The Standing Question in Consumer Data Breach Litigation
A Practitioner’s Guide (Updated)
Cyber + Co., No. 8
When customer data is compromised, can the consumers sue the company that was supposed to keep the data secure? The answer turns in large part on standing—more precisely, whether the customers can show an “injury in fact.”
Here’s a guide to the twelve latest decisions of the federal courts of appeals on the subject, including the Fourth Circuit decision hot off the presses earlier this week.
The key takeaway from all these cases can be summed up in two words: intent matters.
The standing requirement comes from Article III of the Constitution, which limits federal courts’ jurisdiction to actual cases and controversies. To establish standing, an injury must be: (1) “concrete, particularized, and actual or imminent”; (2) “fairly traceable to the challenged action”; and (3) “redressable by a favorable ruling.”
The first element—actual or imminent injury—is the most challenging for data breach plaintiffs. Concerned about future misuse of their data, they often struggle to show present misuse. The Supreme Court instructs that allegations of future injury are sufficient if the harm is “certainly impending,” but “allegations of possible future injury are not sufficient.”
How does this test apply to consumer data breach litigation? Although the Supreme Court has been asked to decide the question, to date the Court has declined to take up the issue.
So the best guidance we have is from the federal courts of appeals. Here’s the latest from those courts.
The Latest Appellate Guidance
Over the past 36 months, the Courts of Appeals for the Second, Third, Fourth, Sixth, Seventh, Eighth, Ninth, and D.C. Circuits have weighed in on the issue.
Here's the circuit-by-circuit roundup of those decisions.
Whalen v. Michaels Stores, Inc., 689 F. App’x 89 (2d Cir. 2017) (no standing)
After hackers breached a retail store network and stole three million customers’ payment card numbers, a customer in New York brought suit for breach of implied contract and violation of state consumer protection law.
The district court dismissed for lack of standing. The Second Circuit affirmed in a non-precedential summary order.
The court of appeals explained that the plaintiff: (1) “never was either asked to pay, nor did pay, any fraudulent charge”; (2) did not “plausibly face a threat of future fraud, because her stolen credit card was promptly canceled after the breach”; and (3) “pleaded no specifics about any time or effort that she herself has spent monitoring her credit.”
In a footnote, the court added that these shortcomings distinguished the case from the Seventh Circuit decisions in P.F. Chang’s and Neiman Marcus (both are discussed below).
In re Horizon Healthcare Services Inc. Data Breach Litigation, 846 F.3d 625 (3d Cir. 2017) (standing)
Two laptops were stolen from an insurer. The laptops contained personal information of 839,000 customers, who brought suit alleging violations of the Fair Credit Reporting Act, or “FCRA,” and state consumer protection laws.
The district court dismissed for lack of standing. The Third Circuit reversed, holding “In light of the congressional decision to create a remedy for the unauthorized transfer of personal information, a violation of FCRA gives rise to an injury sufficient for Article III standing purposes. Even without evidence that the Plaintiffs’ information was in fact used improperly, the alleged disclosure of their personal information created a de facto injury.”
The court explained, “We are not suggesting that Horizon’s actions would give rise to a cause of action under common law. No common law tort proscribes the release of truthful information that is not harmful to one’s reputation or otherwise offensive. But with the passage of FCRA, Congress established that the unauthorized dissemination of personal information by a [consumer] reporting agency causes an injury in and of itself.”
Hutton v. National Board of Examiners in Optometry, Inc., 2018 U.S. App. LEXIS 15748 (June 12, 2018) (standing)
Hackers breached a testing organization's database and stole social security numbers, names, addresses, and birth dates. After credit card accounts were fraudulently opened in the students' names, they brought five claims against the organization, including negligence, breach of contract, and breach of implied contract.
The district court dismissed for lack of standing. The Fourth Circuit reversed, holding that the students had sufficiently alleged injury by alleging "their data has been stolen, accessed, and used in a fraudulent manner." The court further held that because the risk of identity theft was not speculative, "the costs of mitigating measures to safeguard against future identity theft support the other allegations and together readily show sufficient injury-in-fact."
Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017) (no standing)
A laptop with patient information and four boxes of medical records went missing from a medical facility. The parties engaged in discovery on the laptop compromise. But they found no evidence that any unauthorized person accessed or misused the data.
The district court dismissed for lack of standing. The Fourth Circuit affirmed, distinguishing the case from those in which “the data thief intentionally targeted the personal information compromised in the data breaches.”
The court of appeals explained that “even after extensive discovery, the Beck plaintiffs have uncovered no evidence that the information contained on the stolen laptop has been accessed or misused or that they have suffered identity theft, nor, for that matter, that the thief stole the laptop with the intent to steal their private information.”
Galaria v. Nationwide Mutual Insurance Co., 663 F. App’x 384 (6th Cir. 2016) (standing)
Hackers breached an insurer and stole the personal information of 1.1 million customers, who brought suit alleging FCRA and state law violations.
The district court dismissed for lack of standing. The Sixth Circuit reversed, holding “Plaintiffs’ allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish a cognizable Article III injury at the pleading stage of the litigation.”
The court explained, “There is no need for speculation where Plaintiffs allege that their data has already been stolen and is now in the hands of ill-intentioned criminals,” adding “Where a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for the fraudulent purposes alleged in Plaintiffs’ complaints.”
Dieffenbach v. Barnes & Noble, Inc., 887 F.3d 826 (7th Cir. 2018) (standing)
Hackers breached a bookstore chain’s credit card readers, stealing the payment card information of an undisclosed number of customers. A group of customers brought suit.
