No Injury, No Data Breach Claims? Depends on the Circuit

Cyber criminals attack a company’s network and consumer class actions follow. Plaintiff’s counsel choose the initial forum, but the defendant may have some ability to influence where the suit will be litigated. Location could matter because the circuits disagree on whether the plaintiff must allege actual injury to establish Article III standing or whether risk of future harm is sufficient.

The Article III Standing Requirement

The black letter law on standing is well established. To sue in federal court, plaintiff must allege: (1) injury in fact; (2) a causal connection between the claimed injury and the alleged acts of defendant; and (3) that it is likely, and not merely speculative, that the alleged injury will be redressed by a favorable decision.[1]

Proving or disproving injury in fact—cognizable harm caused by the breach—is the key battlefield in data breach litigation. The most contested standing issue in data breach lawsuits tends to be the first factor: injury in fact. In order to show that they suffered an injury in fact, plaintiffs must show an invasion of a legally protected interest that is (a) concrete and particularized, and (b) actual and imminent.

The Supreme Court has yet to decide a data breach standing case, but it has provided relevant guidance in two recent decisions. 

In Clapper v. Amnesty International USA, the Supreme Court confirmed that the mere “possibility” of future injury is insufficient for standing.[2] The Court rejected plaintiffs’ argument that possible government interception of communications under the Foreign Intelligence Surveillance Act (FISA) and related costs to mitigate that harm constituted injury in fact. Plaintiffs’ “highly attenuated chain of possibilities” meant their harm was not “certainly impending.”[3] Plaintiffs had not demonstrated a “substantial risk” of future harm and they cannot “manufacture standing by incurring costs in anticipation of non-imminent harm.”[4] 

The Supreme Court again addressed “injury in fact” in Spokeo, Inc. v. Robins, holding that a consumer cannot satisfy Article III standing requirements based on a “bare procedural” statutory violation.[5] The Court confirmed that an injury must cause “both concrete and particularized” harm.[6] “Concreteness . . . is quite different from particularization”—a “concrete” injury must actually exist, and it must be “real,” not “abstract.”[7] A “risk of real harm,” even if intangible, may sometimes suffice, but the degree of risk must be sufficient to satisfy the concreteness requirement.[8]

Circuits Disagree on Data Breach Standing Requirements

Courts agree that alleged actual misuse of personal information exposed in a data breach satisfies standing requirements.[9] Plaintiffs experiencing fraud or identity theft suffer concrete injury from the criminal activity and time and money spent addressing it.[10] Some courts find this true even if plaintiffs are reimbursed for fraudulent charges, citing lost time spent “sorting out” fraud as sufficient injury for standing.[11] Courts generally reject arguments that alleged fraud is not “fairly traceable” to a data breach, citing the low pleading bar for plaintiffs’ causation allegations.[12]

The circuits are split, however, on whether alleged future risk of identity theft—without more evidence—satisfies Article III injury requirements. 

The Sixth, Seventh, Ninth, and D.C. Circuits have each found alleged future risk of identity theft, without any alleged misuse of data, satisfies Article III requirements.[13] These courts reason that theft of sensitive personal information raises a substantial risk that hackers will commit identity theft, thereby distinguishing plaintiffs’ future injuries from the speculative harm alleged in Clapper.[14] These courts have also found that mitigation measures create standing, noting that plaintiffs should not have to wait until they suffer actual fraud to protect themselves.[15]

The Third, Fourth, and Eighth Circuits have reached the opposite conclusion, citing Clapper to find that alleged future identity theft is too speculative to confer Article III standing without actual or attempted misuse of personal information.[16] These courts reject mitigation measures as a basis for standing “[b]ecause plaintiffs have not alleged a substantial risk of future identity theft, the time [plaintiffs] spent protecting themselves against this speculative threat cannot create an injury.”[17]

The Eleventh Circuit has not taken a position, but it is considering whether heightened risk of identity theft satisfies the injury-in-fact requirement in a case alleging violation of the Fair and Accurate Credit Transactions Act.[18] The panel held that risk of identity theft suffices; the full Eleventh Circuit vacated the decision and heard the case en banc. The case was argued in February 2020 and is under submission.

Forum Matters

Unless and until the Supreme Court provides further guidance, litigants will face these differing views on standing in data breach cases. Litigating in a circuit that views Article III standing as a hurdle to pursuing data breach claims may give defendants a basis for an early dismissal.

This article in our “Beyond the Breach” series was authored by Nancy R. Thomas, a partner in Morrison & Foerster’s Privacy + Data Security Group who regularly represents companies in data breach and other high-stakes class actions.

[1]Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992) (citation omitted).

