The U.S. Court of Appeals for the Eighth Circuit held that allegations of a future risk of identity theft resulting from a data breach are not sufficient to establish standing. The August 30 ruling in In re SuperValu Customer Data Security Breach Litigation requires that data breach plaintiffs must allege an actual injury for Article III standing, making it much more difficult for those plaintiffs to survive a motion to dismiss for lack of subject matter jurisdiction. The ruling increases uncertainty in data breach litigation at a time when various appellate courts have been going in different directions on the question of what must be alleged to establish standing to sue.

Background

SuperValu Inc., AB Acquisition LLC and New Albertson Inc. (the defendants) owned and operated a chain of retail grocery stores. In 2014, the defendants suffered two data breaches. In the first breach, from June 22, 2014 through July 17, 2014, hackers gained access to the payment information of defendants’ customers including their names, credit or debit card account numbers, card expiration dates, card verification value codes, and personal identification numbers. The second breach took place in late August 2014 or early September 2014 and involved the same type of customer information. After each breach, the defendants issued a press release notifying customers of the breach but indicating that there had been no determination that customer information had in fact been stolen or misused.

Customers from several states allegedly affected by the breaches filed putative class actions in different district courts. The actions were transferred to the U.S. District Court for the District of Minnesota and consolidated. A consolidated amended complaint asserting claims for violations of state consumer protection and data breach notification statutes, negligence, breach of implied contract and unjust enrichment was filed with 16 named plaintiffs who allegedly shopped at the defendants’ stores between June and September 2014.

The complaint alleged that the defendant failed to take adequate measures to protect customers’ information by using default or common passwords, failing to lock out users after several failed login attempts and not segregating access to different parts of the computer network or using firewalls to protect customer information. The complaint alleged that customers’ information was stolen as a result of the breaches, subjecting plaintiffs to “an imminent and real possibility of identity theft.” Each of the named plaintiffs allegedly spent time reviewing information about the breaches and impacted locations and monitoring account information to guard against fraud. Only one of the named plaintiffs, David Holmes, alleged that he had suffered a fraudulent charge on his credit card statement, resulting in the replacement of that card. In support of their allegations, the complaint also cited a June 2007 U.S. Government Accountability Office report on data breaches.

The district court evaluated the standing of the named plaintiffs collectively and dismissed the complaint without prejudice, finding that plaintiffs had not alleged an injury in fact and, therefore, lacked standing. Specifically, the district court found that the complaint alleged only an “isolated single instance of an unauthorized charge” that did not “plausibly suggest[] that the hackers had succeeded in stealing the data and were willing and able to use it for future theft or fraud.”

Eighth Circuit Decision, Review of Supreme Court Precedent

The Eighth Circuit affirmed the district court’s dismissal for lack of standing as to the 15 individual plaintiffs who had not experienced any fraudulent charges or identity theft following the breaches, concluding that the complaint had not sufficiently alleged a substantial risk of future injury. However, the court reversed as to Holmes, finding that his allegation of a fraudulent use of his card gave rise to standing in his individual case.

Reviewing Supreme Court precedent, the Eighth Circuit explained that to establish an injury in fact sufficient for standing, plaintiffs must show that they have suffered an injury that is “’concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’” In cases involving future injury, plaintiffs must demonstrate that the “the threatened injury is ‘certainly impending,’ or there is a “’substantial risk” that the harm will occur.’” In addition, to establishing that an injury is fairly traceable to a defendant’s conduct, plaintiffs must show “a causal connection between the injury and the conduct complained of” that is “not… th[e] result [of] independent action of some third party not before the court.”

Turning to the complaint, the Eighth Circuit found that, although plaintiffs had established that their information was stolen, they had not adequately alleged that, aside from Holmes, stolen information had been misused. The court held that plaintiffs’ reliance on the GAO report was misplaced as the report did not demonstrate that data breaches created a substantial risk that plaintiffs would suffer future identity theft. The Eighth Circuit noted that the GAO report concluded that compromised credit or debit card information, such as in the present case, “generally [could] not be used alone to open unauthorized new accounts,” and that “most breaches have not resulted in detected incidents of identity theft.” The court further held that the costs that plaintiffs incurred to mitigate the risk of future identity theft did not constitute an injury because the risk was “speculative” and plaintiffs could not “’manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.’”

In contrast, the Eighth Circuit held that Holmes had adequately alleged that he had suffered a concrete and particularized injury in the form of the unauthorized fraudulent charge on his credit card account and that this injury was fairly traceable to the data breaches purportedly caused by defendants’ failure to enact adequate security measures. The court concluded that “the district court had erred in holding that Holmes’ standing was dependent on the standing of the other named plaintiffs and unnamed class members” and that “[e]ach plaintiff’s standing must be assessed individually.” It observed that, at the pleading stage, Holmes’ burden for alleging a causal connection between his injury and the defendants’ conduct was “relatively modest” and he had satisfied that burden. The Eighth Circuit also held that Holmes’ injury was “likely to be redressed by a favorable judicial decision,” as any financial harm that he suffered from the fraudulent charge would be compensable in the present action.

Takeaways

The implications of SuperValu are twofold. First, SuperValu limits the scope of Eighth Circuit’s recent decision in Kuhns v. Scottrade (8th Cir. 2017), where the court held that allegations that the security provisions of a privacy policy were violated resulting in a data breach were sufficient to establish standing. Unlike Kuhns, where the injury was the alleged breach of contract, the plaintiffs in SuperValu did not assert breach of an express agreement. Instead, they asserted a breach of an implied contract claim based on the supposedly implied agreement by defendants to take reasonable measures to protect customer information in return for those customers using their credit or debit cards to make purchases at defendants’ stores. By affirming the dismissal of the implied contract claim for lack of subject matter jurisdiction, SuperValu limits standing to bring contractual claims in data breach cases to those claims where the terms of the agreement are express and definite. Read more about the Kuhns decision in our case analysis article, “Eighth Circuit Finds Standing in Data Breach Case for Privacy Policy Violation, Dismisses for Lack of Specificity.”

Second, SuperValu furthers the split among the Circuit courts concerning the pleading standard for Article III standing in data breach cases. SuperValu places the Eighth Circuit on the side of those Circuit courts that have held that plaintiffs must allege an actual injury in the form of fraudulent charges on existing credit or debit card accounts or the opening of fraudulent financial accounts based upon their stolen personal information to establish an Article III injury and survive a motion to dismiss for lack of standing. Joining the Second Circuit in Whalen v. Michaels Stores (2d Cir. May 2017) and the Fourth Circuit in Beck v. McDonald (4th Cir. 2017), the Eighth Circuit in SuperValu has found that general allegations of a heightened risk of identity theft from stolen personal information alone do not constitute an injury in fact, raising the pleading requirements for plaintiffs in data breach cases. In contrast, the D.C. Circuit in Attias v. CareFirst (D.C. Cir. 2017), the Sixth Circuit in Galaria v. Nationwide Mut. Insur. Co. (6th Cir. 2016), and the Seventh Circuit in Remijas v. Neiman Marcus (7th Cir. 2015) and Lewert v. P.F. Chang’s China Bistro (7th Cir. 2016) have held that allegations that the personal information of the plaintiffs was stolen in a data breach resulting in an increased risk of identity theft without more constitute an injury sufficient to confer Article III standing. The Circuit split is likely to continue until—and unless—the Supreme Court weighs in and offers more definitive guidance.