Earlier this month, a Texas federal judge rejected a data breach plaintiff’s claim of a relaxed standard for Article III standing based on the “heightened risks” posed by potential identity theft and security fraud. The court ruled that despite the possibility that thieves could drain her bank accounts, charge her credit cards, and perpetrate tax, medical, and insurance fraud, the plaintiff’s injuries were not “imminent” or “certainly impending,” as required under Constitutional precedent. As such, the court held that the plaintiff lacked standing to sue.
Although some courts have recently shown a willingness to recognize standing for victims of hackers who deliberately target and intentionally misappropriate stolen information, this case illustrates that data breach plaintiffs still face an uphill battle in bringing suit for intangible damages. See, e.g., In re Adobe Sys., Inc. Privacy Litig., No. 13-CV-05226-LHK (N.D. Cal. Sept. 4, 2014).
One year ago, St. Joseph Services Corporation and St. Joseph Regional Health Center (collectively “St. Joseph”) reported that hackers had infiltrated its computer network and gained access to the names, social security numbers, birthdates, addresses, medical records, and bank account information of approximately 405,000 patients. The Texas-based healthcare provider arranged to provide potentially affected patients with one year of free credit monitoring and identity theft protection. It also encouraged victims to take steps to safeguard personal information by monitoring credit reports and account statements.
Named plaintiff Beverly Peters, a former patient of St. Joseph, sued the healthcare provider via class action for violations of the Fair Credit Reporting Act (FCRA), claiming that but for its failure to safeguard her personal information and notify her of the breach in a timely way, her identity would not have been exposed, stolen, or misused. Specifically, she alleged that individuals fraudulently attempted to access her Amazon.com account and make retail purchases with her Discover card. She also reported receiving unsolicited telephone and email communications from medical products and service companies. In this way, she and other class members were particularly vulnerable to future attacks by thieves seeking to commit any number of identity theft-related crimes.
In order to satisfy Constitutional requirements for standing, plaintiffs must establish the existence of an injury that is “concrete, particularized, and either actual or imminent.” Clapper v. Amnesty Intern. USA, 133 S. Ct. 1138, 1147 (2013). Prior to Clapper, a split existed among the Third, Seventh, and Ninth Circuits over whether the increased risk of harm to victims of data security breaches constituted “imminent injury” under Article III. See, e.g., Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. 2007); Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) (finding such risk sufficient to confer standing); but see Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (holding that risk falls short of Constitutional requirements). Clapper, however, resolved the split and held that a threatened injury must be “certainly impending” in order to satisfy Article III standing. Clapper, 133 S. Ct. at 1147. In other words, data breach plaintiffs who do not suffer actual misuse of stolen information may be left without a remedy.
Like many other data breach defendants in the wake of Clapper, St. Joseph moved to dismiss for lack of standing. Specifically, St. Joseph emphasized that Discover never charged Peters for the fraudulent purchase, closed her account to prevent future fraud, and issued her a new secure card. St. Joseph further noted that Peters changed her Amazon.com and Yahoo passwords after her accounts had been compromised. In this way, they argued, Peters did not suffer a quantifiable actual or imminent injury as a result of the data breach.
Southern District Judge Kenneth Hoyt agreed, reiterating that Peters could not describe her injuries without beginning the explanation with the word “if.” The court explained that Peters’s theory of standing relied on a “highly attenuated chain of possibilities” and, as such, failed to satisfy the requirement that the threatened injury be “certainly impending.” In other words, the court concluded, her alleged future injuries were speculative at best.
The court further rejected Peters’s assertion that she suffered present injury because the risk of surveillance forced her to take costly and burdensome measures to protect the confidentiality of her identity. It explained that costs incurred to monitor “hypothetical future criminal acts” are not “actual injuries” that confer standing. Clapper, 133 S. Ct. at 1150-51 (reasoning that otherwise, “enterprising plaintiffs would be able to secure a lower standard for Article III standing simply by making an expenditure based on nonparanoid fear”). Rather, prophylactic spending to monitor credit services and “ease fears of future third-party criminality” was a speculative measure not proximately caused by St. Joseph’s conduct. As such, the court granted the motion to dismiss.
This case demonstrates the difficulty for data breach plaintiffs to bring suit, particularly where damages are intangible or impending. Although sweeping attacks on corporate technology systems continue to occur with increased frequency, victims face an uphill battle in securing judicial relief.