Article III Standing for Risk of Future Harm
For years, standing has been one of the most critical issues facing plaintiffs in data breach and privacy litigation. Indeed, in many cases, the primary harm that plaintiffs suffer from having their information compromised in a data breach is the risk of future harm.
Courts across jurisdictions have appeared to differ as to whether the risk of future harm constitutes an injury in fact sufficient for Article III standing, but the general trend in recent years has been a move toward finding standing. However, this trend has not been completely uniform, and some circuit courts have still found the risk of future harm insufficient for standing in some cases.
In April 2021, the U.S. Court of Appeals for the Second Circuit issued its opinion in McMorris v. Carlos Lopez & Associates, LLC, which seeks to reconcile and unify this body of law. 995 F.3d 295 (2d Cir. 2021). The Second Circuit held that, despite appearances, there really is not a circuit split on whether plaintiffs can establish standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of their data. Instead, whether the plaintiff in a data breach case can establish an injury in fact based on the increased risk theory is a fact-specific issue informed by at least three factors: (1) whether the data at issue has been compromised as the result of a targeted attack intended to obtain the plaintiff’s data, (2) whether the plaintiff can show that at least some of the compromised data has been misused, and (3) whether the type of data at issue is likely to subject the plaintiff to a perpetual risk once exposed.
While it is not clear whether the other federal circuits will follow the McMorris model, at least one has shown a willingness to do so. Specifically, in Shiyang Huang v. Equifax, Inc., the U.S. Court of Appeals for the Eleventh Circuit indicated that the McMorris test aligns with its own prior holdings analyzing standing in data breach cases. 999 F.3d 1247 (11th Cir. 2021). District courts in the Eleventh Circuit have subsequently applied factors that mirror the McMorris test, but citing to both McMorris and Eleventh Circuit precedent. See, e.g., Cotter v. Checkers Drive-In Rests., Inc., No. 8:19-cv-1386-VMC-CPT, 2021 U.S. Dist. LEXIS 160592 (M.D. Fla. Aug. 25, 2021).
Subsequent to McMorris, the U.S. Supreme Court issued its opinion in TransUnion LLC v. Ramirez, the holding of which addresses standing for alleged privacy violations. 141 S. Ct. 2190 (2021). In TransUnion, a class of 8,185 plaintiffs alleged that the credit reporting agency did not use reasonable procedures to ensure the accuracy of class member credit files, in violation of the Fair Credit Reporting Act. Id. at 2197. Of the class members, 1,853 members’ incorrect credit reports were actually provided to a third party, but the remaining 6,332 members’ information was not.
The Court found that the 6,332 class members whose incorrect credit reports were not given to a third party only had a theoretical risk of future harm that was not sufficiently concrete or materialized for purposes of Article III standing. Specifically, the Court explained that these class members failed to present evidence that they “suffered some other injury (such as an emotional injury) from the mere risk that their credit reports would be provided to third-party businesses.” Id. at 2211. The Court analogized the bare procedural claim to “the mere existence of inaccurate information in a database,” which, without further disclosure, is not a concrete injury. Id. at 2209. Thus, the Court left open the question of whether data breach plaintiffs can have standing without monetary harm, but it is clear that plaintiffs using the imminent risk theory must provide evidence that the risk of harm has materialized in some fashion. At the end of the day, the determinative factors depend on context: the nature of the data breach and whether there is a materialized risk of harm.
To date, only a handful of courts have applied TransUnion in the data breach context. For example, in Cotter v. Checkers Drive-In Restaurants, Inc., the U.S. District Court for the Middle District of Florida held that TransUnion did not preclude plaintiffs from seeking compensatory damages in a case involving a breach of the restaurant’s point-of-sale system. 2021 U.S. Dist. LEXIS 160592. The court distinguished the case from TransUnion on two grounds: (1) TransUnion was a suit for statutory as opposed to compensatory damages, and (2) TransUnion was decided at a phase in the litigation in which the court had the benefit of the facts, or lack thereof, rather than at the pleading stage. Thus, rather than reject the TransUnion or McMorris framework, the Cotter court essentially embraced them both in finding that there was standing based on a risk of future harm.
Circuit and district courts may very well interpret the above cases differently, requiring litigants to assess jurisdictional differences. Going forward, however, data breach litigants should take note of these developments when drafting both complaints and motions to dismiss.
Attorney-Client Privilege and Forensic Investigations
When a company discovers that it has suffered a data breach, one of its first steps is often engaging an outside forensic vendor to investigate the cause of the breach, assess whether personal information was compromised, and confirm that the malicious actor is out of the system. This vendor is typically engaged by outside counsel, who guide the company through the investigation and use the resulting report to assess potential legal obligations and liabilities.
Courts generally have appeared willing to find that large portions or all portions of the investigation were privileged. However, a high-profile case in 2020 questioned whether that trend was turning. See In re Capital One Consumer Data Sec. Breach Litig., MDL No. 1:19md2915 (AJT/JFA), 2020 U.S. Dist. LEXIS 112177 (E.D. Va. June 25, 2020). In 2021, we saw more courts chip away at work-product doctrine and attorney-client privilege protections in cases involving investigative reports.
