Injury In Hack?

In 2016, the number of American consumers impacted by identity theft rose to 15.4 million from 13.1 million in 2015. Eighty-five percent of identity theft victims do not realize their identity has been stolen for a year or longer; and, according to a study completed in 2006, only 0.14% of identity thieves are ever caught.

Unfortunately for these millions of Americans, circuit courts are split over whether threat of future identity theft satisfies the “imminent injury-in-fact” requirement for Article III standing. Article III standing requires: (1) concrete, imminent injury-in-fact; (2) proximate causation; and (3) redressability. The split concerns the meaning of “imminent” within the injury-in-fact requirement.

Clapper v. Amnesty International

The primary case cited by courts on both sides of the issue is Clapper v. Amnesty International. In Clapper, the Supreme Court ruled that an “objectively reasonable likelihood” a future injury will be suffered by the plaintiff is insufficient for Article III standing, and that costs incurred to mitigate speculative harm do not satisfy the injury-in-fact requirement for standing. However, the court stopped short of ruling plaintiffs must prove that the harm will certainly occur. In some cases, “substantial risk” the injury will occur is sufficient.

The Splits

Does increased risk of identity theft qualify as a “substantial risk,” satisfying the imminent injury-in-fact requirement for Article III standing?

To Stand….

The Sixth, Seventh, and Ninth Circuits have held increased threat of identity theft qualifies as an imminent injury-in-fact. Moreover, these courts have held that costs incurred in response to this imminent injury qualify as a present injury-in-fact.

The Sixth and Seventh Circuits rest their decisions on a broad reading of Clapper. The Ninth Circuit decision was made prior to the Supreme Court’s ruling. These courts consider the increased threat to identity theft to satisfy the “substantial risk” standard for injury-in-fact.

In addition to a broad interpretation of Clapper, these courts distinguish the increased threat of identity fraud from the plaintiffs’ claims in Clapper. Primarily, the plaintiffs know their information has been stolen. In contrast, the plaintiffs in Clapper only suspected their conversations were being record. Costs are incurred from a breach of personal information in both cases, but, these courts distinguish the costs incurred to prevent identity theft from the costs incurred by the Clapper plaintiffs. Because the harm in Clapper was purely speculative, the costs incurred therefrom were merely to mitigate tenuous harm. However, if the increased threat of identity theft is not a speculative harm, costs incurred to mitigate should qualify as present injury.

From a public policy perspective, these courts feel it’s unfair to force plaintiffs to wait until their identities are stolen to sue.

Or Not to Stand….

The Third and Fourth Circuits have held increased threat of identity theft does not qualify as an imminent injury-in-fact. Additionally, these courts hold that costs incurred in response to a breach of data information is mitigation of a speculative harm and, under Clapper, not considered sufficient present injury-in-fact.

Both courts consider the increased threat of identity theft to be merely speculative until actual misuse of the personal information can be shown. The Fourth Circuit rests its decision on a narrow reading of Clapper. The Fourth Circuit considers the costs incurred by the identity-theft plaintiffs to be analogous to the costs incurred by the plaintiffs in Clapper, and therefore, determines that the costs are insufficient to satisfy the injury-in-fact requirement. Both courts feel that the plaintiffs’ claims require too many steps in the causal chain to qualify as “imminent.”

From a public policy perspective, these courts consider the slippery-slope of allowing some plaintiffs to sue on hypothetical future injuries, regardless of the likelihood that injury will occur.

Conclusion

Considering the alarming number of Americans affected by identity theft, this split should be resolved to inform citizens as to their legal rights following a data breach. Since few identity thieves are ever caught, litigating against those who are responsible for data breaches may be the only remedy available to those who identities are stolen. Therefore, clarity as to Article III standing must be resolved. On a broader scale, the underlying conflict in interpretation of the “substantial risk” standard following Clapper should also be resolved as this conflicting interpretations will only lead to more splits of this nature.