A claimed “heightened risk of future identity theft” in the wake of a data breach does not provide standing for a plaintiff to sue the company that suffered the breach, a federal court judge has determined.
Texas hospital St. Joseph Health System was the victim of a cyberattack in December 2013, and one of the 405,000 patients and employees whose information was compromised filed suit in Texas federal court. Beverly Peters claimed that her personal information—including her name, address, Social Security number, birthdate, medical records, and bank account information—was placed online by the hackers, where it was misused by unknown third parties.
As a result, there was a fraudulent charge to her Discover card, an attempt to access her Amazon account, her e-mail account was compromised, and she received unwanted telephone solicitations, she alleged.
St. Joseph moved to dismiss the suit, arguing that Peters lacked standing to sue because she had not suffered a cognizable injury. Discover paid for the fraudulent charge and closed her account to prevent future fraud, Peters changed her e-mail account password, and the hospital provided one free year of credit monitoring and identity theft protection for all victims, the defendant told the court.
U.S. District Court Judge Kenneth M. Hoyt agreed, ruling that Peters could not plausibly establish a “certainly impending” or “substantial risk” that she would be victimized, the standard set by Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013).
“The Court cannot agree that she faces a ‘certainly impending’ or ‘substantial’ risk of identity theft/fraud as Article III requires,” Judge Hoyt wrote, particularly as Peters’ complaint “raises the possibility that fraudulent use of her personal information could go undetected for long periods of time—even ‘years into the future.’ ”
“ ‘Unless and until these conjectures come true,’ Peters’ alleged future injuries are speculative—even hypothetical—but certainly not imminent,” the court said. “Critically, Peters ‘cannot describe how [she] will be injured without beginning the explanation with the word ‘if.’ For example, Peters might be able to demonstrate harm if third parties become aware of her exposed information and reveal their interest in it; if they form an intent to misuse her information; and if they take steps to acquire and actually use her information to her detriment. The misuse of her information could take any number of forms, at any point in time.”
The plaintiff’s theory of standing “relies on a highly attenuated chain of possibilities,” the court concluded. “As such, it fails to satisfy the requirement that ‘threatened injury be certainly impending to constitute injury in fact.’ ”
A mere allegation that risk has been increased does not transform that assertion into a cognizable injury, Judge Hoyt added, and even if Peters had spent money prophylactically on credit monitoring services to ease her fears of future third-party criminality, she would still fall short of the constitutional standard for standing.
While the Supreme Court’s decision in Clapper should have resolved a circuit split among the federal appellate courts, some district courts have recognized Article III standing for claims of future harm suffered by data breach victims, even after Clapper. Despite Peters’ reliance on such decisions, the court emphasized that Clapper “compels the conclusion that Peters lacks standing to bring her federal claims to the extent they are premised on the heightened risk of future identity theft/fraud.”
Peters also failed to establish an actual injury, the court said. Discover never charged her for the fraudulent purchase and closed her account, Peters changed her password after her e-mail account was compromised, and a ruling from the court would not prevent unwanted contact from third parties, the judge said.
“Certainly, the Court can neither ‘control [n]or … predict’ the ‘unfettered choices’ made by these companies, who are not before the Court and are independent of St. Joseph in any event,” the court wrote. “Peters has not made the requisite demonstration of injury, traceability and redressability for her alleged injuries. Lacking viability, her federal claims are dismissed with prejudice.”
To read the opinion in Peters v. St. Joseph Services Corp., click here.
Why it matters: While the court declined to address the viability of Peters’ state or common-law claims, Judge Hoyt was clear that she lacked standing for federal claims on either an actual injury basis or heightened risk of future identity theft or fraud. Companies facing a data breach—or at least those in Texas—can breathe a little easier.