Published by The Lawfare Institute
If your personal information is released but never misused, can you sue the company that was supposed to keep it safe? Some federal circuits say no; others say yes. A new cert petition in Attias v. CareFirst, seeking review of the D.C. Circuit’s decision to allow one such lawsuit to proceed, argues that it is time for the Supreme Court to decide.
When bringing suit against a company, victims of data breaches must show that they have standing to sue. The standing requirement comes from Article III of the Constitution, which limits the federal judicial power to certain “cases” and “controversies.” In our system, federal courts exist only to resolve disputes between parties and should not make theoretical pronouncements about the law. The Supreme Court has set out three requirements to make sure this constitutional bar is met. A plaintiff has standing to sue only if she has “(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” The hard question for data breach victims is whether they can satisfy the first prong: injury in fact.
They probably can if they can show that someone has misused their personal information. The vast majority of data breach victims, however, are not yet victims of identity theft or other misuse. These victims worry about the consequences of a data breach. But does the theft of their information, along with their worry, satisfy the injury-in-fact requirement?
The answer isn’t clear.
Theory of Harm
The circuits’ approaches generally turn on their receptivity to a “future harm” theory of standing—that is, that the “substantial risk of harm” caused by a data breach is itself injury enough for standing. One notable exception is the Third Circuit. It rejects the future-harm theory but embraces a broad conception of standing for disclosures of statutorily protected data. Any such breach is itself an injury in fact, “whether or not the disclosure . . . increased the risk of . . . future harm.” Plaintiffs may not rely on the “risk of harm” argument to bring their common law claims, however.
Most of the remaining circuits have neither categorically embraced nor categorically rejected the future-harm theory. The reason is twofold: First, the courts that have considered the question have tended toward a fact-specific approach, often making assessments about the magnitude of the risks plaintiffs face given the details of each breach. Second, the question has rarely been presented to a circuit more than once, so it is hard to predict how a court might apply (or find reason to distinguish) a prior panel’s reasoning to a different set of facts.
Still, some circuits are considerably more sympathetic to the future-harm argument than others, and the variance among their approaches can be (and has been) characterized as circuit discord or disarray, if not a clean split. Thus far, the Sixth, Seventh and D.C. Circuits have found standing in data breach actions based on the risk of future harm. The Second, Fourth and Eighth have denied standing on the basis of the same theory.
Because the facts of each breach vary widely from case to case, and because there are only a few cases to begin with, the circuits’ approaches cannot be organized around a clear set of pivotal questions. A circuit that denied standing in one data breach case might well have found a risk of future harm to be an injury in fact in a different case, given more compelling facts. But insofar as there are key factors guiding the courts’ decisions, they are as follows:
Nature of attack. Some circuits will find that a “substantial risk of harm”—and therefore an injury in fact—exists “by virtue of the hack and the nature of the data” stolen. As the Seventh Circuit has put it in Remijas v. Neiman Marcus, and as the D.C. Circuit echoed in CareFirst, if hackers did not have an ability and intent to harm plaintiffs, “[w]hy else would [they] break into a . . . database and steal consumers’ private information?”
But the fact of an attack alone does not seem to establish an irrebuttable presumption of injury. In the cases mentioned, the courts emphasized supporting facts to bolster their findings that plaintiffs had standing. For example, the Seventh Circuit, in the context of the theft of credit card numbers, pointed to the fact that thousands of putative class members (though less than 3 percent) had already reported fraudulent charges. The D.C. Circuit supported its presumption by looking to compelling facts about the amount and type of data targeted in a health insurance breach (names, birthdates, social security numbers, medical information, and credit card numbers). The more plaintiffs can point to the “ill intentions” of hackers as evidence of the risk of harm, the more likely they are to persuade the court to grant the presumption.
Amount of time since breach. Whether or not a circuit accepts a presumption in favor of plaintiffs, the passage of time without injury can serve as evidence that no substantial risk of harm exists, and may weaken even a strong presumption in plaintiffs’ favor. For instance, the Fourth Circuit based its denial of standing in Beck v. McDonald on the fact that after years of “extensive discovery,” plaintiffs could produce no evidence that medical information stolen from a Veterans Affairs hospital had been misused. “As the breaches fade further into the past,” the court argued, the threat of injury “become[s] more and more speculative.” On the other hand, the D.C. Circuit was not persuaded by this reasoning when it allowed an action against a health insurance company to proceed, even though the plaintiffs had “not suffered any identity theft or other harm in more than three years since the breach.”
