In a pair of recent decisions, Kuhns v. Scottrade, Inc. and Alleruzzo v. SuperValue, Inc., the Eighth Circuit further defined the contours of what allegations will satisfy Article III standing in that circuit when applying future harm analysis to claims resulting from a data breach. As the Supreme Court stated in Spokeo v. Robins, 136 S. Ct. 1540 (2016), and Clapper v. Amnesty Int’l, USA, 133 S. Ct. 1138 (2013), a plaintiff has the burden of demonstrating (i) an injury in fact that is particularized and concrete; (ii) that is fairly traceable to the challenged conduct of the defendant; (iii) that is likely to be redressed by a favorable judicial decision; and, with respect to a claim grounded in future harm, (iv) that is actual or imminent, not conjectural or hypothetical.

In Scottrade, the plaintiff alleged that Scottrade breached the privacy statement of its brokerage agreement as it related to the protection of personal identifying information by failing to implement reasonable safeguards to protect such information from third parties. While the court ultimately dismissed the complaint based on plaintiff’s failure to set forth a viable claim for relief, in that the complaint did not allege, among other things, a breach of any specific contractual provision, the court stated that the inquiry into the threshold issue of standing was independent of the merits of the complaint. In that regard, the court found sufficient to establish an injury in fact the allegations that a portion of the fees paid by plaintiff was allocated to fulfilling Scottrade’s contractual obligation to protect personal identifying information, and that Scottrade breached that obligation when it allegedly failed to provide data security services, leaving the plaintiff with brokerage services of lesser value than what he paid for. The difference between what the plaintiff paid and the value of the services plaintiff received reflected his actual economic injury, satisfying Article III standing requirements, the court found.

In SuperValue, the retailer suffered two data breaches in short succession in 2014 that may have resulted in the theft of its customers’ credit card information. Other than information specifically relating to the credit cards (i.e., account numbers, expiration dates and personal identification numbers), no other personal information was acquired by third parties. Thereafter, 16 plaintiffs filed a class action lawsuit, with only one alleging that following the breach his credit card was fraudulently used, while the other class plaintiffs alleged that the theft of their credit card information placed them at risk for identity theft in the future.

For the 15 plaintiffs who did not allege the fraudulent use of their credit cards as a result of the breach, only that they were at risk of identity theft, the court in SuperValue found they had failed to satisfy Article III standing because they did not demonstrate that they face a “certainly impending” or “substantial risk” of identity theft. The court noted that “although others have ruled that a complaint could plausibly plead that the theft of a plaintiff’s personal or financial information creates a substantial risk that they will suffer identity theft sufficient to constitute a threatened injury in fact, we conclude that plaintiffs have not done so here.” Importantly, in the absence of the theft of any other data elements, such as social security numbers, birth dates or driver’s license numbers, the court found there was little to no risk that the stolen credit card information would be used to open unauthorized accounts under the plaintiffs’ names, resulting in the theft of their identity. In other words, the misappropriation of credit card information, without more, is generally insufficient to create new accounts under a person’s name, rendering their claims too speculative to give them standing.

With respect to the single plaintiff in SuperValue, who alleged that his credit card had been fraudulently used, the court found he had suffered an actual injury, which was sufficient to demonstrate he had standing, allowing the class action lawsuit to proceed.

While the inclination by some will be to interpret the Eighth Circuit’s decisions in Scottrade and SuperValue as a rejection of standing based on data breaches that may result in future harm, aligning itself with the Fourth Circuit and, arguably, the Second Circuit, which have rejected as too speculative claims based on data breaches without any alleged or demonstrable actual injury, it is unclear whether the Eighth Circuit would have found a lack of standing if the breach included the acquisition of social security numbers, birth dates and other data elements that could be used to steal a person’s identity. Accordingly, a more restrained interpretation that limits the import of the court’s decisions to their facts may be appropriate until the court has an opportunity to address a class action lawsuit that involves a data breach that implicates data elements that can more clearly be used for identity theft.

Nevertheless, assuming the Eighth Circuit’s decision is counted among the circuit courts that have found allegations of future harm are insufficient to satisfy Article III standing, the ledger among the circuits reads as follows: 

  • Allegations of risk of future harm sufficient to satisfy Article III standing:
    • D.C. Circuit, Chantal Attias et al. v. CareFirst Inc. et al. (2017)
    • Third Circuit, In re Horizon Healthcare Services Data Breach Litigation (2017)
    • Sixth Circuit, Galaria v. Nationwide Mutual Insurance Company (2016)
    • Seventh Circuit, Remijas v. Neiman Marcus Grp. (2015)
    • Eleventh Circuit, Resnick v. Avmed (2012)
    • Ninth Circuit, Krottner v. Starbucks Corp. (2010)
  • Allegations of risk of future harm insufficient to satisfy Article III standing:
    • Fourth Circuit, Beck v. McDonald (2017)
    • Whalen v. Michaels Stores (2d Cir. 2017) (The holding in Michaels may be best read as limited to its facts, as there were no damages suffered, no risk of future harm and no personal data beyond information relating to the Michaels charge card stolen, leaving the possibility that a more expansive breach involving more personal data elements might lead to a different result.)
    • Eighth Circuit, Kuhns v. Scottrade, Inc. and Alleruzzo v. SuperValue, Inc. (2017)

For those circuit courts that have found future risk of harm, including identity theft and fraudulent charges, sufficient at the pleading stage to satisfy Article III standing, the issue distills to whether the complaint plausibly alleges there is a substantial risk of identity theft (or other harm) due to the defendant’s negligence. For these courts, the prevailing reasoning for finding concrete and particularized harm in data breach cases has been expressed as follows:

“It is much less speculative – at the very least, it is plausible – to infer that [the hacker] has both the intent and ability to use that data for ill.” … “Why else would hackers break into a … database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later to make fraudulent charges or assume those customers’ identity.” Chantal Attias et al. v. CareFirst Inc. et al.

More extensive, prior discussions of a number of the circuit cases discussed above can be found here (3rd, 4th and 7th Circuits), here (2nd Circuit) and here (4th Circuit).