Two cases decided within the space of just a few weeks by the U.S. Court of Appeals for the Eighth Circuit and the District of Columbia Circuit show the difficulty courts have in evaluating whether plaintiffs in data breach class actions have standing to pursue their claims. These cases deepen what some consider an “existing circuit split regarding whether an increased risk of identity theft is an Article III injury.” Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384 (6th Cir.2016).
Whereas the Eighth Circuit in In re SuperValu, Inc. Customer Data Security Breach Litigation joined the First, Second, Third, and Fourth Circuits in finding alleged increased risk of future fraud and identity theft insufficient to establish standing, the D.C. Circuit in Attias v. CareFirst, Inc. joined the Sixth, Seventh, and Ninth Circuits in holding that such alleged increased risk can be sufficient for Article III standing at the pleading stage. To the extent there is a split in authority, that division is unlikely to be resolved soon. The U.S. Supreme Court recently denied a certiorari petition filed by the defendant in Attias, letting lower courts sort out whether plaintiffs’ allegations are enough to show an Article III injury.
Given the Supreme Court’s denial of certiorari and injury plaintiffs’ practice of filing suit immediately after the announcement of a new data breach without waiting for any purported injury to materialize, it is worth stepping back to consider the injury in fact requirement for Article III standing and the factors courts consider in assessing the future risk of harm following a data breach.
Analyzing Alleged Future Harm
The apparent split among the courts of appeal traces back to the Supreme Court’s jurisprudence on when an alleged harm is sufficiently imminent and concrete to satisfy the first element of constitutional standing: injury in fact. When considering whether an alleged future injury satisfies this requirement, the Supreme Courtin Clapper v. Amnesty International USAand other cases has held that the alleged future injury must be “certainly impending” or there must be a “substantial risk” that the alleged harm will occur. According to the Fourth Circuit, the courts of appeal “are divided” in applying these standards to putative class actions alleging future harm following a data breach.
Courts have correctly found that plaintiffs lack Article III standing where there is no alleged misuse of personal information traceable to the breach and where no alleged facts show that the breach was intentional and perpetrated to commit identity theft or fraud. In Reilly v. Ceridian Corp., for example, a hacker allegedly infiltrated defendant’s system and potentially gained access to the personal and financial information of thousands of individuals. But plaintiffs nonetheless failed to allege facts showing that the hacker read, copied, and understood their personal information or misused that information. The Third Circuit further noted that there was “no evidence that the intrusion was malicious or intentional.” The alleged increased risk of harm plaintiffs faced was “nothing more than speculation.” Any future harm depended on a string of “what ifs”—“if the hacker read, copied, and understood the hacked information, and if the hacker attempts to use the information, and if he does so successfully”—and was insufficient for standing. The Fourth Circuit in Beck v. McDonaldlikewise noted the lack of any allegations showing that unencrypted personal data on a stolen laptop had been improperly accessed or misused or that the thief intentionally targeted the laptops at issue “with the intent to steal” plaintiffs’ private information. The thefts, moreover, occurred several years before, making any threatened injury even more speculative with the passage of time. The court affirmed dismissal for lack of standing.
When plaintiffs do allege misuse of stolen data or intentional theft of that data, such allegations should not automatically satisfy the injury in fact requirement. Two decisions show how courts have appropriately found the risk of future harm still too attenuated to support standing. First, in Whalen v. Michaels Stores, Inc., the named plaintiff alleged that her credit card was used to make fraudulent purchases after she had used that card at one of defendant’s stores and credit card data was stolen from defendant in a breach. The plaintiff, however, said that she cancelled her card shortly thereafter and never claimed she was liable for any of the unauthorized purchases. The Second Circuit found that plaintiff did “not allege how she can plausibly face a threat of future fraud” given that “her stolen credit card was promptly canceled after the breach and no other personally identifying information—such as her birth date or Social Security number—is alleged to have been stolen.”
