The U.S. Court of Appeals for the Eighth Circuit has become the latest appellate court to enter the contested debate over Article III standing in data breach litigation. The Eighth Circuit held that 15 of 16 named plaintiffs who never alleged they had suffered identity theft or incurred fraudulent charges on their payment cards did not have standing to pursue claims based on alleged risk of future harm in the multidistrict action In re SuperValu, Inc. Customer Data Security Breach Litigation. The Eighth Circuit’s opinion comes on the heels of other decisions that found risk of future harm following a data breach sufficient to confer Article III standing on class action plaintiffs.
The plaintiffs in In re SuperValu asserted that they shopped at defendants’ stores using payment cards and that their payment card information—including names, credit and debit card numbers, expiration dates, card verification value codes, and personal identification numbers—was compromised in two data breaches announced by defendants. Fifteen of the plaintiffs pointed to the risk of future fraud and identity theft, and the measures they took to avert that risk, as well as allegations based on information and belief that their payment card information was being sold on illicit websites, as the harm they suffered as a result of the data breaches; just one plaintiff alleged that a fraudulent charge was made on his payment card.
The Eighth Circuit found that plaintiffs’ allegations regarding the illicit sale of their information were too “speculative” and failed to identify an injury specific to particular plaintiffs. The Eighth Circuit rejected plaintiffs’ broader argument that they satisfied the injury in fact requirement for standing based on risk of future identity theft. In particular, the court held that plaintiffs’ allegations did not plausibly show a substantial risk of future harm necessary for standing. The court found that a 2007 Government Accountability Office (“GAO”) report—Personal Information: Data Breaches are Frequent, but Evidence of Resulting Theft is Limited; However, the Full Extent is Unknown—cited in the complaint did not support plaintiffs’ argument. As the court noted, the report stated that most data breaches did not result in detected incidents of identity theft; of the 24 largest breaches reported between January 2000 and June 2005, only four were known to have resulted in identity theft. The court left open the possibility that “some years later there may be more detailed factual support for plaintiffs’ allegations of future injury” and that plaintiffs might be able to sufficiently allege a substantial risk of future harm through other means, but as of today plaintiffs could make no such showing.
The Eighth Circuit acknowledged that courts in other cases had reached a different conclusion on standing, citing the Seventh Circuit’s decision in Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015). That court found it plausible to infer that hackers stole consumers’ private information to make fraudulent charges or steal their identities, thus creating a substantial risk of harm from that data breach. It cited the same GAO report for the point that stolen data may be held for some time before being used for fraudulent purposes, and that once sold, information may be used fraudulently for years. The Court of Appeals for the District of Columbia Circuit issued a decision a few weeks ago that adopted the same reasoning as Remijas. The court in Attias v. CareFirst, 865 F.3d 620 (D.C. Cir. 2017) inferred that the attackers behind the data breach had the intent and ability to use the stolen data for fraudulent purposes. And it found that plaintiffs faced a substantial risk of harm simply because the hack occurred and exposed their personal information. The Eighth Circuit, by contrast, declined to make such inferential leaps. In doing so, the court aligned itself with the Fourth Circuit, which in Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017) found that statistics purporting to show that 33% of individuals impacted in the data breach would suffer identity theft fell short of establishing a substantial risk of harm necessary for standing. The court in Beck underscored the point that a “reasonable” risk of harm was not enough to establish standing and that a substantial risk required more.
It remains to be seen how the different views of what data breach plaintiffs must allege to establish a substantial risk of future harm—embodied in the recent In re SuperValu and Attias decisions—will play out in the courts. Indeed, the District of Columbia Circuit just granted a stay of its mandate in Attias while CareFirst files a certiorari petition to the U.S. Supreme Court. That petition will be closely watched. In the meantime, the In re SuperValu decision shows that courts are not moving in a uniformly pro-plaintiff direction on standing. And although the Eighth Circuit found that the one named plaintiff who alleged that a fraudulent charge was made on his payment card had standing, and thus the court had subject matter jurisdiction over the suit, defendants will have the opportunity on remand to argue that the case should still be dismissed for failure to state a claim under Federal Rule of Civil Procedure 12(b)(6).