[BreachExchange] The Widening Data Breach Standing Split: Fourth Circuit Finds No Standing From Increased Risk of Future Identity Theft

Mon Apr 10 18:38:39 EDT 2017

http://www.lexology.com/library/detail.aspx?g=aaaf2853-09c0-4ec4-b058-
8f8e277270bb

The U.S. Court of Appeals for the Fourth Circuit has added to the growing
circuit split on standing in data breach cases in Beck v. McDonald, No.
15-1395 (Feb. 6, 2017). The circuit split now divides at least six federal
courts of appeal regarding what data-breach victims must show to establish
an “injury-in-fact” under Article III. The Fourth Circuit held that merely
having your personal data stolen — and the alleged corresponding increased
risk of future theft—is insufficient to satisfy Article III’s
injury-in-fact requirement.

The case involved two different lawsuits, which were combined for
consideration by the Fourth Circuit. The first lawsuit was brought by
Richard Beck and others, whose personal information was stolen when a
laptop computer vanished from a Veterans Affairs hospital in South
Carolina. The second lawsuit related to four boxes of pathology reports
containing personal information, which were stolen from the same hospital.
These pathology reports also contained personal information. In both cases,
the hospital informed potential victims that their personal information had
been stolen and offered one year of credit monitoring.

The Fourth Circuit was tasked with deciding when a potential injury—such as
the supposed risk that thieves will forge documents or run-up unauthorized
charges—becomes an injury-in-fact sufficient to satisfy Article III’s
standing requirement. The court focused its analysis on the Supreme Court’s
decision in Clapper v. Amnesty International USA and held that the “chain
of possibilities” that could connect the data theft to personal injury was
too “attenuated” based on the allegations in the lawsuits. Beck, No.
15-1395, at 20. The court explained that it would have to assume that the
thief stole the computer or records in order to obtain the personal
information contained in them. Id. And, it would have to further assume
that the thief would steal the named plaintiffs’ particular data from the
vast trove available to them. Id. The court refused to make these
assumptions, despite the fact that the plaintiffs introduced some data
showing that they were at a generally increased risk of future theft. Id.
at 21-22. Critically, and in contrast to the Seventh Circuit, the court
refused to “infer a substantial risk of harm of future identity theft from
an organization’s offer to provide free credit monitoring services to
affected individuals.” Id. at 22.

Perhaps softening the circuit split recognized by the panel, see id. at
16-17, the court noted differences between the Beck lawsuits and other
cases in which federal courts of appeals found that plaintiffs had alleged
an injury-in-fact following a data breach. The plaintiffs did not allege
that thieves had “intentionally targeted the personal information
compromised in the data breaches,” or that any named plaintiff’s personal
information had been “misuse[d] or access[ed] . . . by the thief.” Id. at
18. One named plaintiff in the Beck lawsuit did allege that three
unauthorized credit card charges had appeared on her account, but she
failed to attribute those unauthorized charges to the data breach. Id. at
19 n.6. In fact, the court doubted the plaintiff could connect the two
since “the data on the stolen laptop did not contain any credit card or
bank account information.” Id. The court also rejected the plaintiffs’
attempt to use their own expenditures on future credit monitoring services
to create an injury-in-fact. The court stated that such “self-imposed harms
cannot confer standing.” Id. at 23.

Further cases that could impact this split are pending before the Second
Circuit and the D.C. Circuit, and so this issue seems to be one that
inevitably will need to addressed by the Supreme Court. Until then, the
class actions may be filed more often in those circuits that have been more
lenient in finding potential harms from data breaches.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170410/b0fafe1c/attachment.html>