As many data breach litigation cases have demonstrated over recent years, the question of a plaintiff’s standing can be quite important to the outcome of each case.  While the Supreme Court has addressed standing issues in several cases with potential applicability in the data breach litigation context, most recently in Spokeo, Inc. v. Robins and Clapper v. Amnesty International, the Court has not yet addressed head-on the question of standing requirements for plaintiffs in data breach litigation.  More recently, a cert petition in another data breach standing case (In re Zappos.com), discussed below, has been distributed for conference this Friday, December 7, 2018.  As the Court considers whether to grant cert and address this issue, this post provides an overview of the circuit split on standing in data breach litigation cases and efforts to convince the Court to revisit the issue and provide more precise guidance. 

Background on Standing in Data Breach Litigation

In order to establish Article III standing, a party must adequately allege three elements:

  • an injury in fact, described by the Court in Lujan v. Defenders of Wildlife (1992) as the invasion of a legally protected interest that is (a) concrete and particularized and (b) actual and imminent;
  • a causal connection between the claimed injury and the alleged act(s) of the defendant, such that the injury is fairly traceable to the defendant’s act(s) and not the independent action of another third party; and
  • that it is likely, and not merely speculative, that the alleged injury will be redressed by a favorable decision.

In the context of data breach litigation, plaintiffs may struggle to sufficiently allege many of these elements due to the nature of the data breach itself.  For example, a plaintiff may face difficulties in demonstrating that a theft of their data resulted in an injury in fact, especially if the information has not yet been misused by a third party.  Even if the plaintiff can demonstrate an injury, it may be difficult to show that any such injury was causally connected to the specific data breach at issue in the litigation as opposed to being traceable to an independent cause.

Recent Supreme Court precedent has hinted at answers to questions surrounding standing in data breach litigation, but has stopped short of directly addressing the issue.  In 2013, the Court issued its decision in Clapper v. Amnesty International, which concerned a challenge by the plaintiffs to new processes for approving government surveillance of foreign nationals outside the United States under the Foreign Intelligence Surveillance Act (FISA).  The Court rejected this challenge, holding that any “threatened injury must be certainly impending to constitute injury in fact [and] allegations of possible future injury are not sufficient.”  More recently, the Court issued its decision in Spokeo, Inc. v. Robins in 2016, a case involving claims under the Fair Credit Reporting Act (“FCRA”) based on Spokeo’s alleged reporting of inaccurate information about the plaintiff.  The Court’s Spokeo decision reaffirmed that a plaintiff must demonstrate a “concrete and particularized” harm to satisfy the standing requirements.  The Court noted that while a “real risk of harm” may be sufficient to satisfy Article III’s standing requirements, a plaintiff must allege more than a “bare procedural violation” of a statute without “a degree of risk sufficient to meet the concreteness requirement.”

Circuit Court Split on Data Breach Standing

Despite recent Supreme Court precedent on standing issues, the Court has not directly addressed the issue of standing in data breach litigation.  In the absence of definitive Supreme Court precedent, circuit courts have interpreted the issue differently and created a circuit split.  Several of the most notable circuit court decisions on standing in data breach litigation are summarized below:

