We don’t see a lot of data breach litigation here in the Fourth Circuit, so it is notable that the Fourth Circuit Court of Appeals issued an opinion recently that weighs in on the standing debate (For more on the debate: Constitutional Standing Provides Fertile Battleground In Data Breach Litigation). In Beck v. McDonald, the plaintiffs in two consolidated cases sought to establish Article III standing based on the harm from embarrassment, mental distress, inconvenience, the increased risk of future identity theft and the cost of measures to protect against it after (i) a laptop containing their personal information was stolen and (ii) four boxes with pathology reports went missing.
The Fourth Circuit affirmed the dismissal for lack of subject-matter jurisdiction based on the plaintiffs’ failure to establish a non-speculative, imminent injury-in-fact for purposes of Article III standing. Although the court recognized that risk of future harm through identity theft could establish a concrete harm, that risk has to be substantial and the identity theft “certainly impending.” The procedural posture of the case helped the defendants here. Discovery showed that even two years after the alleged breach, the plaintiffs could not show that the information on the laptop was misused or accessed, that the thief stole the laptop with the intent to use the plaintiffs’ private information, or that any identity theft occurred as a result of the theft. The passage of time since the theft was a factor as well. The court noted that “’as the breaches fade further into the past,’ the Plaintiffs’ threatened injuries become more and more speculative” and their ability to prove a concrete injury less likely. Relying on the U.S. Supreme Court’s decision in Clapper, the Fourth Circuit found that for plaintiffs’ feared harm to happen, too many possibilities would have to occur: “that the thief targeted the stolen items for the personal information they contained … [and that] the thieves must then select, from thousands of others, the personal information of the named plaintiffs and attempt successfully to use that information to steal their identities.” The Fourth Circuit held that this “attenuated chain” was insufficient to confer standing. Likewise, plaintiffs’ statistical analysis that one-third of health-related data breaches result in identity theft was insufficient to show a substantial risk that plaintiffs would suffer identity theft. As a result, plaintiffs’ mitigation costs (i.e., credit monitoring) could not confer standing when the risk was not imminent.
This Fourth Circuit decision in Beck is on the heels of the Third Circuit Court of Appeals’ decision on January 20, 2017 in In re Horizon Healthcare Services, Inc. Data Breach Litigation. In Horizon, the plaintiffs, like the plaintiffs in Beck, feared identity theft because their personal information was on two laptops stolen from Horizon, a health insurance company, but had no proof that the personal information on the laptops was used by others to their detriment. Unlike the plaintiffs in Beck, who sued under the Privacy Act and the Administrative Procedure Act, the plaintiffs in Horizon brought their claims under the federal Fair Credit Reporting Act (FCRA). Specifically, the plaintiffs alleged that Horizon was a consumer reporting agency, acted willfully and negligently in failing to adequately protect their information and made prohibited “disclosures” of their information by virtue of the laptops being stolen. The Third Circuit held that the plaintiffs’ allegations that their personal information was “disclosed” were sufficient to create a de facto injury, meeting Constitutional standing requirements, even without any evidence that the personal information was used improperly. Applying the Supreme Court’s decision in Spokeo, the court found that the allegations met the “particularized” injury prong of standing because they alleged disclosure of their own private information.
The real beef concerned whether the alleged injury was “concrete” in addition to particularized. The Third Circuit held that violation of FCRA (in this case) was sufficient to meet the concrete injury prong, even without economic or other tangible harm, because the law was designed to protect the plaintiffs’ personal information and if the allegations of the complaint were true, Horizon violated the statute. In reaching this conclusion, the court pointed to two prior decisions. The first was In re Google Inc. Cookie Placement Consumer Privacy Litigation, in which the Third Circuit held that placement of cookies on users’ browsers violated the Stored Communications Act, among other statutes, and therefore the consumers at issue had standing even though the cookies did not cause any tangible harm. Because the SCA created a legal right, the invasion of the right created standing. The court also cited its 2016 decision in In re Nickelodeon Consumer Privacy Litigation finding standing based on Viacom and Google collecting personal information of consumers who visited their websites, without their consent. The Third Circuit opined that “when it comes to laws that protect privacy, a focus on economic loss is misplaced” and the “unlawful disclosure of legally protected information” is a clear de facto injury. Although recognizing that a “mere technical violation of a procedural requirement of a statute, cannot, in and of itself, constitute an injury in fact,” the court declined to draw a line between a technical violation insufficient to confer standing and a violation that does.
