[BreachExchange] 8th Circuit adds to data breach litigation uncertainty, ahead of SCOTUS petition

Tue Sep 5 20:12:22 EDT 2017

https://www.reuters.com/article/us-otc-databreach/8th-
circuit-adds-to-data-breach-litigation-uncertainty-ahead-of-scotus-petition-
idUSKCN1BC5OJ

U.S. appellate courts cannot seem to make up their minds about whether data
breach victims have the right to sue in federal court. Some, as I’ll
explain, have ruled that the risk of identity theft is sufficiently
concrete to meet constitutional standing requirements. Others have held
that risk to be too speculative to give breach victims a right to sue. This
week, the 8th U.S. Circuit Court of Appeals weighed in, reviving a class
action against SuperValu Inc, with a whole new appellate interpretation of
standing in data breach litigation.

The 8th Circuit opinion doesn’t simply deepen the split amongst the
circuits but digs a new trench. The decision adds to ongoing appellate
uncertainty about standing in data breach litigation, just as the defendant
in a recently decided data breach case in the District of Columbia moved
for a stay so it can bring the issue to the U.S. Supreme Court.

Until this week’s 8th Circuit ruling, federal appeals courts have focused
on data breach victims’ risk of identity theft or credit card fraud. In a
landmark decision in 2015, the 7th Circuit upended conventional wisdom when
it ruled in Remijas v. Neiman Marcus that the risk alone is substantial
enough to grant constitutional standing to people whose information has
been hacked. As Kevin LaCroix recently detailed at the D&O Diary, the 3rd
and 6th Circuits subsequently reached the same conclusion.

Most recently, the D.C. Circuit held on Aug. 1 that CareFirst policyholders
have standing to sue over a 2014 breach of the insurer’s computers. Hackers
allegedly stole data including not just identifying information about
CareFirst subscribers, such as birthdates and email addresses, but also
credit card and social security numbers. The appeals court said the theft
gave rise to a substantial risk for breach victims, “simply by virtue of
the hack and the nature of the data that the plaintiffs allege was taken.”

The 2nd and 4th Circuits, however, have both ruled this year that the risk
is not sufficiently imminent or concrete to meet the tests the Supreme
Court laid out in 2013’s Clapper v. Amnesty International and 2016’s Spokeo
v. Robins. The 2nd Circuit’s decision in Whalen v. Michaels Stores is just
a summary order, but the 4th Circuit’s published opinion in Beck v.
McDonald concluded that the link between data theft and potential harm to
people whose information was stolen is too attenuated to establish standing.

The 8th Circuit actually agreed with that reasoning in this week’s
SuperValu decision, written by Judge Jane Kelly for a panel that also
included Judges Lavenski Smith and Steven Colloton. The SuperValu breach
did not expose social security numbers, birthdates or driver’s license
numbers, the court said. Without that information, the court concluded,
it’s unlikely that hackers could steal victims’ identities, so plaintiffs
in the class action could not rely on the risk of imminent harm to
establish their right to sue.

But one of the named plaintiffs in the case claimed that after the data
breach, someone used his credit card to make an unauthorized purchase – and
the 8th Circuit said his allegation of misuse was a concrete injury that
met constitutional standing requirements for the class action. SuperValu’s
lawyers at Ropes & Gray argued there was no evidence the supposedly
unauthorized purchase was the result of the SuperValu hack, but the 8th
Circuit said the allegation is enough to establish standing. Causation
arguments, the opinion said, are more appropriate for a dismissal motion.

By holding that a supposedly unauthorized use of a data breach victim’s
information establishes standing regardless of whether that use was
actually the result to the breach, the 8th Circuit seems to me to have
opened a new door for data breach class actions. (SuperValu lawyer Harvey
Wolkoff of Ropes & Gray declined to comment.)

So far, according to Westlaw records, the Supreme Court has considered only
one data breach petition, from the 4th Circuit case I mentioned above. The
justices denied review last June. But based on a motion in the CareFirst
case at the D.C. Circuit, the court will have another chance to consider
standing in data breach class actions in the upcoming terms.

CareFirst’s lawyers at Eversheds Sutherland asked the appeals court to stay
its mandate reviving the policyholders’ class action for 90 days so the
insurer can file a petition for Supreme Court review. Its motion argued
there’s a good likelihood the Supreme Court will take the case “to guide
courts in sorting out the claims of truly injured victims of data breaches
from those who file class actions without being able to allege that any
harm is real or immediate.”

The stakes are going up in cyber breach cases. Anthem agreed in June to pay
a record $115 million to settle a class action in federal court in San
Jose. The judge who presided over the Anthem case, U.S. District Judge Lucy
Koh, just this week refused to dismiss gargantuan consolidated data breach
class actions against Yahoo. As cyber attacks proliferate, the threshold
issue of standing becomes ever more important – and sooner than later, the
Supreme Court is going to have to get involved.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170905/f708d884/attachment.html>