Sitting or Standing … Injury in Fact after a Data Breach?

The Issue

“If you live in the U.S. and breathe oxygen, there’s a good chance you may be impacted by the latest security breach [Equifax].” –CNN

A battle wages on between creative hackers and information security professionals, each struggling to outpace the other. Likely, most of us already have had personal or medical information leaked in one of several massive data breaches in recent years, possibly even today with the news coming out that five million Lord and Taylor and Saks Fifth Avenue customers had their information stolen. Until you are hit with identity theft, medical insurance fraud, or some other abuse of your data, your options are only to lock down credit reports and purchase identity theft insurance, then sit back and hope your personal information is not misused.

In the meantime, you are upset, you are worried, but so far it does not seem like the hackers have used your data.  For the sake of this article, we will call you an “Unharmed Victim.”   Do you have standing to sue?

In Fero v. Excellus Health Plan (W.D.N.Y. 2018), hackers gained access to Excellus’ computer network and the personal identity information (PII) of more than 10.5 million individuals; however, as far as the plaintiffs knew, the hackers had not yet used or misused their stolen data.

The Fero case highlights a wide split among the Circuit courts. In Fero, a district court found standing for Unharmed Victims of a data breach to sue, relying on the rationale of a recent unpublished Second Circuit case, Whalen v. Michaels Stores (2017). The Fero court cited to similar holdings in several other Circuits which found plaintiffs had standing based on an increased identity theft risk, including Galaria v. Nationwide (6th Cir. 2016), Remijas v. Neiman Marcus (7th Cir. 2015), and Attias v. Carefirst (D.C. Cir. 2017).

On the other hand, the Third, Fourth and Eighth circuits in Reilly v. Ceridian Corp. (3rd Cir. 2011), Beck v. McDonald (4th Cir. 2016) and In re: SuperValu Inc., Customer Data Security Breach Litigation (8th Cir. 2017), all declined to find standing in data breach cases wherein hackers had not yet used or misused plaintiffs’ stolen data.

The Standing Requirement

In Lujan v. Defenders of Wildlife (1992), the U.S. Supreme Court noted that a plaintiff bears the burden of establishing standing by demonstrating three elements: 1) an injury in fact; 2) fairly traceable to the challenged conduct of the defendant; and 3) likely to be redressed by a favorable judicial decision.

Further to the first element of Lujan, in Clapper v. Amnesty Int’l USA (2013), the U.S. Supreme Court stated that a plaintiff must allege an injury that is “concrete, particularized, actual or imminent…” and emphasized that a future injury must be “certainly impending,” rather than simply speculative.

In certain circuits, Unharmed Victims’ ability to establish standing by pleading an injury in fact is significantly more challenging than in other circuits.

The Split

The Fero court cites the Sixth, Seventh and D.C. Circuit in finding standing on the basis that an increased identity theft risk is sufficient to state an injury in fact.

Those three Circuit Courts could not find a reason why hackers would break into a database and steal consumers’ private information, if not intending harm. The courts reasoned that the most likely and obvious motivation for hackers was to use plaintiff’s PII nefariously or to sell it to someone who would.  The court in Fero adopted this rationale, especially because the PII stored on the Excellus networks was particularly valuable for committing identity theft and fraud.  “All of these injuries suffered by the Plaintiffs and Class Members are a direct and proximate result of the Excellus data breach and include … the imminent and certain impending injury flowing from fraud and identity theft posed by their PII and PHI being placed in the hands of unknown third parties.”

The Sixth Circuit went a step further by holding that the combination of theft by “ill-intentioned criminals” and the reasonable mitigation costs by the plaintiffs such as purchasing credit reporting services and frequently reviewing bank statements results in an injury in fact. “Where Plaintiffs already know they have lost control of their data, it would be unreasonable to expect plaintiffs to wait for actual misuse…before taking steps to ensure their own personal and financial security.”

On the other side of the split, the Third, Fourth and Eighth circuits have declined to grant standing to plaintiffs whose stolen data was not yet used or misused, saying the mere risk of identity theft is too speculative to constitute an injury, and therefore insufficient to constitute injury in fact.   Specifically, the Fourth Circuit argued against standing because as more and more time passed after the breach, with the plaintiffs still unable to produce evidence of their PII or PHI being misused, the threat of injury became more and more speculative.