Second, the Eighth Circuit in In re SuperValu found that only one of 16 named plaintiffs alleged fraudulent use of his payment card following a breach of payment card information at defendant, and while the court held that this plaintiff could allege a “present” injury to establish standing, plaintiffs’ allegations regarding risk of “future” harm did not suffice. In particular, the Eighth Circuit found that apart from conclusory allegations about data breaches facilitating identity theft, plaintiffs relied on a 2007 Government Accountability Office Report to support standing. The statistics in that report, the panel explained, actually showed that data breaches were “unlikely to result in account fraud” and thus none of the plaintiffs could show any certainly impending or substantial risk of fraud in the future. The analysis in In re SuperValu shows why it is problematic to extrapolate the alleged misuse of personal data of one or more plaintiffs to show that other plaintiffs in the same action face an impending or substantial risk of future harm.
Some courts, however, appear to have extrapolated future risk of harm from alleged misuse of personal information or allegations regarding malicious attacker intent. For example, in Remijas v. Neiman Marcus Group, LLC, the Seventh Circuit found standing based in part on allegations that a number of payment cards exposed in the attack had been used fraudulently. The Seventh Circuit reached the same conclusion in Lewert v. P.F. Chang’s China Bistro, Inc., where one of the two named plaintiffs asserted that the same debit card he used at defendant’s restaurant was used in four fraudulent transactions following a breach of payment card data from defendant’s computer system. Similarly, the Sixth Circuit in Galaria v. Nationwide Mutual Insurance Co. found in that case that there was “no need for speculation” about the risk of future harm because plaintiffs alleged “that their data has already been stolen and is now in the hands of ill-intentioned criminals.” The plaintiffs alleged “the intentional theft of their data.”
The analysis underpinning these decisions in the Seventh and Sixth Circuits relied on problematic inferences about attacker motive and defendants’ conduct. These problematic inferences show why courts should not stretch to find an imminent or substantial risk of harm from a data breach.
Why Else Would Attackers Steal Information?
In holding that it was plausible to infer a substantial risk of future harm from plaintiffs’ allegations, the Remjias court posed a central question and answer to that question: “Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.” Other courts have repeated the same axiom. In Galaria, the Sixth Circuit explained that “w]here a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for the fraudulent purposes alleged in Plaintiffs’ complaint.”
The D.C. Circuit in Attias reiterated these points:
“Here, by contrast, an unauthorized party has already accessed personally identifying data on CareFirst’s servers, and it is much less speculative—at the very least, it is plausible—to infer that this party has both the intent and the ability to use that data for ill. As the Seventh Circuit asked, in another data breach case where the court found standing, ‘Why else would hackers break into a . . . database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.’ No long sequence of uncertain contingencies involving multiple independent actors has to occur before the plaintiffs in this case will suffer any harm; a substantial risk of harm exists already, simply by virtue of the hack and the nature of the data that plaintiffs allege was taken.”This may seem like common sense. However, the inference that hackers access personal data to misuse that data is not necessarily true. Data breaches may be perpetrated for reasons unrelated to identity theft. For example, it has been widely reported that the attacker behind the Office of Personnel Management data breach—which impacted the personal data of more than 20 million individuals—was a sophisticated group linked to the Chinese government. And the nature of the attacker is important. Data stolen in that breach does not appear to have been found for sale on illicit marketplaces, and government officials and analysts have described the purpose of the attack as unrelated to identity theft for commercial gain. The district court in In re U.S. Office of Personnel Management Data Security Breach Litigation found that the circumstances of the OPM attack made it “unable to rely on the presumption that animated the Attias and Remijas decisions.” The court found that plaintiffs failed to marshal “any facts” that would support an inference “that those behind this attack are likely to use the information for credit card fraud or identity theft purposes, that they are likely to make it available to other criminals for that purpose, or that the breach has enabled other bad actors to have greater access to the information than they did before.” “[I]t is not plausible,” the court concluded, “to infer that plaintiffs now face a substantial risk of identity theft based on the allegations in the complaint.” Reports that state-sponsored groups may have been behind other data breaches—including attacks on private sector firms that range from health care to information security companies—further underscores that a blanket inference about the motive of cyber attackers does not fit the different reasons why such attacks are launched.
