With cyberattacks on the rise, so is data breach litigation initiated by plaintiffs who claim that they have been harmed by the exposure of their personal information. As a result, more and more courts are confronting the threshold issue of standing under Article III of the Constitution for these plaintiffs, and they are coming to different conclusions.
The United States Court of Appeals for the Eighth Circuit is the latest federal appellate court to rule in a case involving Article III standing for data breach litigation. In In re SuperValu, Inc., 870 F.3d 763 (8th Cir. 2017), the Eighth Circuit held that fifteen out of sixteen plaintiffs failed to allege they had suffered identity theft and/or incurred fraudulent charges and, thus, they did not meet the Constitutional requirements for standing. The Eighth Circuit concluded that the alleged risk of some future harm was not sufficient to satisfy the standing requirements to bring a lawsuit.
SuperValu, the defendant in this case, owned and operated grocery stores across the United States. In 2014, SuperValu suffered two cyberattacks in which “[t]he hackers installed malicious software on defendants’ network that allowed them to gain access to the payment card information of defendants’ customers (hereinafter, Card Information), including their names, credit or debit card account numbers, expiration dates, card verification value (CVV) codes, and personal identification numbers (PINs).” In both instances, SuperValu issued a press release acknowledging the cyberattack and the potential theft of some customers’ Card Information, but there was no determination as to whether “such information ‘was in fact stolen.’” Following the data breach, customers who shopped at the affected SuperValu stores had to determine if their cards were compromised. They spent time reviewing the information released about the breaches and the impacted locations, and monitored account information to guard against potential fraud. Only one of the plaintiffs, however, David Holmes (“Holmes”), specifically noticed a fraudulent charge on his credit card statement following the breach. He immediately cancelled his credit card, and waited two weeks to receive a replacement card.
The customers allegedly affected by the data breach brought numerous class actions, which were later consolidated in the United States District Court for the District of Minnesota. The complaint alleged violations of state consumer protection statutes and state data breach notification statutes, negligence (including negligence per se), breach of implied contract, and unjust enrichment. SuperValu moved to dismiss the complaint, and the district court granted dismissal under Federal Rule of Civil Procedure 12(b)(1). According to the district court’s findings, all of the plaintiffs had failed to allege an injury-in-fact and, thus, they lacked standing to bring a suit. The plaintiffs appealed the court’s dismissal and the defendants cross-appealed, arguing for dismissal with prejudice under Rule 12(b)(6).
On appeal, the plaintiffs took the position that the complaint “sufficiently alleged an injury in fact because the theft of their Card Information in the data breaches at defendants’ store created a substantial risk that they will suffer identity theft in the future.” They alleged “on information and belief, [that] illicit websites [were] selling their Card Information to counterfeiters and fraudsters, and that plaintiffs’ financial institutions [were] attempting to mitigate their risk.” Only one of the plaintiffs, Holmes, alleged the “actual misuse of his Card Information” as a result of the data breaches – a present injury, which he specifically argued was “causally connected to defendants’ careless security practices.”
Relying on prior cases decided by the United States Supreme Court (Clapper v. Amnesty Int’l USA, 568 U.S. 398 (2013), and Susan B. Anthony List v. Driehaus, ___ U.S. ___, 134 S. Ct. 2334 (2014)), the Eighth Circuit explained that future harm can be sufficient to establish Article III standing only if plaintiffs can “demonstrate that ‘the threatened injury is certainly impending, or there is a substantial risk that harm will occur.’” (emphasis added). The Eighth Circuit was tasked with “determin[ing] whether plaintiffs’ allegations plausibly demonstrate[d] that the risk that plaintiffs [would] suffer future identity theft [was] substantial.” In support of their position that the threat of future identity theft was certainly impending or substantial, the plaintiffs relied on a 2007 Government Accountability Office (“GAO”) report. The Eighth Circuit found the GAO report unpersuasive because, even though the report acknowledged some data breach incidents could result in identity theft, “it conclude[d] based on the ‘available data and information’ that ‘most breaches have not in fact resulted in detected incidents of identity theft.’” The court further noted the possibility that in some years, “more detailed factual support for plaintiffs’ allegations of future injury” may become available, but the complaint, as it stood, alleged a “mere possibility,” which was insufficient for standing. The Eighth Circuit also rejected the plaintiffs’ argument that the time spent and the costs incurred to “mitigate their risk of identity theft [by] reviewing information about the breach and monitoring their account information” amounted to an injury in fact. Because plaintiffs had failed to allege a substantial risk of future identity theft, the court concluded that the costs incurred by the plaintiffs were to protect against a “speculative threat[,]” and did not create an injury for standing purposes. (emphasis added).
The Eighth Circuit, however, found that Holmes met the threshold requirement for Article III standing by alleging the actual “misuse of his Card Information.” The court concluded that the complaint, as it related to Holmes, “contained sufficient allegations to show that [he] suffered an injury in fact, fairly traceable to defendants’ security practices, and likely to be redressed by a favorable judgment [and, thus,] Holmes had standing under Article III’s case or controversy requirement.”
The Eighth Circuit acknowledged that other courts, such as the United States Court of Appeals for the District of Columbia Circuit (written about here) and the United States Court of Appeals for the Seventh Circuit, had reached different conclusions on standing for data breach litigation. In those cases, the courts found it plausible to infer that hackers stole consumers’ private information with the intent to make fraudulent charges or steal their identities and, thus, the data breach had created a substantial risk of harm to those plaintiffs because their personal information had been exposed. The Eighth Circuit, however, followed the analysis of the United States Court of Appeals for the Fourth Circuit (Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017)), and declined to make such an inferential step that a breach would result in future harm. In Beck, the Fourth Circuit explained that even if the statistics relied upon by plaintiffs were true, which purported to show that 33% of individuals impacted in the data breach would suffer identity theft, it necessarily followed that 66% would not suffer such harm, which was insufficient to establish a substantial risk of harm necessary for Article III standing.
As cyberattacks increase and more plaintiffs initiate data breach litigation, courts will continue to grapple with these different positions on what data breach plaintiffs must allege to establish a substantial risk of future harm. In the meantime, however, the Eighth Circuit’s holding in In re SuperValu shows that courts are not moving uniformly on the issue of Article III standing as it relates to data breach litigation and, as a result, some circuits are more plaintiff-friendly while others are not.