When companies are hit with cybersecurity incidents, class action privacy litigation often follows. However, claimants in these kinds of cases face a threshold challenge of showing they have suffered a sufficient “injury in fact” to establish that they have standing to assert their claims. The following guest post, written by Paul Ferrillo, Kristine Argentine, Emily Dorner, and Alexandra Drury of the Seyfarth Shaw law firm, provides a survey of the current state of play for the standing requirements in this type of litigation. I would like to thank the authors for allowing me to publish their article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is the authors’ article.
Now more than ever, it is important for organizations to review and update their basic information security protocols (their incident response, business continuity and crisis communications plans), and to ensure they’re keeping apprised of potential and developing security threats that may imperil their organizations (like a catastrophic ransomware attack). Nation state attacks and cyber criminal gangs efforts seem to be aimed daily at US businesses. And the ransomware plague that continues unabated, affects nearly all industry verticals.[i]
Unfortunately, sometimes even when threats are known and being addressed, when employees are trained frequently regarding information security, and when the highest security precautions are taken, a threat-actor can quickly capitalize on miniscule vulnerabilities, and an organization is faced with the grueling task of picking up the pieces. This usually includes conducting a forensic investigation, updating written information security protocols, deploying patches and password resets, replacing hardware, conducting additional employee training, as well as analyzing differing state breach legislation and notifying consumers, attorneys general, and credit bureaus in accordance with those laws.
Even after these efforts, an organization is still at risk of privacy class action litigation. This might arise through a state attorney general, federal regulator, or a consumer whose data was wrongly accessed or in fact stolen during the cyber-attack.
But in order for a consumer to sue, the threshold, and hot-button, question is whether the consumer has standing under Article III of the US Constitution. [T]he “irreducible constitutional minimum” of standing consists of three elements. The plaintiff must have (1) suffered an “injury in fact” (2) that is “fairly traceable” to the challenged conduct of the defendant and (3) that is likely to be redressed by a favorable judicial decision.[ii]
This article discusses the first prong of the standing elements: injury in fact. Because it is generally difficult for plaintiffs in these actions to show financial harm, or other actual damages, arguments have been raised by the plaintiffs’ bar that the future risk of harm should suffice to meet the first prong of the standing elements. The Supreme Court stated in Spokeo, Inc. v. Robins that even when a statute has been violated, plaintiffs must show that an “injury-in-fact” has occurred that is both concrete and particularized. While this did provide some additional information, the question of how the future risk of harm fits in was left outstanding. Fortunately, on June 25, 2021 the Supreme Court revisited this issue in TransUnion LLC v. Ramirez, 20-297, 2021 WL 2599472, at *1 (U.S. June 25, 2021), when a credit reporting agency flagged certain consumers as potential matches to names on the United States Treasury Department’s Office of Foreign Assets Control (OFAC) list of terrorists, drug traffickers, or other serious criminals. The Court found that those “flagged” consumers whose information was divulged to third party businesses as being included in this list suffered a concrete injury in fact. Id. With regards to those consumers who were flagged as potential matches, but the information was never disseminated, the Court was unconvinced that a concrete injury occurred. Id. The Court further examined the risk of future harm for these individuals, but declined to find injury in fact, stating that risk of harm cannot be speculative, it must materialize, or have a sufficient likelihood of materializing. Id. It will be interesting to see how this ruling plays out in the circuits in the context of a data breach. The Court included in its opinion some interesting information regarding certain circumstances that may give rise to a concrete harm. Id. Aside from physical or financial harm, the Court also stated that reputational harm, the disclosure of private information, or intrusion upon seclusion may rise to the level of concrete harm. Id. This then begs the question of whether a risk of harm analysis might be necessary in the context of a breach, where private information is indeed accessed and disclosed (i.e., disseminated) to an unauthorized 3rd party.
In light of this ruling, we surveyed certain of the most active Circuit Court’s behavior on the Article III standing issue (post-data breach). While there are certainly trends in each circuit, it seems risk of future harm in particular, is often evaluated, rightly, based on the specific facts of the matter, which still does cause some variance within each circuit. Below we explore these trends, and the circumstances under which injury in fact is often found. Given the recent TransUnion ruling, we expect the circuits to maintain some variability and look to distinguish the TransUnion case when possible.
The Second Circuit very recently faced this issue, and acknowledged “join[ing] all of [its] sister circuits that have specifically addressed the issue in holding that plaintiffs may establish standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of their data.” The court held that plaintiffs lacked standing due to a failure to plead a sufficient risk of future identity fraud. This is in contrast to its decision in Whalen v. Michael Stores, Inc., 689 F. App’x 89, 90-91 & n.1 (2d Cir. 2017), which seemed to favor the Sixth and Seventh Circuit’s approach.
