The 4th Circuit Joins the Discussion on Standing in Data Breach Cases
by Patricia Heyen & Rolf Garcia-Gallont, Womble Carlyle Sandridge & Rice, LLP
While seemingly unrelated, Ashley Madison, eBay, Sony, and Target have one thing in common: they have all, at one point or another, lost control over their highly sensitive data due to a data breach.
As the number of reported data breaches reached an all-time high in 2016, federal courts have been grappling with the question of who should be considered a victim in the eyes of the law. To date, six circuits have addressed standing in the context of data breach litigation, with the Fourth Circuit most recently joining the discussion in Beck v. McDonald. In Beck, the Fourth Circuit held that the mere possibility that a plaintiff’s information may be misused as a result of a data breach is insufficient to establish standing.
Beck v. McDonald
In Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), the U.S. Fourth Circuit Court of Appeals affirmed the dismissal, for lack of subject-matter jurisdiction, of two putative class action claims against the William Jennings Bryan Dorn Veterans Affairs Medical Center (“Dorn VAMC”) and several individuals related to the Dorn VAMC.
The plaintiffs in the consolidated appeal were veterans who received medical treatment and health care at the Dorn VAMC in Columbia, South Carolina. Beck, 848 F.3d at 266. The medical center experienced two data breaches, the result of a medical center laptop and four boxes of pathology reports being misplaced or stolen. Id. The laptop contained unencrypted personal information of approximately 7,400 patients, including names, birth dates, the last four digits of social security numbers, and physical descriptors (age, race, gender, height, and weight). Id. at 267. The pathology reports contained identifying information of over 2,000 patients, including names, social security numbers, and medical diagnoses. Id. at 268.
Richard Beck and Lakreshia Jefferey filed suit on behalf of the approximately 7,400 patients whose information was stored on the missing laptop, and asserted claims under common-law negligence, the Privacy Act of 1974 (5 U.S.C. § 552a et seq.), and the Administrative Procedure Act (5 U.S.C. § 701 et seq.). Id. at 267. The plaintiffs alleged that the Dorn VAMC’s “failures” and “violations” of the Privacy Act caused them “embarrassment, inconvenience, unfairness, mental distress, and the threat of current and future substantial harm from identity theft and other misuse of their Personal Information.” Id. They further alleged that the threat of identity theft required them to purchase credit monitoring services, monitor financial statements, and move their financial accounts to different institutions. Id.
Beverly Watson filed the second suit on behalf of the approximately 2,000 patients whose pathology reports had gone missing. Id. at 268. She alleged the same harm as the Beck plaintiffs, and asserted similar claims for money damages, and declaratory and injunctive relief. Id.
The district court dismissed both suits for lack of subject-matter jurisdiction, holding that the plaintiffs lacked standing because they failed to establish that they had suffered an injury-in-fact. Id. at 268-69.
The Fourth Circuit’s Opinion
As a quick refresher, one of the “irreducible minimum requirements” that a plaintiff must establish to have standing to sue in federal court under Article III is an “injury in fact.” Id. at 269. “To establish injury in fact, a plaintiff must show that he or she suffered an invasion of a legally protected interest that is concrete and particularized and actual or imminent, not conjectural or hypothetical.” Id. at 270 (quoting Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1548 (2016)) (internal quotation marks omitted).
The district court in Beck granted the defendants’ motion to dismiss, holding that the plaintiffs lacked standing under the Privacy Act. Id. at 267-68. The district court pointed to the U.S. Supreme Court’s holding in Clapper v. Amnesty International USA, 133 S. Ct. 1138, 1155 (2013), and reasoned that as to the “certainly impending” standard (i.e., an allegation of future injury can support standing to sue only if the plaintiff can demonstrate that the injury is “certainly impending”), the plaintiffs’ fear of future harm was too speculative given that it was “contingent on a chain of attenuated hypothetical events and actions by third parties independent of the defendants.” Id. at 268. The district court concluded that the plaintiffs had “not submitted evidence sufficient to create a genuine issue of material fact as to whether they face a ‘certainly impending’ risk of identity theft.” Id.
The Fourth Circuit agreed, stating that the Beck plaintiffs failed to provide any “evidence that the information contained on the stolen laptop ha[d] been accessed or misused or that they ha[d] suffered identity theft . . . [or] that the thief stole the laptop with the intent to steal their private information.” Id. at 274. The Fourth Circuit held that the Watson complaint suffered from the same deficiency. Id. at 275. In sum, “the mere theft” of the laptop and pathology reports “without more, [did] not confer Article III standing.” Id.
Even as to the lesser “substantial risk” standard (i.e., a plaintiff must show that there is a “substantial risk” that the harm will occur), the Fourth Circuit determined that the plaintiffs’ calculations that approximately 33% of those individuals whose information was stored on the laptop would have their identities stolen, and that all individuals whose information was stored on the laptop would be 9.5 times more likely to experience identity theft, were insufficient to establish a “substantial risk” of identity theft. Id.
Both the district court and the Fourth Circuit Court of Appeals relied on Clapper to determine what is required of a plaintiff to prove an injury-in-fact based on a threatened injury: the threatened injury must be “certainly impending,” or there must be a “substantial risk” that the harm will occur such that a party may reasonably incur costs to mitigate or avoid the harm. Id. at 272, 275.
The Fourth Circuit applied the “certainly impending” test for the first time in the context of a data breach case, and looked to the First, Third, Sixth, Seventh, and Ninth Circuits for guidance. See id. at 273-74 (citing Galaria v. Nationwide Mut. Ins. Co., No. 15–3386, 663 Fed.Appx. 384, 387–89, 2016 WL 4728027, at *3 (6th Cir. Sept. 12, 2016); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 692, 694–95 (7th Cir. 2015); Krottner v. Starbucks Corp., 628 F.3d 1139, 1142–43 (9th Cir. 2010); Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629, 632–34 (7th Cir. 2007); Katz v. Pershing, LLC, 672 F.3d 64, 80 (1st Cir. 2012); Reilly v. Ceridian Corp., 664 F.3d 38, 40, 44 (3d Cir. 2011)). Ultimately, the Fourth Circuit distinguished the facts of the case before it from those decided by its sister circuits, and provided some hints as to what evidence would establish “certainly impending” injury: specific misuse of the personal information and intent to steal the personal information. However, the Beck court emphasized that its decision does not require a plaintiff to show that the stolen information has already been misused—such evidence has merely proven to be sufficient before other courts in the past. See id. at 275.
With regard to the “substantial risk” standard, the court’s decision provides unclear guidance for future plaintiffs. While the court unambiguously held that the Beck plaintiffs’ calculations of increased risk did not amount to a “substantial risk,” the court also declined to set a numerical “floor.” See id. at 275-76. While plaintiffs will face some uncertainty when bringing data breach cases going forward, at the very least, plaintiffs can rely on the fact that calculations such as those put forth in Beck will not suffice.
Have You Been Injured (in the Eyes of the Fourth Circuit)?
Although the Fourth Circuit did not state so outright, its analysis in Beck strongly indicates that the “certainly impending” and “substantial risk” inquiry is fact-specific. Beyond the examples that can be culled from the cases discussed in the Fourth Circuit’s opinion, there is a broader question of when a data breach causes injury in real life, and what evidence a plaintiff can present to substantiate that injury.
| Probably Standing | Probably No Standing |
| --- | --- |
| There is evidence of actual misuse or access to the personal information by the “data thief” (e.g., fraudulent charges on a credit card, or attempts to open a fraudulent account using a stolen social security number). | The data breach occurred 3-4 years ago, and no harm has occurred as a result. |
| There is evidence that the “data thief” intentionally targeted the personal information compromised in a data breach. | The item that was stolen could have been stolen for reasons other than the sensitive data it contained. |
| | The increased likelihood of becoming a victim of identity theft due to the data breach is 33% or lower. |
| | The entity that held the sensitive information has offered to provide free credit monitoring. |
For example, HAVE I BEEN PWNED? (www.haveibeenpwned.com) is a website that aggregates personal account data that has been illegally accessed and then released into the public domain. By simply entering an email address or username, a visitor can learn whether that account has been associated with a known breach, and what data was exposed in that breach, including names, genders, dates of birth, physical addresses, email addresses, usernames, passwords, password hints, security questions and answers, IP addresses, credit card numbers, and phone numbers.
If an individual’s data is picked up by the website, it is very likely that the “data thief” intentionally targeted that sensitive data in the attack—a fact that “sufficed to push the threatened injury of future identity theft beyond the speculative to the sufficiently imminent” in Galaria, Remijas, and Pisciotta. Id. at 274. Yet, if a plaintiff’s information is on the website, but there is no evidence of actual misuse, and the breach happened several years ago, it seems unlikely that the Fourth Circuit would find an injury in fact.
It is possible that reputational injury could suffice to show injury in fact. HAVE I BEEN PWNED? contains a subset of data relating to “sensitive breaches” (such breaches are considered “sensitive” in that someone’s presence on the website may adversely impact them if that information became public). Ashley Madison, an online dating service marketed to people who are married or in committed relationships, is considered one of these “sensitive” websites. Even if the Ashley Madison breach had happened five years ago, and there was no evidence of actual misuse of private information, the reputational and marital injury caused by the mere revelation of membership could potentially constitute an injury in fact.
As a final hypothetical, imagine that the compromised information consists of an email address, a hashed password, and a password hint. The potential for injury in such a case is magnified by the fact that individuals tend to use the same email address and the same or similar password across many sites. Indeed, a common method of gaining unauthorized access to an online account is called a “brute-force attack,” where an attacker tries many different passwords until the correct password is found. The number of guesses needed in a brute-force attack is greatly reduced if the attacker has a hint, or if the hash used to obscure the actual password is not very strong. If the hypothetical owner of the compromised information can prove that there were multiple login attempts on websites where he or she uses the same email address (an indication of a brute-force attack), would that be enough evidence of actual misuse? Like the plaintiffs in Beck, we will have to wait and see what happens.
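The “multiple login attempts” in the last hypothetical are exactly what a site operator’s authentication logs would record, and such a log is the kind of evidence a plaintiff would need to obtain. As an added illustration that is not part of the original article, the following Python script scans a few constructed log lines for a burst of failed logins against one account, reports how many attempts came from how many sources, and notes whether a successful login followed the burst (the log format, field names, the 60-second window and the five-attempt threshold are all assumptions made for the example):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). Each line is:
# <UTC timestamp> <outcome: FAIL|OK> <account> <source IP>
SAMPLE_LOG = """\
2017-05-01T10:00:01Z FAIL alice@example.com 198.51.100.7
2017-05-01T10:00:03Z FAIL alice@example.com 198.51.100.7
2017-05-01T10:00:04Z FAIL alice@example.com 198.51.100.8
2017-05-01T10:00:06Z FAIL alice@example.com 198.51.100.9
2017-05-01T10:00:09Z FAIL alice@example.com 198.51.100.9
2017-05-01T10:00:12Z OK   alice@example.com 198.51.100.9
2017-05-01T10:05:00Z FAIL bob@example.com 203.0.113.4
2017-05-01T11:30:00Z FAIL bob@example.com 203.0.113.4
2017-05-01T11:31:00Z OK   bob@example.com 203.0.113.4
"""


def parse_line(line):
    """Split one log line into a dict; the account is lower-cased so that
    differently-cased spellings of the same email address are grouped."""
    ts, outcome, account, source = line.split()
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "outcome": outcome,
        "account": account.lower(),
        "source": source,
    }


def detect_bursts(log_text, window_seconds=60, threshold=5):
    """Return {account: summary} for every account that saw at least
    `threshold` failed logins inside any `window_seconds` window.

    The summary records the densest burst found, the distinct source
    addresses involved, and whether a successful login occurred within one
    window after the burst (a success right after many failures is the
    pattern a password-guessing attack leaves when it finally succeeds)."""
    events = defaultdict(list)
    for raw in log_text.splitlines():
        if raw.strip():
            ev = parse_line(raw)
            events[ev["account"]].append(ev)

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for account, evs in events.items():
        evs.sort(key=lambda e: e["time"])
        fails = [e for e in evs if e["outcome"] == "FAIL"]

        # Sliding window over the failures: keep the densest qualifying span.
        best = None
        start = 0
        for end in range(len(fails)):
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[2]):
                best = (start, end, count)
        if best is None:
            continue

        s, e, count = best
        burst_end = fails[e]["time"]
        success_after = any(
            ev["outcome"] == "OK" and burst_end <= ev["time"] <= burst_end + window
            for ev in evs
        )
        flagged[account] = {
            "failures": count,
            "first": fails[s]["time"].isoformat(),
            "last": burst_end.isoformat(),
            "sources": sorted({f["source"] for f in fails[s:e + 1]}),
            "success_after": success_after,
        }
    return flagged


if __name__ == "__main__":
    for account, summary in detect_bursts(SAMPLE_LOG).items():
        print(account, summary)
```

Run against the sample, the scan flags alice@example.com (five failures from three addresses in eight seconds, followed by a success) and ignores bob@example.com, whose two failures are more than an hour apart. The distinction matters for the evidentiary question in the article: a handful of scattered failures is ordinary user behaviour, whereas a dense burst from several sources followed by a success is the footprint of the attack the text describes.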
This article originally appeared in Volume 7, Issue 1 – May 2017 of "The Middle Ground", the publication of the Federal Bar Association - Middle District of North Carolina Chapter. Reprinted with the authors' permission.