm,” notes Jeanne M. Huey, Garland, TX, cochair of the Section’s Ethics & Professionalism Committee. “Webb was based on the exposure of important and confidential information like Social Security numbers along with more plausible allegations of resulting misuse. The different outcomes were based on the facts in each case, not on a different application of the legal principles,” she adds.
Further, Section leaders point to the court’s factual applications to the standard to find different ways these two cases could have changed. “Most of the consumer-plaintiff standing cases these days are highly fact-sensitive, and these two decisions are no exception,” suggests Rooney. “If Webb did not experience a fraudulent tax return, the case might turn out differently. The court leans heavily on the presence of ‘some actual misuse’ of the breached data. That phrase does a lot of work in the Webb opinion,” he observes.
Other Section leaders consider different approaches the courts could have taken in rendering their decisions. “I’m not certain that the decisions in Baysal and Webb aren’t reconcilable even though they reached different outcomes. In Baysal, the allegedly stolen data was not the result of an organized theft. Instead, it resulted from a user putting a name and address into a website, which then exposed the driver’s license number for the person associated with that information, even if it wasn’t the person inputting the information,” explains Emily J. Kirk, Edwardsville, IL, Litigation Section Division V director. “The court focused on the fact that drivers’ license numbers aren’t sensitive information like Social Security numbers, and there was no evidence they could be used to steal someone’s identity. If the website had instead flashed Social Security numbers instead of drivers’ license numbers, perhaps the Baysal court would have reached a different result,” she concludes.
Section leaders acknowledge that the circuit split will impact data breach litigation going forward. Will suggests that skilled and experienced litigators need to be considered for privacy and data security breach cases especially where a plaintiff’s “main damage is fear of what could happen,” because neither the First Circuit’s nor the Seventh Circuit’s decision offers “much hope at establishing standing for a private cause of action under the TransUnion standard.”
Rooney suggests that the focus should turn to companies at risk of such data breaches. “Companies suffering a data breach should focus on one thing—the goodwill of its customers. You should contact counsel to make sure you abide by all data-breach notice requirements without opening yourself up to additional risk. Some consumer litigation is probably inevitable, but hitting the issues head-on is a good first step in stanching a flood of lawsuits,” he adds.
Kirk believes that data breach cases will turn on specific sets of facts going forward. “Courts [are] taking different views of factual allegations . . . [creating] trickier issues coming out of these cases. Standing exists when victims of data breaches have had their information stolen, but not yet used,” Kirk notes.
Companies should not delay in telling consumers of the potential breach, adds Huey. “One important factual difference was the promptness of disclosure to the affected parties. The Webb defendant’s delay in notifying customers substantially increased the risk that the information would be misused and partially justified the reactions of the customers in terms of credit monitoring and simple worry. Nothing good comes of hiding a data breach from customers or clients because sooner or later they will find out, and if they find out later, they have less opportunity to mitigate any harm,” she suggests.