Furthermore, even if such an inference were found to make more sense for certain types of data breaches, motive does not necessarily translate into future harm. The Whalen case is again illustrative. The plaintiff there never said she was held liable for any of the alleged unauthorized purchases on her credit card, which is consistent with zero liability policies for payment cards. The plaintiff also said she was able to cancel her credit card shortly after the allegedly fraudulent purchases, eliminating the risk of future unauthorized use of the credit card.
Credit Monitoring Concession?
In addition to assuming that attackers steal personal information to commit fraud, the Remijas court found it “telling” that the defendant in that case “offered one year of credit monitoring and identity-theft protection to all customers for whom it had contact information and who had shopped at their stores between January 2013 and January 2014.” According to the court, it was “unlikely” that defendant “did so because the risk is so ephemeral that it can safely be disregarded.” The court found that the offer of credit monitoring made it reasonable for plaintiffs to incur expenses to mitigate potential fraud, such as purchasing their own credit monitoring services. In Galaria, the Sixth Circuit similarly reasoned that defendant “seem[ed] to recognize the severity of the risk, given its offer to provide credit-monitoring and identity-theft protection for a full year.”
But it is not necessarily the case that victims of data breaches offer credit monitoring or other protections because impacted individuals are at a heightened risk of identity theft or other fraud. On the contrary, it has become standard practice to offer such protections following certain types of breaches, and there is not necessarily any correlation between free credit monitoring being offered and risk of future harm. For example, an individual impacted in a state-sponsored cyber attack may face a de minimis risk of future identity theft as a result of that attack but still be offered credit monitoring services. There are many reasons why entities that suffer breaches may decide to provide protection services to affected individuals, including giving those individuals peace of mind, regardless of whether the risk that their information might be misused in the future is negligible.
Other courts have appropriately rejected the reasoning in Remijas and Galaria. The Fourth Circuit in Beck “[d]ecline[d] to infer a substantial risk to harm of future identity theft from an organization’s offer to provide free credit monitoring services to affected individuals.” The court grounded this decision in an important policy rationale. “To adopt such a presumption,” the court explained, “would surely discourage organizations from offering these services to data-breach victims, lest their extension of goodwill render them subject to suit.” The Third Circuit in In re Horizon Healthcare Services Inc. Data Breach Litigationreached the same conclusion. The panel agreed with defendant that “its offer should not be used against it as a concession or recognition that the Plaintiffs have suffered injury. We share its concern that such a rule would ‘disincentive[ ] companies from offering credit or other monitoring services in the wake of a breach.’” This concern is underscored by the fact it has become the norm to offer these services across many different types of data breaches. The analysis in Beck and In re Horizon, coupled with the lack of connection between an offer of credit monitoring and future risk of harm, show why it does not make sense to infer that an offer of such services is tantamount to a concession of heightened risk of injury across the board.
There is no sign that the spate of lawsuits that follow the announcement of each new cyberattack is slowing. A core allegation in these suits is that plaintiffs have suffered a cognizable injury based on the threat of future harm. Consistent with Supreme Court precedent requiring actual, concrete injury, where plaintiffs have not alleged facts showing that their data has been misused or taken for fraudulent purposes, courts should find that plaintiffs lack Article III standing. Where data breach plaintiffs do make such allegations, courts should avoid problematic inferences about attackers’ motives and defendants’ willingness to provide credit monitoring and protection services after an attack. To the extent that courts draw such inferences, Defendants should consider whether to challenge them, including by pointing to information subject to judicial notice that shows that the data stolen in an attack is unlikely to be used for identity theft. Defendants can also consider whether to seek jurisdictional discovery with respect to plaintiffs’ standing as part of a “factual” standing challenge to the court’s ability to hear the case. And even if a court finds that plaintiffs have alleged enough facts to show Article III standing at the pleading stage, Defendants should not lose sight of potential standing challenges at subsequent stages of the litigation, particularly after some discovery has been taken.
To contact the editor responsible for this story: Donald Aplin at firstname.lastname@example.org
Adam Cooke is a senior associate in the privacy and cybersecurity practice group at Hogan Lovells LLP in Washington. Cooke helps companies navigate litigation challenges arising out of a cyberattack, a data privacy lawsuit, or a related government investigation and assists clients in all phases of privacy and data security litigation.