In today’s highly digital age, data breaches are increasing at an alarming pace, not only in terms of frequency, but also in severity. Consequently, companies large and small are now facing the tough reality that it is no longer a matter of “if,” but rather “when” a company’s network will be breached.
For years, data breach defendants have experienced fairly widespread success in obtaining dismissals of class-action litigation on grounds that the claimants in these lawsuits are unable to establish a sufficient “injury in fact” to satisfy the standing requirements of Article III. In the past few years, however, this once robust defense to class-action lawsuits arising in the wake of a data breach has eroded considerably as a result of several key federal appellate court decisions.
But, in 2017, the Fourth Circuit Court of Appeals weighed in on the issue in Beck v. McDonald, halting the recent trend toward a more relaxed standard for establishing an actionable injury in fact and instead holding that the risk of future identity theft stemming from a data breach, without more, is inadequate to demonstrate a sufficient injury in fact to confer Article III standing.
The decision is a noteworthy one, as Beck deepens the divide among federal circuit courts regarding the level of proof that is required to establish Article III standing in the context of data breach class-action litigation and, more specifically, whether the increased risk of identity theft alone is adequate to demonstrate a cognizable injury in fact.
Beck involved a consolidated appeal of two class-action lawsuits filed by veterans who received medical care at the William Jennings Bryan Dorn Veterans Affairs Medical Center (Dorn VAMC) in Columbia, South Carolina. After two data breaches at Dorn VAMC—one involving the theft of a laptop (the Beck lawsuit) and the other involving the theft of four boxes of pathology reports (Watson v. McDonald)—the plaintiffs claimed that their personal information was compromised and brought two separate class-action lawsuits against the Secretary of Veterans Affairs Robert McDonald and Dorn VAMC officials.
On appeal, the Fourth Circuit was tasked with resolving the question of whether the plaintiffs had alleged a sufficient injury-in-fact to clear the Article III standing hurdle. The court answered that in the negative, holding that the plaintiffs failed to establish a non-speculative, imminent injury-in-fact sufficient to confer Article III standing.
First, the Fourth Circuit concluded that the threat of future harm alleged in that case was too speculative to satisfy the “certainly impending” standard recognized by the Supreme Court in Clapper v. Amnesty International USA. In doing so, the Fourth Circuit refused to adopt the more lenient standard for establishing an Article III injury in fact utilized recently by several federal courts of appeal to find standing in favor of data breach class-action plaintiffs.
Instead, the Fourth Circuit chose to distinguish the decisions of the Sixth, Seventh, and Ninth Circuits—all of which found that the plaintiffs could establish an injury in fact based on mere threatened harm—by highlighting the fact that, in those three cases, the data thief intentionally targeted the personal information compromised in the data breaches, which sufficed to push the threatened injury of future identity theft beyond the speculative to the sufficiently imminent. Conversely, the Beck plaintiffs made no such claims, rendering their contention of an enhanced risk of future identity theft too speculative to establish Article III standing.
Importantly, the Fourth Circuit—contrary to some of its sister circuits—declined to infer a substantial risk of harm of future identity theft from an organization’s offer to provide free credit monitoring services to affected individuals. To adopt such a presumption, the court concluded, would “surely” discourage organizations from offering these services to data breach victims, lest their extension of goodwill render them subject to suit.
Finally, the court rejected the plaintiffs’ argument that they suffered an injury in fact because they had incurred, or would incur in the future, the cost of measures to guard against identity theft, including the costs of credit monitoring services. In doing so, the court noted these “self-imposed harms” in the form of costs incurred in response to a speculative threat—i.e., their fear of future harm—was insufficient to confer standing.
In Beck, the Fourth Circuit refused to continue the recent trend of other federal appellate courts in significantly lowering the bar for demonstrating a cognizable injury in fact for purposes of establishing Article III standing in data breach class-action litigation.
Importantly, the Fourth Circuit disagreed with other recent federal appellate court decisions that have allowed a “substantial risk” of harm of future identity theft to be inferred—thus conferring standing—based merely on a data breach defendant’s decision to offer credit monitoring services to those impacted by the breach, as doing so would unjustly penalize companies that were simply trying to help mitigate any potential harm after the breach occurred.
In addition, the Beck court also rejected the plaintiffs’ attempt to establish standing based on mitigation costs incurred by those impacted by the breach, reasoning that such “self-imposed harms” in response to a “speculative threat” of future harm falls short of establishing standing. Rather, in order to establish standing pursuant to Beck, data breach plaintiffs must demonstrate that their personal sensitive information was targeted and intentionally stolen by those perpetrating the data theft in order to satisfy the injury in fact requirement for purposes of Article III standing. Consequently, Beck raises the bar in terms of the necessary showing that must be made to establish standing in data breach class-action litigation, going well beyond what was found to be sufficient to confer standing by the Sixth and Seventh Circuits in the wake of Clapper.
Ultimately, the Beck decision only adds to the growing divide among the federal courts of appeal concerning the requirements for demonstrating a cognizable injury in fact for purposes of Article III standing in the context of data breach class-action litigation. While Beck does support the conclusion that a mere fear of future, uncertain injury—without more—will be inadequate to establish standing in future data breach class-action suits down the road, significant uncertainty remains as to the precise showing that must be made by data breach victims in connection with a future increased threat of identity theft in order to successfully overcome the injury in fact standing hurdle. Unfortunately, this uncertainty may only be resolved by a definitive ruling on the issue by the U.S. Supreme Court, which would, in turn, allow for consistent application of the law across all federal courts throughout the country.