The Second Circuit also recently looked to this issue in McMorris v. Carlos Lopez & Assocs., LLC, No. 19-4310, at 11 n.3 (2d Cir. April 26, 2021). When the defendant employer accidentally sent an email containing employee PII, plaintiff employees sued for negligence and violation of state consumer protection laws. Plaintiffs’ PII was not, at the time of the case, misused or stolen. The court remained consistent with its decision in Whalen concluding that despite measures taken to avoid identity theft, the plaintiffs could not show injury in fact.
The Third Circuit has taken its own approach, allowing standing when data is statutorily protected, but rejecting risk of harm arguments for common law claims. This is demonstrated by the court in In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625, 641 (3d Cir. 2017), which found standing when personal data was breached in violation of the Fair Credit Reporting Act. The court did not delve into the future risk of harm issue, as it had already found a “cognizable injury.” Id.
The future risk of harm issue was discussed however in Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3d Cir. 2011) (“Unless and until  conjectures [about alleged future identity theft] come true, Appellants have not suffered any injury; there has been no misuse of the information, and thus, no harm.”), and Kamal v. J. Crew Grp., Inc., 918 F.3d 102, 113 (3d Cir. 2019) (denying standing where no information was stolen or disclosed, or where a threat-actor would need to piece together information from different sources in order to proceed with identity theft, and stating “[i]f a procedural violation does not present a material risk of harm to an underlying interest, a plaintiff fails to demonstrate concrete injury under Article III”).
The Fourth Circuit additionally rejects the risk of future harm argument, finding in Beck v. McDonald, 848 F.3d 262, 274-75 (4th Cir. 2017) that the plaintiffs’ supposed risk of future identity theft was “too speculative” when plaintiffs failed to present evidence that their personal information had been accessed or misused.
A year later however, in Hutton v. Natl. Bd. of Examiners in Optometry, Inc., 892 F.3d 613, 621 (4th Cir. 2018), the court of appeals distinguished the Beck decision and vacated a district court’s dismissal of class action suit. There, the Fourth Circuit found injury in fact when Plaintiffs alleged that they were victims of identity theft and credit card fraud, which constituted misuse and thus satisfied the injury prong of Article III. Id.
The Seventh Circuit favors standing when a breach causes an increased risk of harm to the affected individuals, when the data exposed is likely to lead to identity theft. This is supported by the decisions in Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 634 (7th Cir. 2007), which found injury in fact when plaintiffs claimed an increased risk of data theft after their information had been accessed by a malicious and sophisticated hacker; Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963, 967 (7th Cir. 2016) where injury in fact was found when plaintiffs spent time resolving fraudulent charges even when the bank prevented charges from going through; and Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 692 (7th Cir. 2015), where similarly, victims of identity theft suffered “aggravation and loss of value of time needed to set things straight, to reset payment associations after credit card numbers are changed and pursue relief for unauthorized charges.”
However, some recent cases show that the Seventh Circuit is not quite ready to accept that any potential for identify theft satisfies the injury in fact element of standing. For example, in Kylie S. v. Pearson PLC, 475 F. Supp. 3d 841, 846 (N.D. Ill. 2020), the court did not find standing where the data breached could not “easily be used in fraudulent transactions,” and where plaintiffs were unable to show any consequences of the breach a year following the incident.
The Ninth Circuit has determined that a plaintiff can establish standing by showing injury in fact based on the increased risk of identity theft following a data breach. In Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010), the court found that the plaintiffs had standing where they “alleged credible threat of real and imminent harm stemming from the theft of a laptop containing their unencrypted personal data.” Likewise, the court in In re Zappos.com, Inc., 888 F.3d 1020, 1028 (9th Cir. 2018), found that “Plaintiffs sufficiently alleged an injury in fact based on a substantial risk that the Zappos hackers will commit identity fraud or identity theft.”
The Eleventh Circuit has found that a plaintiff must show more than an increased risk of identity theft to establish injury in fact for Article III standing. In Tsao v. Captiva MVP Rest. Partners, LLC , 986 F.3d 1332, 1343 (11th Cir. 2021), the court explained that the information allegedly accessed by the hackers “generally cannot be used alone to open unauthorized or new accounts” therefore, “it is unlikely that the information allegedly stolen [ ], standing alone, raises a substantial risk of identity theft.”
While the Supreme Court did provide further color to the issue of risk of future harm, we have yet to see how this plays out in the context of a data breach. The trends in the circuits tell us that in the absence of a showing that individual data was indeed misused, we can expect courts across the circuits to evaluate each case based on the facts and circumstances at hand, and continue to draw conclusions based on the trends discussed above. However, with the Supreme Court using dissemination of information as the threshold to determine harm, it will be interesting to see what is to come in this space.
[i] See Georgia hospital system hit with ransomware attack following Biden-Putin summit | Fox Business
[ii] Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016), as revised (May 24, 2016).