A recent decision from the Fourth Circuit Court of Appeals in Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), adds to the list of circuit courts of appeal that have held that the mere threat of future harm resulting from a data breach, without more, is insufficient to satisfy the injury-in-fact requirement for Article III standing.
The Beck case involved two separate lawsuits arising out of distinct data breaches at the William Jennings Bryan Dorn Veterans Affairs Medical Center. The plaintiffs in both cases were veterans whose personal and medical information had been compromised as a result of the breaches. The first breach occurred in 2013 when a laptop containing the unencrypted personal information for 7,400 patients - including names, birth dates, portions of social security numbers and physical descriptions - was stolen from the pulmonary function department at Dorn VAMC. The second breach occurred in 2014 when four boxes of pathology reports containing identifying information for over 2,000 patients were misplaced or stolen.
The plaintiffs filed putative class action lawsuits in federal court alleging statutory and common law claims against Dorn VAMC and its administrators as a result of the data breaches, and sought damages for “embarrassment, inconvenience, unfairness, mental distress, and the threat of current and future substantial harm from identity theft and other misuse of [p]ersonal [i]nformation.” Id. at 267-68. The plaintiffs also alleged that the “threat of identity theft” required them to frequently monitor their “credit reports, bank statements, health insurance reports, and other similar information, purchas[e] credit watch services, and [shift] financial accounts.” Id. at 267.
In the district court, the defendants moved to dismiss both actions on the ground that the putative class plaintiffs had not suffered the harm necessary to confer standing to sue. It is axiomatic that a plaintiff must have standing in order to sue, which requires the plaintiff to show an injury-in-fact. “To establish injury in fact, a plaintiff must show that he or she suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’” Spokeo, Inc. v. Robins, ––– U.S. –––, 136 S.Ct. 1540, 1548 (2016) (citation omitted).
Like the majority of courts to address the issue, the district court applied the US Supreme Court’s recent decision in Clapper v. Amnesty Intern. USA, ––– U.S. –––, 133 S.Ct. 1138, 1146 (2013), and dismissed the complaint on the ground that allegations of the threat of future harm are insufficient to satisfy the standing requirement of injury-in-fact. Beck, 848 F.3d at 655.
As the US Supreme Court reiterated in Clapper (and other cases over the past few years), Article III standing requires a plaintiff to prove “(1) an injury in fact, (2) that is fairly traceable to the challenged conduct of a defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, Inc., 136 S.Ct. at 1547 (2016); Clapper v. Amnesty Intern. USA, ––– U.S. ––––, 133 S.Ct. 1138, 1146 (2013). In Clapper, the Supreme Court held that the risk of future harm may satisfy the injury in fact requirement for Article III standing so long as the alleged harm is “certainly impending.” Clapper, 133 S.Ct. at 1147. Under Clapper, where the threatened harm depends on a “highly attenuated chain of possibilities,” it cannot meet the injury-in-fact requirement. Importantly, Clapper left open the possibility that the injury-in-fact element could be satisfied through a showing that there is a “substantial risk that the harm will occur.” Susan B. Anthony List v. Driehaus, 134 S.Ct. 2334, 2341 (2014). Indeed, in Clapper, the US Supreme Court declined to resolve whether the “‘substantial risk’ standard was relevant and distinct from the ‘certainly impending’ requirement.” Clapper, 133 S.Ct. at 1150 n.5.
In Beck, the defendants argued that there had not been any “actual or attempted” misuse of the plaintiffs’ personal information, rendering speculative the allegations that it would eventually be misused. Beck, 848 F.3d at 269. The defendants argued that the plaintiffs’ alleged harm was too speculative to satisfy the required showing of an injury-in-fact and, therefore, the facts alleged did not support the plaintiffs’ claim that there was a “substantial risk” that such harm would occur. Id.
In moving to dismiss, the defendants focused on the assumptions required to find an injury. The defendants emphasized that in order to find an injury-in-fact, the district court would have to assume all of the following: (1) the plaintiffs’ data was stolen by someone bent on misusing the personal information; (2) the thief would then have to attempt to use or sell to others the plaintiffs’ personal information; and (3) the thief or purchaser of the plaintiffs’ information would successfully use the information to steal the plaintiffs’ identities. Id. at 268-69. This “attenuated chain of possibilities” did not satisfy the plaintiffs’ burden to show that their threatened injury was “certainly impending” under Clapper. The district court agreed with the defendants and granted their motions to dismiss, holding that the threat of future harm was too speculative to support standing. The district court also held that plaintiffs could not “create standing by choosing to purchase credit monitoring services or taking other steps to mitigate the speculative harm of future identity theft” because these measures were taken solely to “mitigate a speculative future harm.” Id. at 268.
