Earlier this month, the Fourth Circuit weighted in with the most recent decision in the developing case law on Article III standing in data breach litigation, a topic that we have been covering extensively on this blog.
The case, Beck v. McDonald, is a consolidated appeal that arose out of two lawsuits brought by veterans whose medical information was compromised by data breaches at the William Jennings Bryan Dorn Veterans Affairs Medical Center in Columbia, South Carolina. First, in 2013, a laptop containing the unencrypted personal data of 7,400 patients was stolen. Then in 2014, four boxes of medical records, containing pathology reports for more than 2,000 veterans, were misplaced or stolen while en route to a storage facility.
Plaintiffs sued the Secretary of Veterans Affairs and Medical Center officials for violations of the Privacy Act of 1974. Plaintiffs alleged that Article III standing was satisfied because the data breaches had increased their risk of future identity theft and had forced them to spend money on identity theft monitoring and other protective measures.
In both suits, the district court found plaintiffs’ alleged injuries “too speculative” for Article III standing and dismissed for lack of subject-matter jurisdiction.
The Fourth Circuit agreed that the alleged injuries were insufficient to satisfy Article III. The Court recognized it was wading into a topic that has recently divided the circuits: the Sixth, Seventh, and Ninth Circuits have held that at the pleading stage, plaintiffs can establish injury-in-fact based on the threatened injury of a data breach, while the Fifth and Third Circuit have reached the opposite conclusion.
The Fourth Circuit sidestepped the issue of whether to join one camp or the other (although the opinion suggests it may be inclined to side with the latter). Rather, it distinguished the decisions of the Sixth, Seventh, and Ninth Circuits—in which the plaintiffs alleged that within a short time after the attack, they were targeted by identity thieves—with those of the plaintiffs in Beck, who made no such allegations.
Notably, the Fourth Circuit held that the U.S. Supreme Court’s ruling in Clapper v. Amnesty International—and not Spokeo—controlled the outcome of this suit. In Spokeo the Supreme Court suggested that some statutory violations (in that suit, a violation of the Fair Credit Reporting Act) may be sufficiently “concrete” to establish an Article III injury-in-fact, even though the injuries caused by such violations are “intangible.” See 136 S. Ct. at 1549–50. But here, the Fourth Circuit held, Spokeo did not govern because plaintiffs did not allege that the Medical Center’s violations of the Privacy Act alone constituted Article III injury-in-fact.
Instead, the court applied Clapper and concluded there was not Article III standing based on a “substantial risk” that harm would occur to the plaintiffs as a result of the data breaches. The court found that the plaintiffs’ allegations—including that 33% of health-related data breaches result in identity theft––were insufficient to establish such substantial risk.
In addition to the Fourth Circuit’s ruling, on February 9, the U.S. Court of Appeals for the D.C. Circuit held argument in Chantal Attias et al. v. CareFirst Inc., another appeal that grapples with these issues. We are continuing to follow closely the developing case law in this area and will have more updates as the law develops.