The district court dismissed the complaint. The Seventh Circuit reversed. Writing for the court, Judge Easterbrook applied his characteristic law and economics reasoning, explaining “The plaintiffs have standing because the data theft may have led them to pay money for credit-monitoring services, because unauthorized withdrawals from their accounts cause a loss (the time value of money) even when banks later restore the principal, and because the value of one’s own time needed to set things straight is a loss from an opportunity-cost perspective.”
Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016) (standing)
Hackers breached a restaurant chain and stole the payment card numbers of as many as seven million customers. A group of customers brought suit.
The district court dismissed for lack of standing. The Seventh Circuit reversed. Writing for the court, Chief Judge Wood pragmatically reasoned it’s “plausible to infer a substantial risk of harm from the data breach, because a primary incentive for hackers is sooner or later to make fraudulent charges or assume those consumers’ identities.”
In doing so, the court rejected the argument “that the plaintiffs’ mitigation here was unreasonable because, unlike the situation in Remijas [v. Neiman Marcus (discussed next)] and similar data breaches, this one posed a risk only of fraudulent charges to affected cards, not of identity theft.” Chief Judge Wood explained that “information stolen from payment cards can be used to open new cards in the consumer’s name,” adding “P.F. Chang’s itself implicitly acknowledged this — in its August press release, P.F. Chang’s encouraged consumers to monitor their credit reports (in part for new account activity) rather than simply the statements for existing affected cards.”
Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015) (standing)
Hackers breached a luxury retailer and stole payment card numbers of 350,000 customers. A group of customers brought claims for negligence, breach of implied contract, unjust enrichment, and consumer protection law violations.
The district court dismissed for lack of standing. The Seventh Circuit reversed, holding that the plaintiffs “should not have to wait until hackers commit identity theft or credit card fraud in order to give the class standing, because there is an objectively reasonable likelihood that such injury will occur.”
The court reasoned, “Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”
In re SuperValu, Inc., Customer Data Security Breach Litigation, 870 F.3d 763 (8th Cir. 2017) (mixed)
Hackers breached a grocery store chain and stole payment card numbers of an undisclosed number of customers. A group of customers brought claims for negligence, breach of implied contract, unjust enrichment, and violations of consumer protection statutes, among others.
The district court dismissed for lack of standing. The Eighth Circuit affirmed the dismissal of claims based on future injury, while reversing the dismissal of claims based on present injury.
Affirming the dismissal of the claims for risk of future identity theft, the court explained that although the plaintiffs’ complaint alleged that the stolen data had been accessed, they had not alleged that it had been misused. The court also rejected the plaintiffs’ assertion that, “on information and belief,” the compromised cards were being offered for sale on the black market, concluding these allegations were simply speculative.
The court did, however, permit one plaintiff’s claims to proceed because he alleged that he had suffered a fraudulent charge on his compromised credit card.
Kuhns v. Scottrade, Inc., 868 F.3d 711 (8th Cir. 2017) (standing)
Hackers breached a securities brokerage firm and stole the personal information of 4.6 million customers. A group of customers brought contractual, equitable, and consumer protection statute claims. It was undisputed, however, that no customers had suffered fraud or identity theft causing financial injury.
The district court dismissed for lack of standing. The Eighth Circuit concluded that the plaintiffs had standing, at least for their contract-related claims, but nevertheless affirmed for failure to state a claim.
The court explained that the allegation that the plaintiffs did not receive the full benefit of their bargain with respect to data security was sufficient to allege actual injury: the diminished value of their contractual bargain.
But the court held the contract-related claims must nevertheless be dismissed because they did not plausibly allege the breach of an express or implied term. The contract provided for services “on a per order basis.” Given this, the court concluded that “the allegation that the failure of Scottrade’s security measures was a breach of contract that diminished the benefit of Kuhns’s bargain is not plausible.”
In re Zappos.com, Inc., Customer Data Security Breach Litigation, 884 F.3d 893 (9th Cir. 2018) (standing)
Hackers breached an online retailer and stole the personal information of 24 million customers, including payment card numbers. Customers brought suit and were sorted into two classes: (1) those who alleged that they had already suffered financial losses from identity theft; and (2) those who did not allege that they had already suffered financial losses.
The district court held that the first class had standing but the second class did not. The second class appealed, and the Ninth Circuit reversed.
Holding the second class had standing, the court observed “Congress has treated credit card numbers as sufficiently sensitive to warrant legislation prohibiting merchants from printing such numbers on receipts—specifically to reduce the risk of identity theft.”
Pointing to the first class, the court also noted “Although those plaintiffs’ claims are not at issue in this appeal, their alleged harm undermines Zappos’s assertion that the data stolen in the breach cannot be used for fraud or identity theft.”
Attias v. CareFirst, Inc., 865 F.3d 620 (D.C. Cir. 2017) (standing)
Hackers breached a health insurer and stole 1.1 million customers’ information. The customers brought suit, alleging an increased risk of identity theft.
The district court dismissed for lack of standing. The D.C. Circuit reversed, reasoning “an unauthorized party has already accessed personally identifying data on CareFirst’s servers, and it is much less speculative—at the very least, it is plausible—to infer that this party has both the intent and the ability to use that data for ill.”
Quoting Neiman Marcus, the court added, “Why else would hackers break into a database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”
The answer to the standing question in customer data breach litigation remains in flux. And the specific facts of the particular case matter enormously. But for now, one trend is clear: intent matters.
About Cyber + Co.
Cyber + Co. covers the intersection of cybersecurity and the law for companies and consumers.
About the Author
Tom Cummins is the founder of Potomac Litigation. He has deep experience assisting clients in some of history’s largest data breaches, as well as a host of other cybersecurity incidents.