On February 6, 2017, the Fourth Circuit Court of Appeals weighed in on what has become a nagging issue involving a plaintiff’s standing to bring a lawsuit relating to a data breach when personal information has been compromised (an issue which we recently noted here). The matter, Beck v. McDonald (No. 15-1395 (4th Cir. 2017)) involved two consolidated appeals (with the lead Plaintiffs named Beck and Watson) in which the Plaintiffs, veterans who received medical treatment and health care at the William Jennings Bryan Dorn Veterans Affairs Medical Center in Columbia, South Carolina, brought separate actions against the Secretary of Veterans Affairs and medical center officials, alleging violations of the Privacy Act of 1974 and the Administrative Procedure Act, after their personal information was lost or stolen. In determining that the Plaintiffs did not have standing to pursue their claims, the Fourth Circuit engaged in a thoughtful analysis of some of the issues which have recently arisen in the area of data breach standing, and in doing so, made some interesting findings along the way.
The Beck case arose from a report that in February, 2013 that a laptop containing the unencrypted personal information (including names, birth dates, the last four digits of social security numbers, and physical descriptors such as age, race, gender, height, and weight) of approximately 7,400 patients was misplaced or stolen. While the Beck case was pending, the Watson case arose, based upon the medical center’s July 2014 discovery that four boxes of pathology reports headed for long-term storage had been misplaced or stolen. The reports contained identifying information of over 2,000 patients, including names, social security numbers, and medical diagnoses. The Watson plaintiffs sued under similar a similar theory as the Beck plaintiffs. In both cases, the Plaintiffs sought to establish Article III standing based on the “harm” of increased risk of future identity theft, and the cost of measures to protect against it. The District Court dismissed the actions for lack of subject-matter jurisdiction, holding that the Plaintiffs failed to establish a non-speculative, imminent injury-in-fact for purposes of Article III standing. All Plaintiffs appealed the District Court’s ruling to the Fourth Circuit Court of Appeals.
Before turning the merits of the matter, the Fourth Circuit noted that its analysis would be pursuant to the “threatened injury” theory for Article III standing as set forth in Clapper v. Amnesty International USA, 568 U.S. __ (2013), as opposed to the analysis undertaken in perhaps the most well-known data breach standing case, Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1548 (2016). In Spokeo, the Supreme Court addressed the question of if a plaintiff’s allegation that a defendant violated a statute, in-and-of-itself, could give rise to the injury-in-fact in fact necessary for Article III standing (Spokeo involved allegations that the defendant published false information about the plaintiff on the internet in violation of the Fair Credit Report Act). The Supreme Court explained in Spokeo that a bare procedural violation, divorced from any concrete harm, is insufficient to establish standing. However, since the Beck and Watson cases both involved allegations beyond that of just a statutory violation, the Fourth Circuit applied the Clapper analysis. In Clapper, the Supreme Court held that claims of future injury could only satisfy the Article III standing requirement if the injury was “certainly impending” or if there was a “substantial risk” that the harm was going to occur, and not just a “highly attenuated chain of possibilities.”
With the standard settled, the Fourth Circuit noted the circuit split on whether a plaintiff may establish an Article III injury-in-fact based on an increased risk of future identity theft. In particular, the Sixth, Seventh, and Ninth Circuits have all recognized, at the pleading stage, that plaintiffs can establish an injury-in-fact based on threatened injury. See Galaria v. Nationwide Mut. Ins. Co., No. 15-3386, 2016 WL 4728027, at *3 (6th Cir. Sept. 12, 2016); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 692, 694– 95 (7th Cir. 2015); Krottner v. Starbucks Corp., 628 F.3d 1139, 1142–43 (9th Cir. 2010) and; Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 632–34 (7th Cir. 2007). By contrast, the First and Third Circuits have rejected the notion that such allegations are sufficient at the pleading stage. See Katz v. Pershing, LLC, 672 F.3d 64, 80 (1st Cir. 2012) and Reilly v. Ceridian Corp., 664 F.3d 38, 40, 44 (3d Cir. 2011). Naturally, the Beck Plaintiffs attempted to rely on the holdings of Galaria, Krottner, Pisciotta and Remijas to support their allegations of standing based on threatened injury of future identity theft.
