Sitting or Standing … Injury in Fact after a Data Breach?

The Issue

“If you live in the U.S. and breathe oxygen, there’s a good chance you may be impacted by the latest security breach [Equifax].” –CNN

A battle rages on between creative hackers and information security professionals, each struggling to outpace the other. Most of us likely have already had personal or medical information leaked in one of several massive data breaches in recent years, possibly even today, with the news coming out that five million Lord and Taylor and Saks Fifth Avenue customers had their information stolen. Until you are hit with identity theft, medical insurance fraud, or some other abuse of your data, your only options are to lock down your credit reports, purchase identity theft insurance, and then sit back and hope your personal information is not misused.

In the meantime, you are upset and you are worried, but so far it does not seem that the hackers have used your data. For the sake of this article, we will call you an “Unharmed Victim.” Do you have standing to sue?

In Fero v. Excellus Health Plan (W.D.N.Y. 2018), hackers gained access to Excellus’ computer network and the personal identity information (PII) of more than 10.5 million individuals; however, as far as the plaintiffs knew, the hackers had not yet used or misused their stolen data.

The Fero case highlights a wide split among the Circuit courts. In Fero, a district court found that Unharmed Victims of a data breach had standing to sue, relying on the rationale of a recent unpublished Second Circuit case, Whalen v. Michaels Stores (2017). The Fero court cited similar holdings in several other Circuits that found plaintiffs had standing based on an increased risk of identity theft, including Galaria v. Nationwide (6th Cir. 2016), Remijas v. Neiman Marcus (7th Cir. 2015), and Attias v. CareFirst (D.C. Cir. 2017).

On the other hand, the Third, Fourth and Eighth Circuits, in Reilly v. Ceridian Corp. (3rd Cir. 2011), Beck v. McDonald (4th Cir. 2016) and In re: SuperValu Inc., Customer Data Security Breach Litigation (8th Cir. 2017), all declined to find standing in data breach cases in which hackers had not yet used or misused the plaintiffs’ stolen data.

The Standing Requirement

In Lujan v. Defenders of Wildlife (1992), the U.S. Supreme Court noted that a plaintiff bears the burden of establishing standing by demonstrating three elements: 1) an injury in fact; 2) that is fairly traceable to the challenged conduct of the defendant; and 3) that is likely to be redressed by a favorable judicial decision.

Further to the first element of Lujan, in Clapper v. Amnesty Int’l USA (2013), the U.S. Supreme Court stated that a plaintiff must allege an injury that is “concrete, particularized, actual or imminent…” and emphasized that a future injury must be “certainly impending,” rather than simply speculative.

In certain Circuits, an Unharmed Victim’s ability to establish standing by pleading an injury in fact is significantly more challenging than in others.

The Split

The Fero court cites the Sixth, Seventh and D.C. Circuits in finding standing on the basis that an increased risk of identity theft is sufficient to state an injury in fact.

Those three Circuit Courts could not find a reason why hackers would break into a database and steal consumers’ private information if not intending harm. The courts reasoned that the most likely and obvious motivation for hackers was to use the plaintiffs’ PII nefariously or to sell it to someone who would. The court in Fero adopted this rationale, especially because the PII stored on the Excellus networks was particularly valuable for committing identity theft and fraud. “All of these injuries suffered by the Plaintiffs and Class Members are a direct and proximate result of the Excellus data breach and include … the imminent and certain impending injury flowing from fraud and identity theft posed by their PII and PHI being placed in the hands of unknown third parties.”

The Sixth Circuit went a step further, holding that the combination of theft by “ill-intentioned criminals” and the plaintiffs’ reasonable mitigation costs, such as purchasing credit reporting services and frequently reviewing bank statements, results in an injury in fact. “Where Plaintiffs already know they have lost control of their data, it would be unreasonable to expect plaintiffs to wait for actual misuse…before taking steps to ensure their own personal and financial security.”

On the other side of the split, the Third, Fourth and Eighth Circuits have declined to grant standing to plaintiffs whose stolen data had not yet been used or misused, holding that the mere risk of identity theft is too speculative to constitute an injury in fact. Specifically, the Fourth Circuit reasoned against standing because, as more and more time passed after the breach with the plaintiffs still unable to produce evidence of their PII or PHI being misused, the threat of injury became more and more speculative.

The Fourth and Eighth Circuits rejected the mitigation-of-risk argument put forth by the Sixth Circuit, holding that the costs plaintiffs incurred in “protecting themselves against this speculative threat cannot create injury” (8th Cir.) and that “self-imposed harms cannot confer standing” (4th Cir.).

Notably, the D.C. Circuit flatly contradicts the “more time, more speculation” rationale put forth by the Fourth Circuit and found that the plaintiffs had standing, even though they had “not suffered any identity theft or other harm in more than three years since the breach.”

Looking Forward

On February 16, 2018, the U.S. Supreme Court denied certiorari in Attias v. CareFirst, declining to review the D.C. Circuit’s standing decision.

Without Supreme Court guidance, the Sixth, Seventh, and D.C. Circuits have now seemingly emerged as the clear forums of choice for data breach class actions. Conversely, defendant companies will logically seek to consolidate data breach class actions in the Third, Fourth and Eighth Circuits. Other Circuits not mentioned in the Fero case may widen the split on this issue.

