Two recent decisions out of the U.S. District Court for the District of Maryland illustrate the difficulty that cyber breach victims can have in establishing standing to sue. In both cases, the court dismissed the cyber breach suits for lack of standing because the plaintiffs had not yet sustained actual damages. The decisions reflect that whether a cyber breach victim has suffered cognizable damages is extremely fact intensive. Notably, the cases were dismissed or remanded for lack of subject matter jurisdiction under Federal Rule of Civil Procedure 12(b)(1), which can be raised at any point and is never waived.
Chambliss v. CareFirst, Inc., 1:15-cv-02288, involved a well-publicized data breach at CareFirst, a health insurance provider. Data breaches of confidential personal information of CareFirst’s subscribers occurred in 2014 and 2015. The personal information included the names, birthdays, e-mail addresses, and subscriber identification numbers of 1.1 million people. Plaintiffs sought to bring a putative class action alleging that CareFirst should have known earlier that the breaches could occur, as the stolen information was “highly coveted by and a frequent target of hackers.”
Plaintiffs further claimed that they had a reasonable expectation that their confidential personal information would remain private and confidential. Due to CareFirst’s failure to secure the personal information, plaintiffs claimed that they “have lost or are subject to losing money and property.” However, as the Court noted, the plaintiffs did not allege that they had yet suffered any actual injury, and thus there was not yet a ripe controversy under Article III of the Constitution.
The facts in Khan v. Children’s National Health System, 8:15-cv-02125, were substantially similar. Mr. Khan filed a putative class action against Children’s National Health System, asserting that hackers had obtained access to certain employee e-mail accounts that contained subscriber personal data.
Judge Chuang considered the increased risk of identity theft to be plaintiff’s most promising argument that she had an injury that could support Article III standing. Judge Chuang noted that district courts and even circuit courts have differed on whether identity theft is a cognizable injury that can support standing. However, he noted that rather than applying a different legal standard, the difference in the courts’ treatment of these cases is largely determined by their unique facts.
Both courts noted that the plaintiffs had not alleged that their data had yet been misused in any way. In Chambliss, the court also observed that the breach compromised names, birth dates, email addresses and subscriber identification numbers, not their social security numbers, credit card information or any other similarly sensitive data that could heighten the risk of harm. (The Court may have been overly optimistic about whether names, birth dates and subscriber identification numbers can be used in a nefarious way.)
Both judges also rejected the claim that the plaintiffs had suffered harm in the way of mitigation costs, such as expenses incurred from obtaining credit monitoring services. The Chambliss Court reasoned that a plaintiff cannot manufacture standing by inflicting harm on himself, and the Khan Court stated that incurring costs as a reaction to a mere risk of harm does not establish standing if the harm to be avoided is not itself “certainly pending.” Both judges also disregarded claims for decreased value of personal information, especially since plaintiffs had not yet alleged that they attempted to sell their personal information and/or that they were forced to accept a decreased price for that information.
The Maryland District Court in these two cases joined other courts across the nation in holding that there is no standing to sue, and thus no subject matter jurisdiction, until there has been actual misuse of data. In layman’s terms, the message to those affected by cyber breaches is, “Come back when you have a real problem.”
The judges in Chambliss and Khan probably got this right. Still, it seems like only a matter of time before the hackers in those cases misuse the stolen data and, unwittingly, convey standing on their victims.