The Fourth and Eighth Circuits argued against the mitigation of risk argument put forth by the Sixth Circuit and held that the costs plaintiffs incurred in “protecting themselves against this speculative threat cannot create injury” (8th Cir.)  and “self-imposed harms cannot confer standing.” (4th Cir.)

Notably, the D.C. Circuit flatly contradicts the more time, more speculation rationale put forth by the 4th Circuit and found the plaintiffs had standing, even though they had “not suffered any identity theft or other harm in more than three years since the breach.”

Looking Forward

On February 16, 2018, the U.S. Supreme Court denied certiorari to review an appeal of the D.C. Circuit’s decision to deny standing in Attias v. CareFirst.

Without Supreme Court guidance, the Sixth, Seventh, and D.C. circuits have now seemingly emerged as the clear forums of choice for data breach class actions.  Conversely, defendant companies will logically seek to consolidate data breach class actions in the Third, Fourth and Eighth Circuits.  There are other Circuits not mentioned in the Fero case that may widen the split on this issue.

Waive after Waive: Can the Government Waive a Challenge to Fourth Amendment Standing?

Background: Not All Standing is Done on the Same Legs

The most familiar idea of “standing” is based in Article III and is about whether someone can participate in the case at all. However, the term “standing” has attached itself to a narrower issue within Fourth Amendment law, despite then-Justice Rehnquist’s misgivings in Rakas v. Illinois.

Fourth Amendment standing is shorthand for the requirement that in a motion to suppress evidence from an unconstitutional search and seizure, the defendant must show that the search violated the defendant’s own personal rights of privacy, liberty, or possession. A defendant lacks Fourth Amendment standing if they attempt to suppress evidence based on the violation of someone else’s rights, for example, when a search of a car one does not own uncovers a gun that one, likewise, cannot lay claim to—the move not permitted in Rakas.

It is the responsibility of the government to bring a challenge to a defendant’s Fourth Amendment standing, but what happens when it does not do so at the district level? Is it waived in any future proceedings?

The Split

Two circuits have held that the government does not waive Fourth Amendment standing issues if it fails to raise them in district court: the First Circuit and the Eighth Circuit. The Eighth Circuit case on point, United States v. Rodriguez-Arreola, clearly states that the government does not waive a lack of Fourth Amendment standing based on a previous case pertaining to Article III standing, surely causing Chief Justice Rehnquist to spin uncontrollably in his grave:

The government cannot waive Rodriguez’s lack of standing, and therefore any argument based on waiver must fail…(“[I]t is elementary that standing relates to the justiciability of a case and cannot be waived by the parties.”).

On the other hand, seven circuits hold that the government does in fact waive Fourth Amendment standing challenges if it fails to raise them in district court, though some circuits are more lenient than others. This majority position is rooted in the idea that just because the word “standing” is involved, it does not implicate Article III jurisdictional issues—it views Fourth Amendment standing as simply shorthand for the substance of the Fourth Amendment.

Most of these circuits (namely, the Third, Fifth, Seventh, Tenth, and Eleventh) hold that the government may not raise an issue of Fourth Amendment standing for the first time on appeal. If the government fails to challenge Fourth Amendment standing on the district level, it amounts to a complete concession on the issue by the government.

The Ninth Circuit, in United States v. Paopao, gives the government some wiggle room, allowing challenges to Fourth Amendment standing to be raised for the first time on appeal. It makes clear in United States v. Ewing, however, that failure to place a challenge to Fourth Amendment standing in the appellate brief only to bring it up at oral argument is not a valid move, and amounts to a waiver of the challenge.

The latest circuit to join the waive-friendly bunch is the Sixth. United States v. Noble leans toward the Ninth Circuit’s holding, though it is not so lenient. The Sixth Circuit first criticizes the approach of the First and Eighth Circuits, noting:

“Fourth Amendment standing is akin to an element of a claim and does not sound in Article III. The government, like other litigants, therefore, can forfeit or waive an argument that defendants lack Fourth Amendment standing.”

Later, the Sixth Circuit lays out its own approach to waivability:

“[W]e would allow the government to raise an objection to a defendant’s Fourth Amendment standing for the first time on appeal, provided that the government can show that the defendant plainly lacked standing and that our failure to recognize it would “seriously affect…the fairness, integrity or public reputation of judicial proceedings.” …However, if the government fails to raise the issue in its opening brief on appeal, then the objection is waived.”

