On February 6, 2017, the Court of Appeals for the Fourth Circuit affirmed a district court’s dismissal of two data breach class actions for lack of subject-matter jurisdiction: Plaintiffs failed to establish a non-speculative, imminent injury-in-fact of identity theft after a 2013 and a 2014 data breach.
This was a consolidated appeal by veterans against the William Jennings Bryan Dorn Veterans Affairs Medical Center in Columbia, South Carolina. In one case, a laptop containing unencrypted personal information of approximately 7,400 patients was stolen from the Center, while in the other case four boxes of pathology reports containing identifying information of over 2,000 patients had been stolen.
Plaintiffs brought separate actions against the Secretary of Veterans Affairs and Dorn VAMC officials alleging violations of the Privacy Act of 1974, 5 U.S.C. § 552a et seq. and the Administrative Procedure Act (“APA”), 5 U.S.C. § 701 et seq.
In both cases, Plaintiffs sought to establish Article III standing based on the harm from the increased risk of future identity theft and the cost of measures to protect against it, but in both cases Plaintiffs lost because the district court found the alleged damage to be speculative.
On appeal, the Fourth Circuit affirmed the dismissal for lack of subject-matter jurisdiction, holding that the “Plaintiffs failed to establish a non-speculative, imminent injury-in-fact for purposes of Article III standing”.
The three “irreducible minimum requirements” of Article III standing are the following: (1) an injury-in-fact (i.e., a concrete and particularized invasion of a legally protected interest); (2) causation (i.e., a fairly traceable connection between the alleged injury in fact and the alleged conduct of the defendant); and (3) redressability (i.e., it is likely and not merely speculative that the plaintiff’s injury will be remedied by the relief plaintiff seeks in bringing suit).
Focusing on the first element of Article III standing – the injury-in-fact requirement – the Court noted that Plaintiffs pressed two grounds for Article III standing in their Privacy Act claims: (1) the increased risk of future identity theft, and (2) the costs of protecting against the same.
Increased Risk of Future Identity Theft. The Fourth Circuit noted how the Sixth, Seventh, and Ninth Circuits have all recognized, at the pleading stage, “that plaintiffs can establish an injury-in-fact based on this threatened injury”. By contrast, the First and Third Circuits have rejected such allegations, holding that a plaintiff may not establish an Article III injury-in-fact based on an increased risk of future identity theft.
The Fourth Circuit aligned with the latter, holding Plaintiffs’ contention of an “enhanced risk of future identity theft too speculative.” In fact, three years after the data breach, Plaintiffs didn’t provide evidence that the stolen information had been accessed or misused, that they had suffered any identity theft, or even that the violation was committed with the intent to steal private information. Moreover, “as the breaches fade further into the past, the Plaintiffs’ threatened injuries become more and more speculative.”
The Fourth Circuit declined to infer a substantial risk of harm of future identity theft from an organization’s offer to provide free credit monitoring services to affected individuals. “To adopt such a presumption would surely discourage organizations from offering these services to data-breach victims, lest their extension of goodwill render them subject to suit.”
“To establish injury in fact, a plaintiff must show that he or she suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’”
Cost of Mitigative Measures. Plaintiffs alleged that they suffered an injury-in-fact “because they have incurred or will in the future incur the cost of measures to guard against identity theft, including the costs of credit monitoring services”. The Fourth Circuit rejected Plaintiffs’ attempt to “create standing by choosing to purchase credit monitoring services or taking any other steps designed to mitigate the speculative harm of future identity theft.” These “self-imposed harms” did not amount to an injury-in-fact because they were taken solely “to mitigate a speculative future harm”; they cannot confer standing.
More on data breach class action cases in 2013, 2014, and 2015 and the problem of “standing” is available here.
For more information on the right to pursue damages for data breach, contact Francesca Giannoni-Crystal