On appeal, the Fourth Circuit Court of Appeals affirmed the district court, holding that the threat of future harm was too speculative to qualify as “certainly impending,” and that the plaintiffs had not demonstrated a “substantial risk” that the alleged future harm would occur.
Like the district court, the Fourth Circuit held that the plaintiffs’ fear of future identity theft was too speculative to confer standing because it was “contingent on a chain of attenuated hypothetical events and actions by third parties independent of the defendants.” Id. at 268 (citing Clapper, 133 S.Ct. at 1148). The plaintiffs also failed to satisfy the “lesser standard” of “substantial risk” of future harm referenced in Clapper: For instance, the plaintiffs’ calculations that 33% of those affected by the laptop theft would have their identities stolen and that all affected would be 9.5 times more likely to experience identity theft “d[id] not suffice to show a substantial risk of identity theft.” Beck at 268.
In affirming the district court, the Fourth Circuit noted that the facts in Beck were distinguishable from other recent Circuit Court decisions holding that the threat of future harm satisfied the injury-in-fact requirement. The Fourth Circuit concluded that underlying those other cases were “common allegations that sufficed to push the threatened injury of future identity theft beyond the speculative to the sufficiently imminent.” Beck, 848 F.3d at 274. Notably absent from Beck were any allegations that “the data thief intentionally targeted the personal information compromised in the data breaches.” Id. (citing Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384, 386 (6th Cir. 2016) (“[H]ackers broke into Nationwide’s computer network and stole the personal information of Plaintiffs and 1.1 million others.”); Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688, 693-94 (7th Cir. 2015) (“Why else would hackers break into a store’s database and steal consumers’ private information?”); Pisciotta v. Old Nat. Bancorp, 499 F.3d 629, 632 (7th Cir. 2007) (“scope and manner” of intrusion into banking website’s hosting facility was “sophisticated, intentional and malicious”)). Also absent were any allegations that “at least one named plaintiff alleged misuse or access of that personal information by the thief.” Beck, 848 F.3d at 274 (citing Remijas, 794 F.3d at 690 (9,200 of the 350,000 credit cards potentially exposed to malware “were known to have been used fraudulently”); Krottner v. Starbucks Corp., 628 F.3d 1139, 1141 (9th Cir. 2010) (named plaintiff alleged that, two months after theft of laptop containing his social security number, someone attempted to open a new account using his social security number)). See also Simon v. E. Ky. Welfare Rights Org., 426 U.S. 26 (1976) (named plaintiff cannot rely on injuries allegedly sustained by unknown and unidentified class members).
Moreover, the passage of time since the breaches had occurred rendered plaintiffs' allegations even more speculative. The data breaches occurred in 2013 and 2014, respectively; however, since the breaches had occurred, the plaintiffs had uncovered no evidence that the information contained on the stolen laptop and pathology reports was accessed or misused, or that the named plaintiffs had suffered actual identity theft. Nor, for that matter, had evidence surfaced that a thief stole the reports or the laptop with the intent to steal private information contained therein. Beck, 848 F.3d at 274-75. Given the length of time that had passed since the breaches, and the absence of the factual allegations underpinning similar decisions from its sister circuits, the Fourth Circuit held that the threat of future harm was too speculative to support injury-in-fact for the plaintiffs.
The Fourth Circuit also held that the plaintiffs had failed to show a substantial risk of future identity theft. The plaintiffs alleged that: “(1) 33% of health-related data breaches result in identity theft; (2) the Defendants expend millions of dollars trying to avoid and mitigate those risks; and (3) by offering the Plaintiffs free credit monitoring, the [defendants] effectively conceded that the theft of the laptop and pathology reports constituted a ‘reasonable risk of harm to those victimized’ by the data breaches.” Id. at 275. The Fourth Circuit rejected these allegations as sufficient to show standing because, even if plaintiffs were correct that 33% of victims will suffer from identity theft, “it follows that over 66% of [the victims] affected will suffer no harm. This statistic falls far short of establishing a ‘substantial risk’ of harm.” Id. at 276. And the Fourth Circuit also declined to infer a substantial risk of harm of future identity theft from defendants’ offer to provide free credit monitoring services to affected individuals: “To adopt such a presumption would surely discourage organizations from offering these services to data-breach victims, lest their extension of goodwill render them subject to suit.” Id.
Hence, the Fourth Circuit has now joined the majority of circuit courts in concluding that the threat of future harm from a data breach alone, without more, is insufficient to confer standing on a plaintiff. The Seventh, Ninth and, most recently, Sixth Circuits have come to the opposite conclusion. It is likely that the U.S. Supreme Court will decide this growing circuit split soon. It has addressed the issue of standing in three decisions in the last few years – Clapper (2013), Driehaus (2014) and Spokeo (2016) – in each instance concluding that the circuit court had improperly found that the plaintiff had standing to sue, in violation of well-established standing principles.