For example, in Wengui v. Clark Hill, PLC, a client sued his former law firm after its database was breached and his information was publicly disseminated. 338 F.R.D. 7 (D.D.C. 2021). The firm’s counsel employed a cybersecurity provider to investigate and remediate the breach. The plaintiff moved to compel the production of “all reports of its forensic investigation into the cyberattack” that led to the public dissemination of the plaintiff’s confidential information. Id. at 9 (quoting ECF No. 25-1 (Mot.) at 3). The firm argued that the report produced by the third-party provider was protected by the work-product doctrine and attorney-client privilege.
Similarly, in In re Rutter’s Data Security Breach Litigation, a convenience store’s payment processing system was potentially compromised. 511 F. Supp. 3d 514 (M.D. Pa. 2021). The company retained counsel after learning of the potential breach, and the law firm hired a third-party provider to conduct a forensic analysis and determine the scope and character of the breach. The plaintiffs in the litigation sought to compel production of the investigative report, and the defendant argued that the materials were protected by the work-product and attorney-client privilege doctrines.
In both cases, the federal district courts held that neither the work-product doctrine nor the attorney-client privilege necessarily protected the investigative reports generated by the defendants in the wake of a data breach.
With respect to the work-product doctrine, the courts focused on the fact that the protection does not apply to documents prepared by lawyers in the ordinary course of business or for other nonlitigation purposes. Thus, even where a document is prepared because of the prospect of litigation, if a substantially similar document would have been prepared in the absence of litigation (i.e., in the ordinary course of business) or if the document is used for a range of nonlitigation purposes, then the document is not protected. For example, in Wengui, the cybersecurity provider’s work was performed for “business continuity” purposes, id. at 11, so the work-product doctrine did not apply. Similarly, the Rutter’s court found that the primary motivation for creating the investigative report was not the “unilateral belief” that litigation would result; it was to determine whether a data breach had occurred. Without knowing whether a breach had occurred, the court reasoned, the defendant could not have unilaterally believed that litigation would result at the time that the investigation was ordered.
With respect to the attorney-client privilege, the courts appear to be signaling a narrower approach based on the nature of forensic investigations as understood by the courts. Specifically, the courts have stressed that such reports do not fit the definition of what attorney-client privilege protects—that is, confidential communications between attorney and client made for the purpose of obtaining or providing legal advice. Rather, reports tend to be communications between the attorney and an outside consultant relating to cybersecurity advice, not legal advice. Indeed, in Rutter’s, the court stressed that the communications between the expert and the company were factual in nature and did not include legal input.
The recent trend regarding privilege over forensic reports is certainly not absolute. There are many cases that serve to bolster claims of privilege, and companies can take various steps to strengthen such claims. Nonetheless, it is an issue that companies should proactively consider both before and after breaches occur.
BIPA Developments
Over the past year, there has been a continued explosion of case filings alleging violations of the Illinois Biometric Information Privacy Act (BIPA). Under BIPA, companies must follow certain requirements in how they handle Illinois consumers’ biometric information, such as notice and consent rules and a prohibition on the sale of biometric information. BIPA also includes a private right of action with statutory damages. In 2021, two important issues with significant impacts on total damages were debated and (sometimes) clarified in the case law: the applicable statute of limitations and whether an individual suffers a new violation for each collection.
Generally, Illinois’s statute of limitations for “violating the right to privacy” is one year, whereas the catchall statute of limitations is five years. BIPA is silent regarding its statute of limitations, but the Illinois First Circuit’s decision in Tims v. Black Horse Carriers, Inc. provides some clarity. 2021 IL App. (1st) 200563 (Sept. 17, 2021). Claims brought under sections 15(a), (b), and (e)—which require companies to have a publicly available policy, reasonably safeguard biometric data, and obtain informed consent prior to collecting biometric identifiers—have a five-year statute of limitations. On the other hand, claims brought under sections 15(c) and (d)—which prohibit profiting from, using, and disclosing biometric data—are subject to a one-year statute of limitations. Thus, depending on the alleged violation, the scope of damages “in play” may vary significantly.
Another case that will greatly impact the scope of damages under BIPA is Cothron v. White Castle System, Inc., which addresses whether violations of BIPA accrue each time the law is violated or if only the first violation constitutes the claim. No. 20-3202, 2021 U.S. App. LEXIS 37593 (7th Cir. Dec. 20, 2021). For example, the collection of fingerprint scans for timekeeping purposes without prior written consent is a frequent source of BIPA litigation. Whether or not a violation accrues on each scan can be the difference between one violation per employee or thousands per employee. Accordingly, the resolution of this issue will impact the potential damages on the scale of billions of dollars. On December 20, 2021, the U.S. Court of Appeals for the Seventh Circuit certified the accrual issue to the Illinois Supreme Court.