Looking Forward

While the Supreme Court has released opinions concerning Fourth Amendment standing, it has not explicitly stated whether the government waives the issue if it fails to bring it up in district court. Considering the precedent of Rakas, if the right mix of criminal procedures twists and turns its way up to the highest Court, it would not be unreasonable to wager on the path chosen by most circuits today. For what it’s worth, however, this blogger would like to see a reexamination of the general idea that a defendant cannot acquire Fourth Amendment standing without an interest in the property searched, especially when that unconstitutional search specifically targeted that defendant.

Injury In Hack?

In 2016, the number of American consumers impacted by identity theft rose to 15.4 million from 13.1 million in 2015. Eighty-five percent of identity theft victims do not realize their identity has been stolen for a year or longer; and, according to a study completed in 2006, only 0.14% of identity thieves are ever caught.

Unfortunately for these millions of Americans, circuit courts are split over whether threat of future identity theft satisfies the “imminent injury-in-fact” requirement for Article III standing. Article III standing requires: (1) concrete, imminent injury-in-fact; (2) proximate causation; and (3) redressability. The split concerns the meaning of “imminent” within the injury-in-fact requirement.

Clapper v. Amnesty International

The primary case cited by courts on both sides of the issue is Clapper v. Amnesty International. In Clapper, the Supreme Court ruled that an “objectively reasonable likelihood” a future injury will be suffered by the plaintiff is insufficient for Article III standing, and that costs incurred to mitigate speculative harm do not satisfy the injury-in-fact requirement for standing. However, the court stopped short of ruling plaintiffs must prove that the harm will certainly occur. In some cases, “substantial risk” the injury will occur is sufficient.

The Splits

Does increased risk of identity theft qualify as a “substantial risk,” satisfying the imminent injury-in-fact requirement for Article III standing?

To Stand….

The Sixth, Seventh, and Ninth Circuits have held increased threat of identity theft qualifies as an imminent injury-in-fact. Moreover, these courts have held that costs incurred in response to this imminent injury qualify as a present injury-in-fact.

The Sixth and Seventh Circuits rest their decisions on a broad reading of Clapper. The Ninth Circuit decision was made prior to the Supreme Court’s ruling. These courts consider the increased threat of identity theft to satisfy the “substantial risk” standard for injury-in-fact.

In addition to a broad interpretation of Clapper, these courts distinguish the increased threat of identity fraud from the plaintiffs’ claims in Clapper. Primarily, the plaintiffs know their information has been stolen. In contrast, the plaintiffs in Clapper only suspected their conversations were being recorded. Costs are incurred from a breach of personal information in both cases, but these courts distinguish the costs incurred to prevent identity theft from the costs incurred by the Clapper plaintiffs. Because the harm in Clapper was purely speculative, the costs incurred therefrom were merely to mitigate tenuous harm. However, if the increased threat of identity theft is not a speculative harm, costs incurred to mitigate should qualify as present injury.

From a public policy perspective, these courts feel it’s unfair to force plaintiffs to wait until their identities are stolen to sue.

Or Not to Stand….

The Third and Fourth Circuits have held increased threat of identity theft does not qualify as an imminent injury-in-fact. Additionally, these courts hold that costs incurred in response to a data breach are mitigation of a speculative harm and, under Clapper, not considered sufficient present injury-in-fact.

Both courts consider the increased threat of identity theft to be merely speculative until actual misuse of the personal information can be shown. The Fourth Circuit rests its decision on a narrow reading of Clapper. The Fourth Circuit considers the costs incurred by the identity-theft plaintiffs to be analogous to the costs incurred by the plaintiffs in Clapper, and therefore, determines that the costs are insufficient to satisfy the injury-in-fact requirement. Both courts feel that the plaintiffs’ claims require too many steps in the causal chain to qualify as “imminent.”

From a public policy perspective, these courts consider the slippery-slope of allowing some plaintiffs to sue on hypothetical future injuries, regardless of the likelihood that injury will occur.

Conclusion

Considering the alarming number of Americans affected by identity theft, this split should be resolved to inform citizens as to their legal rights following a data breach. Since few identity thieves are ever caught, litigating against those who are responsible for data breaches may be the only remedy available to those whose identities are stolen. Therefore, clarity as to Article III standing must be resolved. On a broader scale, the underlying conflict in interpretation of the “substantial risk” standard following Clapper should also be resolved, as these conflicting interpretations will only lead to more splits of this nature.