The U.S. Court of Appeals for the Fourth Circuit has added to the growing circuit split on standing in data breach cases in Beck v. McDonald, No. 15-1395 (Feb. 6, 2017). The circuit split now divides at least six federal courts of appeals regarding what data-breach victims must show to establish an “injury-in-fact” under Article III. The Fourth Circuit held that merely having your personal data stolen, and the alleged corresponding increased risk of future theft, is insufficient to satisfy Article III’s injury-in-fact requirement.
The case involved two different lawsuits, which were combined for consideration by the Fourth Circuit. The first lawsuit was brought by Richard Beck and others, whose personal information was stolen when a laptop computer vanished from a Veterans Affairs hospital in South Carolina. The second lawsuit related to four boxes of pathology reports containing personal information, which were stolen from the same hospital. In both cases, the hospital informed potential victims that their personal information had been stolen and offered one year of credit monitoring.
The Fourth Circuit was tasked with deciding when a potential injury, such as the supposed risk that thieves will forge documents or run up unauthorized charges, becomes an injury-in-fact sufficient to satisfy Article III’s standing requirement. The court focused its analysis on the Supreme Court’s decision in Clapper v. Amnesty International USA and held that the “chain of possibilities” that could connect the data theft to personal injury was too “attenuated” based on the allegations in the lawsuits. Beck, No. 15-1395, at 20. The court explained that it would have to assume that the thief stole the computer or records in order to obtain the personal information contained in them. Id. And it would have to further assume that the thief would steal the named plaintiffs’ particular data from the vast trove available to them. Id. The court refused to make these assumptions, despite the fact that the plaintiffs introduced some data showing that they were at a generally increased risk of future theft. Id. at 21-22. Critically, and in contrast to the Seventh Circuit, the court refused to “infer a substantial risk of harm of future identity theft from an organization’s offer to provide free credit monitoring services to affected individuals.” Id. at 22.
Perhaps softening the circuit split recognized by the panel, see id. at 16-17, the court noted differences between the Beck lawsuits and other cases in which federal courts of appeals found that plaintiffs had alleged an injury-in-fact following a data breach. The plaintiffs did not allege that thieves had “intentionally targeted the personal information compromised in the data breaches,” or that any named plaintiff’s personal information had been “misuse[d] or access[ed] . . . by the thief.” Id. at 18. One named plaintiff in the Beck lawsuit did allege that three unauthorized credit card charges had appeared on her account, but she failed to attribute those unauthorized charges to the data breach. Id. at 19 n.6. In fact, the court doubted the plaintiff could connect the two since “the data on the stolen laptop did not contain any credit card or bank account information.” Id. The court also rejected the plaintiffs’ attempt to use their own expenditures on future credit monitoring services to create an injury-in-fact. The court stated that such “self-imposed harms cannot confer standing.” Id. at 23.
Further cases that could impact this split are pending before the Second Circuit and the D.C. Circuit, and so this issue seems to be one that inevitably will need to be addressed by the Supreme Court. Until then, class actions may be filed more often in those circuits that have been more lenient in finding potential harms from data breaches.