  • Reilly v. Ceridian Corp. (3d Cir. 2011): The district court dismissed the plaintiffs’ claims regarding a breach impacting a payroll processing firm that allegedly resulted in the compromise of individuals’ personal information based on lack of standing. The Third Circuit affirmed the dismissal, holding that without evidence that the personal information had been “read, copied, and understood” and subsequently used “successfully” by the “hacker,” the plaintiffs could only show a “hypothetical, future injury” that was insufficient to demonstrate standing.  (Note that more recently, the Third Circuit has reversed a district court’s dismissal of data breach litigation on standing grounds in In re Horizon Healthcare Services Inc. Data Breach Litigation (3d Cir. 2017), holding that the plaintiff’s allegations under the Fair Credit Reporting Act sufficiently pled a de facto injury).
  • Remijas v. Neiman Marcus (7th Cir. 2015) and Dieffenbach v. Barnes & Noble (7th Cir. 2018): The plaintiff in Remijas brought various claims stemming from a 2013 data breach that resulted in the compromise of information regarding approximately 350,000 payment cards, 9,200 of which were found to have been used fraudulently. The Seventh Circuit reversed the district court’s dismissal, finding that the plaintiffs had demonstrated an “objectively reasonable likelihood” that harm would occur and that the plaintiffs had adequately alleged standing under Article III.  As the Seventh Circuit explained, “customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing.”  Three years later, the Seventh Circuit reversed another district court dismissal of a data breach lawsuit on standing grounds in Dieffenbach, where customers of Barnes & Noble brought a putative class action lawsuit stemming from a breach of payment card information.  The Seventh Circuit rejected the district court’s conclusion that the complaint failed to adequately plead damages, finding that the plaintiffs’ allegations of time spent addressing the breach, loss of availability of funds in their accounts, and payment for credit monitoring services would be sufficient under applicable state law to support damages claims.
  • Galaria v. Nationwide Mutual Insurance Co. (6th Cir. 2016): The plaintiffs brought various claims, including alleged violations of the FCRA, stemming from a 2012 data breach that allegedly impacted the personal information of over 1 million Nationwide customers. The Sixth Circuit reversed the district court’s partial dismissal of the case, finding that the increased risk of identity fraud was sufficient pleading of injury under Article III.  The Sixth Circuit noted that, “[w]here a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for [] fraudulent purposes….”
  • In re SuperValu, Inc. (8th Cir. 2017): The plaintiff’s allegations stemmed from a 2014 incident that allegedly resulted in the compromise of payment card and personal information from SuperValu customers. The Eighth Circuit affirmed the district court’s dismissal of the case, stating that plaintiffs could not “manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”  However, one plaintiff was allowed to proceed with his claims by alleging that fraudulent charges had been made to his payment card account following the incident.
  • Whalen v. Michaels Stores, Inc. (2d Cir. 2017): The plaintiff in this case alleged various harms stemming from a 2014 data breach affecting the payment card information of Michaels’ customers. The Second Circuit affirmed the district court’s dismissal, holding that the plaintiff had not suffered a “particularized and concrete injury” because any resulting fraudulent charges had been reimbursed.  The court also noted that the plaintiff could not plausibly allege a risk of future harm where her credit card had been promptly cancelled after the incident and she did not allege that any other personal information had been stolen.
  • Attias v. Carefirst, Inc. (D.C. Cir. 2017): The plaintiffs brought a putative class action lawsuit against Carefirst after a 2015 data breach allegedly resulted in the compromise of their personal information. The D.C. Circuit reversed the district court’s dismissal for lack of standing, finding that “a substantial risk of harm exists already, simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken.”
  • Beck v. McDonald (4th Cir. 2017) and Hutton v. National Board of Examiners in Optometry, Inc. (4th Cir. 2018): The Beck litigation represented multiple consolidated putative class-action lawsuits following separate incidents in 2013 and 2014 involving the theft or loss of items containing the personal information of patients of the Dorn Veterans Affairs Medical Center.  The Fourth Circuit affirmed the dismissal of these cases at the district court level, holding that the increased risk of future harm of identity theft was insufficient to demonstrate injury-in-fact and specifically noting that the inability to point to a proven instance of identity theft three to four years after the breaches in question illustrated the “speculative” nature of the plaintiffs’ claimed injuries.  In contrast, the Fourth Circuit reversed the district court’s dismissal of the Hutton complaint on standing grounds, distinguishing the case from Beck on the grounds that the plaintiffs in Hutton could point to specific instances where their personal information had been used fraudulently.
  • In re Zappos.com, Inc. (9th Cir. 2018): After a class of plaintiffs brought various claims stemming from a 2012 incident that allegedly resulted in the compromise of personal information from Zappos’ customers, the district court held that only plaintiffs claiming to have already suffered financial losses resulting from the breach had standing to sue. The Ninth Circuit reversed this decision on appeal, holding instead that even those plaintiffs who had only alleged that financial losses were “imminent” also had sufficient standing to sue.  The Ninth Circuit noted that the “substantial risk that the harm will occur” is sufficient to plead the injury requirement for standing under existing Ninth Circuit precedent.

Possibilities for Granting Cert

Despite differing interpretations between the circuits of the application of standing doctrine in data breach litigation, the Supreme Court has thus far declined to directly address the issue.  After declining a cert petition from Beck in June 2017, the Court denied another cert petition in Attias during the 2017-2018 term and let the D.C. Circuit’s holding stand.  Most recently, Zappos.com has filed a cert petition for the 2018-2019 Supreme Court term, once again seeking to have the Court directly address the issue of standing in data breach litigation.  On November 20, 2018, the cert petition was distributed for the Court’s conference on Friday, December 7, 2018, indicating that the Court may soon decide whether to grant cert in this case.  It will bear watching whether the Court will grant the Zappos.com petition and bring clarity to an issue that has seen differing interpretations among the circuit courts, or pass on the issue for another day.