On Whose Authority? Authorized Access and Criminalized Computer Use under CFAA

It’s a close thing, when watching a crime drama, whether the makers of a show more thoroughly misunderstand the law or the use of computers. The fantasy of the hacker furiously typing as code streams down a computer screen, and the fantasy of the lawyer defying the judge to give a rousing speech and sway the jury, are equally illusory mainstays of network TV. Occasionally, however, law and computer technology do produce real drama. On January 13th, 2013, a young man named Aaron Swartz faced a lawsuit from the United States. Swartz, a student from MIT, had been accused of downloading over 4,000,000 articles from the online database JSTOR. According to the United States, Swartz had broken into a network closet at MIT and downloaded the majority of the JSTOR archives, which MIT had licensed, before sharing the millions of scholarly articles on various file-sharing websites. After his breach of the network was discovered, the United States filed suit. During the course of the litigation, after learning that he could face up to seven years in prison, Mr. Swartz committed suicide.

Though this is a dramatic example of information redistribution, many who are currently law students or young lawyers grew up committing, and continue to commit, routine criminal offenses on their computers. Anyone who ever downloaded a song over Napster or Limewire, got a free copy of Microsoft Office or Adobe Photoshop from a friend on a USB drive, or fought through hundreds of pop-up ads to watch a low-res version of a not-on-Netflix movie with a date has committed a crime. Commentators have often worried about statutes that criminalize large swaths of everyday behavior, creating a situation where most people receive no penalty while an arbitrary few face crushing consequences. One such statute under scrutiny is the Computer Fraud and Abuse Act, the statute under which Mr. Swartz was prosecuted.

The Split

The Computer Fraud and Abuse Act (CFAA) is codified at 18 U.S.C. § 1030. The CFAA criminalizes certain acts by those who have “knowingly accessed a computer without authorization or exceeding authorized access.” The question is, what constitutes authorized access? Courts have split over the proper definition. The narrow view, held by the Ninth and Fourth Circuits, interprets “exceeding authorized access” as referring only to restrictions on access to the data itself. The broader view, held by the First, Fifth, Seventh and Eleventh Circuits, interprets “exceeding authorized access” as referring to any use of the computer that was not authorized.

Typical of the narrow interpretation is U.S. v. Nosal (9th Cir. 2012). The defendant, David Nosal, was planning on leaving his contracting firm and starting a competing business. Along with associates, he obtained login credentials and downloaded source lists and other data from his employer to use in founding his own company. The Nosal opinion summarizes the split well:

This language can be read either of two ways: First, as Nosal suggests and the district court held, it could refer to someone who’s authorized to access only certain data or files but accesses unauthorized data or files—what is colloquially known as “hacking.” For example, assume an employee is permitted to access only product information on the company’s computer but accesses customer data: He would “exceed authorized access” if he looks at the customer lists. Second, as the government proposes, the language could refer to someone who has unrestricted physical access to a computer, but is limited in the use to which he can put the information. For example, an employee may be authorized to access customer lists in order to do his job but not to send them to a competitor.

After review, the Ninth Circuit upheld the reasoning of the district court, arguing both that the broad interpretation made the statute’s preceding “without authorization” clause redundant, and that the federal statute would then criminalize computer use too broadly:

Minds have wandered since the beginning of time and the computer gives employees new ways to procrastinate, by g-chatting with friends, playing games, shopping or watching sports highlights. Such activities are routinely prohibited by many computer-use policies, although employees are seldom disciplined for occasional use of work computers for personal purposes. Nevertheless, under the broad interpretation of the CFAA, such minor dalliances would become federal crimes. While it’s unlikely that you’ll be prosecuted for watching TV on your work computer, you could be. Employers wanting to rid themselves of troublesome employees without following proper procedures could threaten to report them to the FBI unless they quit. Ubiquitous, seldom-prosecuted crimes invite arbitrary and discriminatory enforcement.

The broader view can be found in cases like U.S. v. Rodriguez (11th Cir. 2010). Rodriguez found that an employee of the Social Security Administration who accessed personal information in the database without a business reason had violated the CFAA, as “the policy of the Administration is that use of databases to obtain personal information is authorized only when done for business reasons… In the light of this record, the plain language of the Act forecloses any argument that Rodriguez did not exceed his authorized access.”

Looking Forward

Many tech commentators continue to worry that the CFAA, interpreted as broadly as it is in the Rodriguez case, will, as the Ninth Circuit notes, criminalize even basic work slacking. Despite his win, the defendant Nosal found himself in court again in U.S. v. Nosal (9th Cir. 2016), or “Nosal II.” In this case, Mr. Nosal was found in violation of the CFAA, though the Ninth Circuit retained its narrow interpretation. Mr. Nosal appealed to the Supreme Court, which denied certiorari. Until the Supreme Court clarifies the CFAA, courts will continue to disagree on how broadly the statute should be interpreted, and on whether the use of a work computer “without a business reason,” like sneaking some Netflix in during company time, should be a federal crime.