As the number of data breaches increases, so does the number of data breach-related lawsuits, whether styled as class actions or individual lawsuits. To the extent these lawsuits are commenced in the federal courts, they give rise to the question of what satisfies Article III standing. Merely because a data breach may have occurred and personally identifiable information may have been exposed, or is at risk of being exposed, does not necessarily confer standing on the party whose information has been compromised in the absence of actual harm. As with most litigation, the answer also depends, at least in part, on the jurisdiction in which the lawsuit is commenced.
In Gilot v. Equivity, 18-CV-3492 (WFK), 2018 WL 3653150, at *1 (E.D.N.Y. July 31, 2018), the district court reinforced the Second Circuit’s position on what is required for a plaintiff to have Article III standing. In Gilot, an action commenced by an individual was dismissed for lack of standing where it was only alleged that the unauthorized release of her personally identifiable information to a third party without her consent could lead to potential identity theft. The words “could” and “potential” are important because in the Second Circuit, as in the First, Third and Eighth Circuits, having been put at risk, without actual harm, is insufficient to confer Article III standing upon a plaintiff.
The Eleventh Circuit generally follows the First, Second, Third, and Eighth Circuits; however, the threshold for damages to confer standing is lower. In Muransky v. Godiva Chocolatier, Inc., 905 F.3d 1200 (11th Cir. 2018), the plaintiff alleged that the merchant violated the Fair and Accurate Credit Transactions Act (FACTA) by printing an untruncated receipt with more than five digits of the customer’s credit card number. This statutory violation was sufficient to withstand a motion to dismiss for lack of standing since it constituted damages in the form of the plaintiff needing to bear the cost of safely keeping or disposing of the receipt to avoid someone obtaining the credit card number.
The Sixth, Seventh, and Ninth Circuits have taken a different approach, whereby the courts require only a heightened/substantial risk of future harm, or, in other words, that there is a likelihood of misuse of the stolen data. See, e.g., In re Zappos.com Inc., 888 F.3d 1020 (9th Cir. 2018). In a similar vein, in Attias v. Carefirst, 865 F.3d 620 (D.C. Cir. 2017), the District of Columbia Circuit Court noted that the court frequently upholds claims of standing based on claims of substantial risk of future injury. Attias, 865 F.3d at 627. It was also noted that the fact that an actual breach occurred was enough to show damages, regardless of whether the stolen data was misused, because it required the plaintiff to incur the cost of responding to the breach, acquire identity theft monitoring, conduct a damage assessment and mitigate costs.
While the rule in the Fourth Circuit was generally more aligned with the Second Circuit, in a recent decision, Hutton v. National Board of Examiners in Optometry, 892 F.3d 613 (4th Cir. 2018), the Fourth Circuit adopted a middle ground approach and held that it is not necessary to show damages, but there must at least be actual theft and misuse.
While this specific type of case has not yet reached the U.S. Supreme Court, Article III standing has been a recent topic of consideration. In Spokeo, Inc. v. Robins, 136 S.Ct. 1540 (2016), the Supreme Court remanded a matter back to the Ninth Circuit regarding standing in the context of an alleged violation of the Fair Credit Reporting Act of 1970 (“FCRA”). The complaint was dismissed by the district court for the plaintiff’s failure to plead injury in fact. On appeal, the Ninth Circuit reversed, holding that Spokeo’s violation of Robins’s statutory rights as related to his individualized personal interests was sufficient. The Supreme Court held that the Ninth Circuit’s Article III standing analysis was incomplete because it did not consider whether the alleged injury in fact was concrete, as opposed to particularized, and remanded the matter back to the Ninth Circuit. On remand, the Ninth Circuit again found that sufficient injury and concrete harm were alleged to establish Article III standing and that the alleged harm was not merely a statutory violation (purely legal or procedural), but real. Robins v. Spokeo, Inc., 867 F.3d 1108 (9th Cir. 2017). The questions queried and answered by the Ninth Circuit on remand were, “[i]n evaluating [plaintiff’s] claim of harm, we thus ask: (1) whether the statutory provisions at issue were established to protect his concrete interests (as opposed to purely procedural rights), and if so, (2) whether the specific procedural violations alleged in this case actually harm, or present a material risk of harm to, such interests.” Id. at 1114. As noted therein, whether intangible injury is sufficient for standing purposes remains a “somewhat murky area.” Spokeo, already an oft-cited case in litigation concerning Article III standing, is instructive, but the murkiness still remains, as does the split among the circuits.
Depending on what side of the “v” you find yourself on – plaintiff or defendant – where your case is venued may very well dictate the outcome of the litigation. A case on point will likely find its way to the Supreme Court, but, until then, it is important to know the law of the jurisdiction in the event you find yourself brought to court for an alleged breach or if you plan to bring suit.