Whether plaintiffs have incurred costs to mitigate the risk of harm. Victims of data breaches will sometimes take measures, such as paying for credit monitoring, to reduce their susceptibility to identity theft. Let’s call this the economic-costs-of-monitoring theory. There is a clear circuit split on whether courts should take these costs into account in the injury-in-fact analysis. The Sixth Circuit held in Galaria v. Nationwide that the combination of theft by “ill-intentioned criminals” and reasonable mitigation costs amounts to an injury in fact. “Where a data breach targets personal information . . . it would be unreasonable to expect Plaintiffs to wait for actual misuse . . . before taking steps to ensure their own personal and financial security,” concluded the court. The Second Circuit signaled its receptivity to this economic-costs-of-monitoring theory in Whalen v. Michaels Stores, even though it denied standing in the particular case before it. Because the plaintiff had failed to provide any details about the time and effort she had spent protecting herself in the aftermath of the breach, the court rejected her claim that she had incurred costs to mitigate the harm. But with more details about the costs and their reasonableness, a plaintiff in the Second Circuit could perhaps successfully allege an injury based on actual economic harm. Not so in the Fourth and Eighth. Courts in those circuits have ruled that any costs plaintiffs incurred in “protecting themselves against [a] speculative threat” were “self-imposed harms [that could] not confer standing.”
Supreme Court Review
The defendants in Attias v. CareFirst have petitioned the Supreme Court to review the appeals court’s finding of standing. They ask the court to clarify whether (and in what circumstances) a data breach can create an injury in fact based on a “substantial risk of harm that is not imminent and where the alleged future harm requires speculation about the choices of third-party actors not before the court.” The D.C. Circuit granted a stay of its ruling pending the outcome of the defendants’ petition for review.
Dozens of plaintiffs across the country have filed lawsuits against Equifax in response to the data breach the company disclosed on Sept. 7. The federal court system has a mechanism for consolidating lawsuits that, like these, share common factual questions. Last week, the Judicial Panel on Multidistrict Litigation ordered the cases consolidated into what is called a multidistrict litigation (MDL) and transferred them to Judge Thomas Thrash in Equifax’s home district, the Northern District of Georgia, which sits within the Eleventh Circuit. The judge will preside over the consolidated action and will make decisions about pretrial matters, such as standing, that are common to all of the cases.
What does this mean for the plaintiffs? The Eleventh Circuit has not yet spoken definitively on the future-harm theory in the data-breach context. But in the closest case on point, Resnick v. AvMed, it applied the economic-costs-of-monitoring theory accepted by the Sixth Circuit and rejected by the Fourth and Eighth. In this 2012 class action, unidentified thieves stole AvMed laptops containing plaintiffs’ names, social security numbers, health information, and addresses. The named plaintiffs had their identities stolen months after the breach, but many class members did not. The court found standing based on the plaintiffs’ incurred costs. It observed that “some of [its] sister Circuits have found that even the threat of future identity theft is sufficient to confer standing,” but because the named plaintiffs had alleged “only actual—not speculative—identity theft,” the court did not need to rule on the future-harm issue.
Judge Thrash has followed suit, applying the Eleventh Circuit’s reasoning to a case that more closely resembles the Equifax suit. Last year, in another MDL, he found that the plaintiffs, a group of financial institutions, had standing to sue Home Depot for a breach of customer credit card information: the plaintiffs’ “reasonable mitigation costs” in response to the “substantial risk that . . . harm will occur” were “not speculative and . . . not threatened future injuries,” but rather “actual, current, monetary damages.” Though the plaintiffs in that case were financial institutions, not individual customers, the ruling is nonetheless quite promising for Equifax plaintiffs who have not yet been victims of identity theft, provided they can allege monetary damages, such as the cost of post-breach credit monitoring.