Today the U.S. Supreme Court denied a cert petition in a matter aimed at resolving whether a plaintiff who alleges a substantial risk of harm in the future has standing under Article III of the Constitution. A ruling in the case, CareFirst v. Attias, would have had major implications for data-breach litigation and in class actions generally.
A quick refresher on standing. To satisfy Article III’s standing requirements, a plaintiff must show (1) he has suffered an “injury in fact” that is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision. Friends of the Earth, Inc. v. Laidlaw Environmental Services (TOC), Inc., 528 U.S. 167, 180-81 (2000). Thus, to invoke the jurisdiction of a federal court, a plaintiff must allege that he has either actually been injured or that injury is imminent.
In the context of data breaches, however, a plaintiff’s injury can be difficult to establish. Individuals across the country are frequently notified by companies that their personal information has been stolen by hackers. Can they sue the company in negligence before their identities are stolen or fraudulent activity appears on their accounts? What does the Supreme Court mean by imminent?
In its most recent case on this issue, the Court held that allegations of future harm can establish standing if the harm is “certainly impending,” but “allegations of possible future injury are not sufficient.” Clapper v. Amnesty Int’l USA, 568 U.S. 398, 409 (2013) (cleaned up).
The trickiness of the question is illustrated by the facts of the case before the Court, CareFirst v. Attias. The petitioner CareFirst, Inc., is a national health-insurance company whose servers were hacked in June 2014. The respondents are individuals insured by CareFirst. They brought a putative class action against petitioner and associated entities alleging that their personal information was stolen, which put them at risk of future identity theft. The personal information taken included respondents’ names, birth dates, email addresses, and subscriber identification numbers. Notably, CareFirst maintained that the respondents’ Social Security numbers and credit-card numbers were not stolen.
The U.S. District Court for the District of Columbia dismissed the action for lack of standing, holding that “[a]bsent facts demonstrating a substantial risk that stolen data has been or will be used in a harmful manner, merely having one’s personal information stolen in a data breach is insufficient to establish standing … .” One flaw in the respondents’ allegations, the court found, was a failure to explain how the hackers could commit identity theft with the specific pieces of information they stole.
The Court of Appeals for the District of Columbia reversed. The circuit court first disagreed with the district court about the information that was stolen. It found that respondents had plausibly alleged that Social Security numbers and credit-card numbers had been accessed, in part because that information was stored on CareFirst’s servers. But even if that information was not stolen, the circuit court held that the unauthorized access to respondents’ names, birth dates, email addresses, and subscriber identification numbers created a material risk of identity theft.
At issue in the cert petition, the D.C. Circuit seemed to distinguish between two different tests for imminent injury: whether a future injury is certainly impending and whether it is merely a substantial risk. A second issue raised by CareFirst was that standing should not be found based on a substantial risk of future injury where the future injury is to be caused by unknown third parties, which CareFirst argued was speculative.
Thus, the question presented by CareFirst was: “[w]hether a plaintiff has Article III standing based on a substantial risk of harm that is not imminent and where the alleged future harm requires speculation about the choices of third-party actors not before the court.”
The courts of appeals have come to a variety of rulings on this issue. As noted by the Fourth Circuit last year, “[o]ur sister circuits are divided on whether a plaintiff may establish an Article III injury-in-fact based on an increased risk of future identity theft.” Beck v. McDonald, 848 F.3d 262, 273 (4th Cir. 2017); see also Katz v. Pershing, LLC, 672 F.3d 64, 80 (1st Cir. 2012) (“The courts of appeals have evidenced some disarray about the applicability of this sort of ‘increased risk’ theory in data privacy cases.”).
Our offices at HeplerBroom are in both the Seventh and Eighth Circuits, which have come down on different sides of the risk-of-future-injury question in data-breach cases.
In Remijas v. Neiman Marcus, 794 F.3d 688 (7th Cir. 2015), the plaintiffs alleged that 350,000 individuals had their data taken from Neiman Marcus’s database, including credit-card numbers, resulting in fraudulent charges to the accounts of at least 9,200 putative class members. The Seventh Circuit noted that the hackers deliberately targeted Neiman Marcus to obtain its customers’ credit-card information, so there was no need to speculate whether information had been stolen or what information was taken. The court found that “the Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur” (citing Clapper).
In In re SuperValu, Inc., 870 F.3d 763 (8th Cir. 2017), cyber criminals installed malicious software on the defendant grocery stores’ computer network and allegedly accessed customers’ names, credit- and debit-card account numbers, expiration dates, CVV codes, and personal identification numbers. Of the sixteen named plaintiffs in the consolidated class actions, only one had actually discovered fraudulent charges on his credit card. Except for that one plaintiff, the Eighth Circuit held that the other plaintiffs’ allegations of future injury did not support standing. Their allegation that illicit websites were selling their card information was deemed speculative. There was “little to no risk” that the plaintiffs would suffer identity theft because the stolen data did not include personally identifying information, such as Social Security numbers. And a 2007 Government Accounting Office report concluded that “most breaches have not resulted in detected incidents of identity theft.” Therefore, the court found, plaintiffs did not plausibly support their contention that consumers affected by the data breach faced a substantial risk of credit-card fraud.
The Supreme Court’s last decision on risk of future injury, Clapper, split 5-4 finding a lack of standing. Justice Antonin Scalia sided with the majority. With four dissenting justices in Clapper and Justice Gorsuch on the bench now, there seemed to be a strong opportunity for the Court to resolve the split among the circuit courts. However, the facts are complicated and perhaps did not present a clean legal issue. As the Eighth Circuit observed in In re SuperValu, “We need not reconcile … out-of-circuit precedent because the cases ultimately turned on the substance of the allegations before each court.”
The Court seems to want to leave its recent opinions on standing alone. Last month the Court also denied a cert petition in a new appeal of the Spokeo case from the Ninth Circuit. See our prior blog piece by Glenn Davis, “Spokeo Speak: SCOTUS Addresses Injury-in-Fact Standing in Spokeo.”
For now it appears that the standing issues will be resolved on a case-by-case basis in cyber litigation, and the outcome may depend on little more than where you are.
You can find today’s ruling here.