While data privacy—especially data breach—cases in the United States have been on the rise for years now, most cases never make it past the pleading stage. Indeed, federal courts frequently dismiss data-privacy complaints for lack of standing under Article III of the US Constitution—i.e., injury in fact. Article III has become the first (and often last) line of defense for companies accused of improperly collecting or protecting consumer data, particularly given the high costs of discovery and potential exposure in such cases. Of course, not all claims arise under federal law or are subject to removal to federal court. State data-privacy defendants are not without recourse, however. As several recent decisions show, the principles underlying an Article III defense apply equally under state law, where injury is an element of many statutory and common-law claims.
The US Supreme Court has long interpreted the Constitution’s “case or controversy” provision to require (i) concrete and particularized injury in fact that is (ii) fairly traceable to the defendant’s conduct and is (iii) capable of redress by judicial decision.1 In 2013,in Clapper v. Amnesty International, the Court held that a threat of future surveillance was “too speculative” to satisfy Article III, even though the plaintiffs had incurred costs, such as international airfare, to keep their communications private.2 Since Clapper,and even before, numerous federal courts have dismissed class actions alleging data collection and/or breach, but not data dissemination or misuse.3 The principles that underlie these dismissals are not limited to Article III, as recent decisions from Illinois and California show.
The Illinois cases began when burglars stole four laptops from Advocate Health and Hospitals (“Advocate”), a network of affiliated doctors and hospitals. An Advocate patient, Veronica Vides, brought suit in state court, alleging that Advocate failed to encrypt and protect the laptops, subjecting patients to increased risk of identity theft, out-of-pocket costs to mitigate the risk and anxiety.4 Vides predicated her claims on several Illinois statutes—the Consumer Fraud and Deceptive Business Practices Act, the Personal Information Protection Act and the Consumer Fraud Act—as well as common-law negligence, invasion of privacy and infliction of emotional distress. Vides sought damages on behalf of all Advocate patients treated prior to the theft.
The circuit court, citing Clapper and numerous federal cases, dismissed Vides’ class-action complaint with prejudice.5 According to the court, the threat of identity theft depended on a “chain of attenuated and hypothetical events” including “whether [patient] data was actually taken after the removal, whether it was subsequently sold or otherwise transferred, whether anyone who obtained the data attempted to use it, and whether or not they succeeded.” To establish standing, the court concluded, the risk of identify theft need not be “literally certain,” but must be “imminent” or “certainly impending.” As in Clapper, costs incurred to offset such risks were insufficient; otherwise, plaintiffs could “manufacture standing merely by inflicting harm on themselves.” A month after Vides, a second Illinois circuit court reached the same conclusion in Maglio v. Advocate Health & Hospitals Corp., dismissing another Advocate patient’s class action with prejudice for failure to allege standing.6
Similarly, a Los Angeles judge recently dismissed claims that Ralphs Grocery Company (“Ralphs”) disclosed to trusted business partners customer information obtained through its free rewards program. The California Court of Appeal affirmed, in an unpublished decision, holding that plaintiff Jacob Heller lacked standing to assert claims under California’s Unfair Competition Law (UCL), which requires injury in fact.7Heller alleged that he would not have applied for the rewards card or shopped at Ralphs, had he known about the information sharing, and he sought disgorgement of profits on behalf of all Ralphs rewards members. What was “notably missing” from Heller’s complaint, however, was any economic injury resulting from his use of the rewards card. “The card was provided without cost,” and there was no allegation “that any product purchased was not as represented.” This failure was sufficient to defeat Heller’s claims under the UCL and for breach of contract, fraud, intentional misrepresentation and negligence.
On the other hand, in Tabata v. Charleston Area Medical Center Inc., the West Virginia Supreme Court reversed a circuit court decision refusing to certify claims that a medical center inadvertently published patient information on the internet.8 The state supreme court “agreed with the circuit court that the risk of future identity theft alone does not constitute an injury in fact for the purpose of showing standing,” but found that patients had a “concrete, particularized, and actual” interest “in having their medical information kept confidential,” even though discovery revealed that the patient data had not yet been accessed on the internet.
Tabata is arguably best read as an outlier, distinguishable in that it involved actual—albeit accidental—dissemination of patient data by the defendant (as opposed to a data thief) and special state-law duties imposed on doctors. Moreover, the Maglio court expressly addressedTabata, and found that federal cases “more persuasively analyze” the standing issue.
Businesses should be aware of Tabata, nonetheless, particularly health-care providers and companies operating in West Virginia. Ralphsand Advocate, meanwhile, reinforce the prevailing rule that increased risk of identity theft, without more, is not enough to establish standing in state or federal court.