The Court rejected the Plaintiffs’ reliance on the Sixth, Seventh, and Ninth Circuit decisions, and in doing so, actually found that the specific facts of those cases undermined Plaintiffs’ argument. In particular, the Fourth Circuit noted that each of those cases involved common allegations that sufficed to push the threatened injury of future identity theft beyond the speculative to the sufficiently imminent because the data thieves in those cases intentionally targeted the personal information compromised in the data breaches. No such claims were made in the case before the Fourth Circuit. That in turn, according to the Court, rendered Plaintiffs’ contention of an enhanced risk of future identity theft too speculative. On that point, the Court reasoned that data breaches in Beck and Watson occurred in February 2013 and July 2014, respectively; yet, even after extensive discovery, the Beck Plaintiffs uncovered no evidence that the information contained on the stolen laptop has been accessed or misused or that they have suffered identity theft, nor, for that matter, that the thief stole the laptop with the intent to steal their private information (that finding by the Court was interesting, as it seemed to push the analysis more towards a summary judgment standard, as opposed one which would be ripe on a motion to dismiss). The Court further noted that Watson’s complaint suffered from the same deficiency with regard to the four missing boxes of pathology reports.
The Court went on to explain that “as the breaches fade further into the past,” the Plaintiffs’ threatened injuries become more and more speculative, and that for the Plaintiffs to suffer the harm of identity theft that they fear, the Court would have to engage in the same “attenuated chain of possibilities” rejected by the Supreme Court in Clapper. To that point, the Court would have to assume that a thief targeted the stolen items for the personal information they contained, and then, must further assume that in both cases, the thieves selected, from thousands of others, the personal information of the named Plaintiffs and attempted successfully to use that information to steal their identities. The Court refused to make those assumptions and found that such an “attenuated chain” could not confer standing.
With the Court’s analysis of whether the Plaintiffs’ alleged standing based upon the increased risk of future identity theft complete, it continued its standing inquiry by noting that it could also find standing based on a “substantial risk” of harm that prompts a party to reasonably incur costs to mitigate or avoid that harm (this standard was also set forth in Clapper). Here, the Plaintiffs alleged that there was a “substantial risk” that the harm would occur because (i) 33% of health-related data breaches result in identity theft, (ii) the Defendants expend millions of dollars trying to avoid and mitigate those risks, and (iii) by offering the Plaintiffs free credit monitoring, the Defendants effectively conceded that the theft of the laptop and pathology reports constituted a “reasonable risk of harm to those victimized” by the data breaches. The Fourth Circuit rejected Plaintiffs’ argument, noting that even if Plaintiffs’ statistics were credited, over 66% of veterans affected will suffer no harm, which falls far short of establishing a “substantial risk” of harm.
In addition, the Fourth Circuit, contrary to some other circuits (including the Galaria and Remijas) Courts, declined to infer a substantial risk of harm of future identity theft from an organization’s offer to provide free credit monitoring services to affected individuals, reasoning that adopting such a presumption would discourage organizations from offering these services to data-breach victims. Finally, the Court addressed the Plaintiffs’ allegation that they suffered an injury-in-fact because they have incurred or will in the future incur the cost of measures to guard against identity theft, including the costs of credit monitoring services. That argument was summarily rejected, as even if Plaintiffs did or would incur such costs, those costs would be incurred as the result of a speculative threat,” which is nothing more than “a repackaged version of Plaintiffs’ first failed theory of standing.” Simply put, the Court noted, self-imposed harms cannot confer standing.
The Fourth Circuit’s opinion in Beck was well-reasoned and reflects a growing trend in the Court’s that just having personal information compromised is not good enough to confer standing to sue. Indeed, some facts must be alleged which make it reasonable to believe that harm will actually occur. Although the Circuit split remains, it seems likely that as the case law evolves, the Fourth Circuit’s analysis will become the predominant way that courts look at this issue. And of Course, the Supreme Court can always resolve the split if a suitable case comes before it.