[BreachExchange] Fourth Circuit Weighs in on Standing in Data Breach Litigation

[Audrey McNeil]

https://www.natlawreview.com/article/fourth-circuit-weighs-standing-data-breach-litigation


Cybersecurity incidents are on the rise, and so too is data breach
litigation brought by plaintiffs who allege they were harmed by the
unauthorized exposure of their personal information. Federal circuits
across the United States are grappling with the issue of what satisfies the
Article III standing requirement in data breach litigation, when often only
a “risk of future harm” exists.

The United States Court of Appeals for the Fourth Circuit (“the Fourth
Circuit”) is the latest circuit court to weigh in on standing in data
breach litigation. In Hutton v. National Board of Examiners in Optometry,
the court held that the plaintiffs satisfied the Article III standing
requirement by alleging hackers stole and misused their personally
identifiable information (PII), even though no financial loss was incurred.
Circuit courts have been split on the issue of standing in the data breach
context, with some courts finding standing where only a heightened “risk of
future harm” exists, i.e. the likelihood that stolen data may be misused
(Sixth, Seventh, and Ninth Circuits), while other circuit courts require
actual harm such as financial loss (Second, Third, and Eighth Circuits).
The Fourth Circuit in Hutton has reached a middle ground finding that
actual theft and misuse of the PII satisfied the standing threshold, even
though no pecuniary damages resulted.

In Hutton, the plaintiffs, members of the National Board of Examiners in
Optometry (NBEO), noticed that credit card accounts were fraudulently
opened in their names, which required knowledge of their social security
numbers and dates of birth. Although the NBEO never admitted to a security
breach, plaintiffs concluded that the NBEO was the only common source to
which they had provided their personal information. As a result, plaintiffs
filed a lawsuit alleging the NBEO failed to adequately safeguard their
personal information.

The NBEO filed a motion to dismiss arguing that although fraudulent credit
card accounts were opened, no actual harm had occurred, and thus the
plaintiffs lacked Article III standing to sue. The U.S. District Court for
the District of Maryland granted the NBEO’s motion, finding, inter alia,
that plaintiffs failed to sufficiently allege they had suffered an
“injury-in-fact” because they had incurred no fraudulent charges and had
not been denied credit or required to pay a higher credit rate as a result
of the fraudulent credit card accounts.

The Fourth Circuit, however, reversed the district court’s holding,
concluding that credit card fraud and identity theft alone were sufficient
to establish Article III standing. The court distinguished Hutton, from
their ruling in Beck v. McDonald, in which the court concluded that the
plaintiffs lacked standing because they only alleged a “threat of future
injury” – laptops and boxes were stolen containing personal information,
but that information was not misused. In Hutton, the court emphasized,
unlike in Beck, plaintiffs were “concretely injured” as credit card
accounts were open without their knowledge or approval, qualifying as
misuse, even if fraudulent charges were yet to occur.

The circuit court split on the issue of Article III standing has made it
difficult for businesses to assess the likelihood of litigation and its
associated costs in the wake of a data breach. Until the Supreme Court
weighs in on this issue, it is crucial for businesses to assess their
breach readiness and develop an incident or breach response plan that takes
into consideration the possibility of litigation.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180702/1a3f223f/attachment.html>