According to the Third Circuit, because Congress prohibited certain conduct by consumer reporting agencies and gave consumers a private cause of action to sue a consumer reporting agency that engages in that prohibited conduct, and because plaintiffs alleged that Horizon was a consumer reporting agency and engaged in that prohibited conduct with respect to their information, the consumers had standing. If the consumers had simply brought a claim under the common law or a statute that did not provide a private right of action for such conduct, the consumers could not establish standing. Also notable was that at least one of the named plaintiffs did experience identity theft, including someone filing a false tax return and stealing his tax refund, although he eventually was paid the refund money.
The Third Circuit decision is somewhat at odds with the Seventh Circuit’s decision in December in Myers v. Nicolet Restaurant. The Seventh Circuit held that a violation of a statute designed to protect consumers against identity theft, without actual harm or any “appreciable risk of harm”, does not confer standing. In Myers, the plaintiff alleged that the restaurant violated FACTA when it did not truncate his credit card’s expiration date on the receipt for his meal. He only sought statutory damages and did not allege any sort of harm, actual or impending. The court emphasized that the plaintiff immediately discovered the violation and no one else saw the non-compliant receipt. Perhaps this is the kind of “technical” violation of a statute that the Third Circuit would find insufficient to confer standing. However, in a footnote, the Seventh Circuit suggested that the plaintiff may have been able to meet the “injury in fact” standard if the non-compliant receipt affected his behavior or created “any appreciable risk that the concrete interest Congress identified [in FACTA] (the integrity of personal identities) would be compromised.”
A few things can account for the differences between the Third Circuit’s opinion in Horizon and the Fourth Circuit’s opinion in Beck. First, in Horizon, the court found that FCRA gives a cause of action to consumers based on the mere unauthorized disclosure of covered information. In Beck, the court noted that the Privacy Act requires actual harm and further declined to decide whether violation of the statute alone can create a de facto injury because the Beck plaintiffs did not assert it. Further, the procedural posture of Beck was different. While in Horizon the court accepted the allegations of the complaint as true for purposes of deciding a motion to dismiss based on lack of standing, the court in Beck did not because the challenge to standing arose in the context of summary judgment—a phase of the case that occurs after discovery of evidence. Finally, the Fourth Circuit attempted to harmonize the decisions from other circuits, such as the Ninth, Sixth and Seventh, where the courts held that fear of future harm arising from identity theft after a data breach was sufficient to confer standing. In those cases, the Fourth Circuit noted, the plaintiffs alleged facts that “push[ed] the threatened injury beyond speculative to sufficiently imminent.” Such facts included that the information stolen was targeted for identity theft or that at least some of the consumers in the plaintiff class actually suffered identity theft or other misuse of their information, making the likelihood of identity theft more real for the other class members. Notably, although not clearly a deciding factor, the Fourth Circuit specifically cited to and relied on the US Supreme Court’s decision in Clapper. The Third Circuit did not.
Although not neatly aligned on what constitutes a concrete harm for standing purposes, the Fourth Circuit and the Third Circuit do align in their disagreement with other courts that infer a substantial risk of harm of future identity theft from an organization’s offer to provide free credit monitoring services to the victims of a breach. Both the Horizon and the Beck courts found that such an inference would unfairly penalize entities trying to extend goodwill when a breach occurs.
It is hard to draw any hard and fast takeaways from the variety of decisions on standing, aside from the unsurprising conclusion that the Fourth Circuit is more aligned with its judicial brethren in the Eleventh Circuit than in the Third, Ninth or Seventh Circuits. The other lesson from Beck is to not give up on a motion to kick the case for lack of standing. Although data breach plaintiffs may survive a motion to dismiss based on lack of standing, they may not fare so well at summary judgment without evidence of some actual harm or a substantial risk that the harm will occur. Also expect plaintiffs’ counsel to get increasingly creative in finding a statute that gives them a cause of action based on a violation of the statute’s provisions alone, even absent actual harm.
With two decades of experience as a practicing attorney, Karin McGinnis, CIPP US, has handled a wide variety of privacy and data security matters for her clients, with a special emphasis on privacy and data security issues in the workplace. Ms. McGinnis’ privacy and data security experience includes counseling and litigation regarding misappropriation of trade secrets, violation of the Computer Fraud and Abuse Act and state computer trespass laws, common law privacy torts, discovery challenges posed by the Stored Communications Act, privacy of consumer financial information under Gramm-Leach-Bliley, and confidentiality rights concerning mental health consumers. Ms. McGinnis also handles a wide variety of data breach matters for her clients, including those involving PCI-DSS compliance, and has worked with the USSS and the FBI in investigating potential cyber-crime. She has assisted clients with drafting and creating data breach procedures, mobile device policies and agreements, FACTA Red Flag policies and procedures, online privacy policies, international ethics hotlines, international data transfer agreements, vendor agreements, and employee data security training. Ms. McGinnis is co-chair of the firm’s Privacy and Data Security Group.