[BreachExchange] Standing In Data Breach Class Actions: The Fourth Circuit Weighs In, Affirming Dismissal For Lack Of Subject Matter Jurisdiction

Fri Feb 24 20:05:55 EST 2017

http://www.jdsupra.com/legalnews/standing-in-data-
breach-class-actions-44554/

The U.S. Court of Appeals for the Fourth Circuit issued a unanimous opinion
in Beck v. McDonaldon February 6, 2017, clarifying the standard for Article
III standing and what constitutes sufficient injury-in-fact in putative
data breach class actions. Plaintiffs’ claims were based on the Dorn VA
Medical Center’s (“VAMC”) loss of a laptop computer containing the
unencrypted, confidential patient information of 7,400 patients and the
loss of file boxes containing the confidential information of 2,000
hospital patients. The laptop computer and files, which have still not been
found, contained patient names, social security numbers, medical diagnoses,
and other identifiable patient information such as gender, race, and
treating physician’s name. After the loss was discovered, VAMC officials
notified affected patients of the incident and provided each with one year
of free credit monitoring.

The case involves the consolidated appeal of two putative class actions
filed by military veterans who received medical treatment at VAMC in
Columbia, South Carolina. Plaintiffs sought both monetary damages and
injunctive relief, asserting claims under the Privacy Act of 1974, 5 U.S.C.
§ 552(a) et seq. and the Administrative Procedures Act (“APA”), 5 U.S.C. §
701 et seq.

In both cases, the plaintiffs attempted to establish Article III standing —
and in particular injury-in-fact — based on a long list of potential
damages that could arise as a result of VAMC’s loss of patient information,
including “embarrassment, inconvenience, unfairness, mental distress, and
threat of current and future substantial harm from identity theft or misuse
of their personal information.” Plaintiffs further contended that the
increased risk of identity theft or healthcare fraud required them to take
costly and time-consuming affirmative actions in order to protect
themselves, such as frequently reviewing bank statements and credit
reports, and that these reciprocal actions also constituted injury-in-fact.

In Beck, filed first, the district court denied the defendants’ first
motion to dismiss, permitting discovery to allow the plaintiffs an
opportunity and more time to establish sufficient injury-in-fact. After
extensive discovery, the district court granted the defendants’ renewed
motion to dismiss for lack of subject matter jurisdiction, holding that the
Beck plaintiffs lacked standing because they had “not submitted evidence
sufficient to create a genuine issue of material fact as to whether they
face a ‘certainly impending’ risk of identity theft.” The district court
then dismissed Watson v. McDonald, a case filed after Beck, applying the
same line of reasoning but without permitting discovery. Plaintiffs in both
cases appealed the district court’s findings of no injury-in-fact to the
Fourth Circuit.

The Fourth Circuit affirmed the dismissal of both cases for lack of subject
matter jurisdiction, holding that the plaintiffs’ alleged harm was too
speculative and hypothetical to establish the required “certainly
impending” injury-in-fact for standing. The court affirmed the
determination that the plaintiffs’ fear of harm based on higher risk of
future identity theft was too speculative to confer standing because it was
“contingent on a chain of attenuated hypothetical events and actions by
third parties independent of the defendants.”

The case offers some insight for those facing potential data breach
litigation, particularly in the putative class action context. Although not
all federal circuit decisions are in perfect harmony with regard to what
constitutes sufficient injury-in-fact for Article III standing, an apparent
consensus has emerged requiring plaintiffs to demonstrate something more
than harm based on a fear of future, uncertain, or speculative injury. And
while courts have recognized the possibility that risk of future harm could
establish sufficiently concrete harm for standing purposes, the risk must
be substantial and the harm “certainly impending.” According to the Fourth
Circuit, “common allegations that suffice[] to push the threatened injury
of future identity theft beyond the speculative to the sufficiently
imminent” underlie cases finding concrete harm based on risk of future harm.

In addition, the Fourth Circuit’s opinion is a reminder that defendants
should not give up on motions to dismiss for lack of subject matter
jurisdiction — here, the Fourth Circuit noted approvingly the district
court’s decision in Beck to deny the defendants’ first motion to dismiss,
giving the plaintiffs more time and opportunity to demonstrate harm
sufficient for standing. But, the plaintiffs could not make such a showing.
The Fourth Circuit considered the passage of time since the loss of
information as significant to its decision: “[A]s the breaches fade further
into the past, the plaintiffs’ threatened injuries become more and more
speculative.” Lack of subject matter jurisdiction is non-waivable and, as
such, is an issue that can be raised at any time in federal court
proceedings — even for the first time on appeal. If plaintiffs have not
established Article III standing with concrete injury-in-fact, defendants
may at any time move for dismissal on that basis.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170224/eed3d149/attachment.html>