In our last post, we discussed the evolving standing landscape in class actions. That discussion highlighted the Third Circuit Court of Appeals’ recent decision in Horizon Healthcare, where the Court held that even without hard evidence that any of the plaintiffs’ personal information was used improperly, the alleged disclosure of information was enough to create a “de facto injury” sufficient to confer standing.
The Horizon decision is also noteworthy for its finding of what would not, in and of itself, provide a sufficient basis for establishing standing: an offer of credit monitoring by a breached entity. In relevant part, the Court held as follows: “We agree with Horizon that its offer should not be used against it as a concession or recognition that the Plaintiffs have suffered injury. We share its concern that such a rule would disincentivize companies from offering credit or other monitoring services in the wake of a breach.” In re Horizon Healthcare Servs. Data Breach Litig., 846 F.3d 625, 634 (3d Cir. 2017).
Following any sort of a data breach or inadvertent disclosure of personally identifiable information, or PII, it has become commonplace for businesses to offer their potentially affected customers or employees the opportunity to subscribe, free of cost, to a credit-monitoring product. Why? In the rare circumstance, it is because such an offer is required under law. See Conn. Gen. Stat. § 36a-701b (requiring, under certain limited circumstances of a breach in CT, the breached entity to make an offer of “appropriate identity theft prevention services and, if applicable, identity theft mitigation services.”). However, most of the 48 state statutes governing notification are silent about credit monitoring. Thus, most often affected organizations offer credit-monitoring services as a gesture of good faith in order to preserve and even generate customer and public goodwill.
But in some Circuits, that good deed may well suffice to confer standing on a plaintiff alleging negligence in the wake of a data breach. See, e.g., Galaria v. Nationwide Mut. Ins. Co., 663 Fed. Appx. 384, 388 (6th Cir. 2016) (finding that the complaint adequately alleged Article III standing, noting: “Indeed, [defendant] seems to recognize the severity of the risk, given its offer to provide credit monitoring and identity-theft protection for a full year.”).
Joining the Sixth Circuit Court of Appeals on the other side of the standing ledger, the Fourth Circuit recently made clear that, in its eyes, more is required to establish standing following a breach than a company’s offer to provide monitoring services. In Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), the Court reasoned as follows: “[W]e decline to infer a substantial risk of harm of future identity theft from an organization’s offer to provide free credit-monitoring services to affected individuals. To adopt such a presumption would surely discourage organizations from offering these services to data-breach victims, lest their extension of goodwill render them subject to suit.”
The split among the Circuits, coupled with the unabated increase in data breaches suffered by organizations big and small, almost certainly will lead to this standing question being taken up by the Supreme Court. In the meantime, and especially in the context of larger data breaches where class-action litigation is likely to result, it is always best to consider all issues, including whether to provide monitoring offers, hand-in-hand with a comprehensive data security strategy. Further, as is always the case following a breach of any magnitude, it is important to carefully review any potentially applicable policy of insurance. Credit-monitoring services are now part of the regular slate of coverage offered in cyber risk policies and, notwithstanding the above discussion, in some cases a breached entity may not be the primary driver behind a decision to offer credit monitoring.