[2]568 U.S. 398 (2013).

[3]Id. at 410, 422.

[4]Id. at 414 n.5, 422.

[5] 136 S. Ct. 1540, 1549-50 (2016).

[6] Id. at 1548.

[7] Id.

[8] Id. at 1549-50.

[9] See Attias v. Carefirst, Inc., 865 F.3d 620, 627 (D.C. Cir. 2017) (“Nobody doubts that identity theft, should it befall one of these plaintiffs, would constitute a concrete and particularized injury.”), cert. denied, 138 S. Ct. 981 (2018).

[10]See, e.g., Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 692 (7th Cir. 2015) (victims of identity theft suffer “aggravation and loss of value of time needed to set things straight, to reset payment associations after credit card numbers are changed and pursue relief for unauthorized charges”).

[11]Id; see also Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963, 967 (7th Cir. 2016) (time spent resolving fraudulent charges constituted injury in fact even if bank prevented charges from going through).

[12]See, e.g., In re Target Corp. Data Sec. Breach Litig., 66 F. Supp. 3d 1154, 1159 (D. Minn. 2014) (allegations that injuries are “fairly traceable” to Target’s conduct is “sufficient at this stage to plead standing”).

[13]See Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384 (6th Cir. 2016); Remijas, 794 F.3d 688; In re Zappos.com, Inc., 888 F.3d 1020, 1023 (9th Cir. 2018) (finding Krottner v. Starbucks Corp., 628 F.3d 1139, 1142-43 (9th Cir. 2010), remained good law after Clapper); Attias, 865 F.3d 620. The D.C. Circuit recently reaffirmed its position. See In re Office of Pers. Mgmt. Data Sec. Breach Litig., 928 F.3d 42, 54-61 (D.C. Cir. 2019) (per curiam). The Second Circuit has not yet taken a definitive position, but district courts in the Circuit have speculated that it would adopt the Sixth and Seventh Circuits’ approach based on Whalen v. Michael Stores, Inc., 689 F. App’x 89, 90-91 & n.1 (2d Cir. 2017), which cited favorably to Sixth Circuit precedent and distinguished Seventh Circuit decisions in affirming dismissal of a data breach case on standing grounds. Fero v. Excellus Health Plan, Inc., 304 F. Supp. 3d 333, 339 (W.D.N.Y. 2018) (speculating on Second Circuit’s position in circuit split); Sackin v. TransPerfect Glob., Inc., 278 F. Supp. 3d 739, 746 (S.D.N.Y. 2017) (same). Note that all of these circuit court decisions reach the same result as Judge Koh’s earlier ruling in In re Adobe Systems, Inc. Privacy Litigation, 66 F. Supp. 3d 1197 (N.D. Cal. 2014), which similarly held that plaintiffs in a data breach class action had Article III standing even if they could not allege actual misuse.

[14]See, e.g., Attias, 865 F.3d at 628-29 (distinguishing Clapper to find “a substantial risk of harm exists already, simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken”). Distinguishing these cases, courts have found theft of non-sensitive data insufficient to raise a substantial risk of future harm. Cf. Whalen, 689 F. App’x at 90 (theft of credit card number did not raise substantial risk of harm because breach exposed no other personal information (such as Social Security or driver’s license numbers) and plaintiff cancelled her card before experiencing fraud).

[15]See Galaria, 663 F. App’x at 388 (“[I]t would be unreasonable to expect Plaintiffs to wait for actual misuse [of exposed data] before taking steps to ensure their own personal and financial security.”); Remijas, 794 F.3d at 694 (monthly identity theft protection fee “easily qualifies as a concrete injury”).

[16]See Reilly v. Ceridian Corp., 664 F.3d 38, 42 (3d Cir. 2011) (“Unless and until [] conjectures [about alleged future identity theft] come true, Appellants have not suffered any injury; there has been no misuse of the information, and thus, no harm.”); Beck v. McDonald, 848 F.3d 262, 274-75 (4th Cir. 2017) (relying on Clapper to find plaintiffs’ alleged risk of future identity theft was “too speculative” because plaintiffs presented no evidence that their personal information had been accessed or misused); In re SuperValu, Inc., 870 F.3d 763, 771-73 (8th Cir. 2017) (citing Clapper to hold that plaintiffs failed to sufficiently show a substantial risk that they will suffer identity theft based on stolen credit card information where such information was not misused).

[17]In re SuperValu, 870 F.3d at 769-71(citing Clapper, 568 U.S. at 415).

[18]Muransky v. Godiva Chocolatier, Inc., 922 F.3d 1175 (11th Cir.), vacated by 939 F.3d 1278 (2019) (granting rehearing en banc).