“If you live in the U.S. and breathe oxygen, there’s a good chance you may be impacted by the latest security breach [Equifax].” –CNN
A battle rages on between creative hackers and information security professionals, each struggling to outpace the other. Most of us have likely already had personal or medical information leaked in one of several massive data breaches in recent years, possibly even today, with news breaking that five million Lord & Taylor and Saks Fifth Avenue customers had their information stolen. Until you are hit with identity theft, medical insurance fraud, or some other abuse of your data, your only options are to lock down your credit reports and purchase identity theft insurance, then sit back and hope your personal information is not misused.
In the meantime, you are upset, you are worried, but so far it does not seem like the hackers have used your data. For the sake of this article, we will call you an “Unharmed Victim.” Do you have standing to sue?
In Fero v. Excellus Health Plan (W.D.N.Y. 2018), hackers gained access to Excellus’s computer network and the personally identifiable information (PII) of more than 10.5 million individuals; however, as far as the plaintiffs knew, the hackers had not yet used or misused their stolen data.
The Fero case highlights a wide split among the Circuit courts. In Fero, a district court found that Unharmed Victims of a data breach had standing to sue, relying on the rationale of a recent unpublished Second Circuit case, Whalen v. Michaels Stores (2017). The Fero court cited similar holdings in several other Circuits that found plaintiffs had standing based on an increased risk of identity theft, including Galaria v. Nationwide (6th Cir. 2016), Remijas v. Neiman Marcus (7th Cir. 2015), and Attias v. CareFirst (D.C. Cir. 2017).
On the other hand, the Third, Fourth and Eighth Circuits, in Reilly v. Ceridian Corp. (3d Cir. 2011), Beck v. McDonald (4th Cir. 2017) and In re SuperValu, Inc., Customer Data Security Breach Litigation (8th Cir. 2017), all declined to find standing in data breach cases where hackers had not yet used or misused the plaintiffs’ stolen data.
The Standing Requirement
In Lujan v. Defenders of Wildlife (1992), the U.S. Supreme Court noted that a plaintiff bears the burden of establishing standing by demonstrating three elements: 1) an injury in fact; 2) fairly traceable to the challenged conduct of the defendant; and 3) likely to be redressed by a favorable judicial decision.
On the first element of Lujan, in Clapper v. Amnesty Int’l USA (2013), the U.S. Supreme Court stated that a plaintiff must allege an injury that is “concrete, particularized, actual or imminent…” and emphasized that a future injury must be “certainly impending,” rather than merely speculative.
In certain Circuits, it is significantly harder for Unharmed Victims to establish standing by pleading an injury in fact than it is in others.
The Fero court cites the Sixth, Seventh and D.C. Circuits, which found standing on the basis that an increased risk of identity theft is sufficient to state an injury in fact.
Those three Circuit Courts could not find a reason why hackers would break into a database and steal consumers’ private information if they did not intend harm. The courts reasoned that the most likely and obvious motivation for the hackers was to use the plaintiffs’ PII nefariously or to sell it to someone who would. The court in Fero adopted this rationale, especially because the PII and protected health information (PHI) stored on the Excellus networks was particularly valuable for committing identity theft and fraud. “All of these injuries suffered by the Plaintiffs and Class Members are a direct and proximate result of the Excellus data breach and include … the imminent and certain impending injury flowing from fraud and identity theft posed by their PII and PHI being placed in the hands of unknown third parties.”
The Sixth Circuit went a step further by holding that the combination of theft by “ill-intentioned criminals” and the reasonable mitigation costs by the plaintiffs such as purchasing credit reporting services and frequently reviewing bank statements results in an injury in fact. “Where Plaintiffs already know they have lost control of their data, it would be unreasonable to expect plaintiffs to wait for actual misuse…before taking steps to ensure their own personal and financial security.”
On the other side of the split, the Third, Fourth and Eighth Circuits have declined to find standing for plaintiffs whose stolen data had not yet been used or misused, holding that the mere risk of identity theft is too speculative to constitute an injury in fact. The Fourth Circuit in particular reasoned that as more time passed after the breach with the plaintiffs still unable to show that their PII or PHI had been misused, the threat of injury became ever more speculative.
The Fourth and Eighth Circuits also rejected the risk-mitigation argument adopted by the Sixth Circuit, holding that the costs plaintiffs incurred in “protecting themselves against this speculative threat cannot create injury” (8th Cir.) and that “self-imposed harms cannot confer standing” (4th Cir.).
Notably, the D.C. Circuit flatly contradicts the Fourth Circuit’s “more time, more speculation” rationale and found that the plaintiffs had standing even though they had “not suffered any identity theft or other harm in more than three years since the breach.”
On February 16, 2018, the U.S. Supreme Court denied certiorari to review the D.C. Circuit’s decision finding standing in Attias v. CareFirst.
Without Supreme Court guidance, the Sixth, Seventh and D.C. Circuits have emerged as the forums of choice for plaintiffs bringing data breach class actions. Conversely, defendant companies will logically seek to consolidate data breach class actions in the Third, Fourth and Eighth Circuits. Other Circuits not mentioned in the Fero case may widen the split on this issue further.