In a decision consolidating two cases involving two veterans and two separate data breach incidents at the Veterans Affairs Medical Center (VAMC) in South Carolina, the US Court of Appeals for the Fourth Circuit clarified the applicable standing requirement for data privacy actions and affirmed the dismissal of both suits. Beck et al. v. Robert A. McDonald, Case No. 15-1395; Watson v. Robert A. McDonald, Case No. 15-1715 (4th Cir., Feb. 6, 2017) (Diaz, J). Relying on the 2013 Supreme Court of the United States decision in Clapper v. Amnesty International, the Court explained that standing based on a threatened injury of future identity theft is too speculative absent evidence or allegation that the data thief intentionally targeted, accessed and/or misused the personal information compromised in the breach.

Beck, a veteran, filed a putative class-action suit following the February 2013 misplacement or theft of an unencrypted VAMC laptop containing personal patient information. Watson, another veteran, filed a putative class-action suit following VAMC’s discovery that four boxes of pathology reports had been misplaced or stolen; such reports have yet to be recovered.  

Both suits, brought under the Privacy Act (5 USC § 552a et seq.), were dismissed for lack of standing. In Beck, the district court found that at the summary judgment stage, Beck had not submitted evidence sufficient to create a genuine issue of material fact as to whether the risk of identity theft was “certainly impending.” In Watson, at the pleading stage, the district court found that Watson had not alleged any actual or attempted misuse of her personal information. The district court found that the fear of harm from future identity theft was “too speculative” and was “contingent on a chain of attenuated hypothetical events and actions by third parties independent of the defendants.” The district court also rejected the allegation that any costs incurred to fend off future identity theft constituted an injury-in-fact. Plaintiffs appealed. 

The circuit courts are split as to whether Article III injury-in-fact may be based on an increased risk or threat of future identity theft. The Sixth, Seventh and Ninth Circuits have recognized that plaintiffs can, at the pleading stage, establish an injury-in-fact based on threatened injury, whereas the First and Third Circuits have not. In either case, according to the Fourth Circuit, Clapper’s iteration of the well-established tenet that “a threatened injury must be ‘certainly impending’ to constitute an injury-in-fact” is controlling. 

The Fourth Circuit agreed with the district court that neither Beck nor Watson went beyond speculation to “certainly impending,” as both required the court to engage in an “attenuated chain of possibilities.” Indeed, the Court noted that since 2013 and 2014, when the data breaches in Beck and Watson occurred, respectively, plaintiffs had not uncovered evidence—or even alleged—that the information had been accessed or misused or that they had suffered identity theft or been victims of an attempted identity theft.

The Fourth Circuit also concluded that plaintiffs fell short of establishing standing based on a “substantial risk” that the harm will occur. For example, plaintiffs claimed that “33% of health-related data breaches result in identity theft.” However, even if this statistic were true, the Court noted that it left unharmed more than 66 percent of veterans affected by the breach and therefore did not establish a “substantial risk” of harm. The Court also declined to infer a substantial risk of future identity theft from an organization’s offer to provide free credit monitoring services to affected individuals, or from the VA’s internal investigations that not only concluded that the laptop and pathology reports had been stolen, but also that a “‘reasonable risk exists’ for the ‘potential misuse’” of personal information.

Finally, with respect to standing, the Fourth Circuit rejected plaintiffs’ allegation that they had suffered an injury-in-fact because they had incurred or will in the future incur mitigation expenses to guard against identity theft, noting that these “self-imposed harms cannot confer standing.”