Fourth Circuit: Unsubstantiated Risks Related to Data Breach Insufficient for Article III Standing

Civil Justice/Class Actions

Cruz-Alvarez_FFrank Cruz-Alvarez, a Partner in the Miami, FL office of  Shook, Hardy & Bacon L.L.P. with Rachel Forman, an Associate with the firm.

On February 6, 2017, the U.S. Court of Appeals for the Fourth Circuit, in the consolidated appeal Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), affirmed the district court’s order dismissing the plaintiff veterans’ putative class-action claims against the Secretary of Veterans Affairs and Dorn Veterans Affairs Medical Center (“Dorn VAMC”) officials for lack of subject-matter jurisdiction.  The Fourth Circuit held that the plaintiffs “failed to establish a non-speculative, imminent injury-in-fact for purposes of Article III standing.” Id. at 267.

The plaintiffs in the consolidated appeals are veterans whose claims arose when (1) a laptop that contained unencrypted and sensitive personally identifying information of 7,400 patients was misplaced or stolen from a department at Dorn VAMC (“Beck plaintiffs”); and (2) four boxes of pathology reports containing the same type of identifying information of over 2,000 patients had been misplaced or stolen (“Watson plaintiff”) (collectively, the “plaintiffs”).

The plaintiffs filed two separate lawsuits against Dorn VAMC seeking declaratory relief and money damages under the Privacy Act of 1974, 5 U.S.C. § 552a et seq., for violations of the Act that caused “the threat of current and future substantial harm from identity theft and other misuse of their Personal Information,” and seeking injunctive relief under the Administrative Procedure Act (“APA”), 5 U.S.C. § 701 et seq, against the VA and Dorn VAMC.  The defendants moved to dismiss the Beck plaintiffs’ claims for lack of subject-matter jurisdiction but the motion was denied.  After discovery, the defendants renewed their motion to dismiss and alternatively moved for summary judgment, which the district court granted in its entirety, holding that pursuant to Clapper v. Amnesty International USA, 133 S. Ct. 1138, 1155 (2013), the Beck plaintiffs lacked Article III standing (1) under the Privacy Act because there was not enough evidence of a “certainly impending” risk or “substantial” risk of future harm of identity theft; and (2) to seek injunctive relief under the APA because it was speculative that the plaintiffs’ personal information will be compromised again resulting in injury.

The defendants also moved to dismiss the Watson plaintiff’s claims, which the district court granted, holding that pursuant to Clapper, the plaintiff lacked Article III standing under the Privacy Act because there were no allegations of actual or attempted misuse of her personal information.  The district court also found that the Watson plaintiff’s claims for  injunctive relief under the APA failed because Dorn VAMC’s alleged history of failing to protect personal information, alone, did not establish that the plaintiff remained in danger of sustaining injury.

On appeal, the Fourth Circuit’s primary inquiry was whether the plaintiffs’ established an injury in fact.  Notably, the court found the standard in Clapper to be controlling:  that a threatened injury must be certainly impending.  The court rejected the applicability of Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) because the plaintiffs did not allege that Dorn VAMC’s violations of the Privacy Act alone constitute an Article III injury in fact. 

Turning first to the plaintiffs’ argument that the risk of future identity theft established an injury in fact, the court recognized the circuit split between its sister courts, explaining that the Sixth, Seventh, and Ninth Circuits recognize that plaintiffs can establish such an injury in fact at the pleading stage, but that the First and Third Circuits have rejected mere allegations of future identity theft.  The court disagreed that the Sixth, Seventh, and Ninth Circuit cases control because they involved allegations where (1) a data thief targeted the personal information that was compromised, or (2) a data thief misused or accessed the compromised personal information.  The Fourth Circuit highlighted that the plaintiffs not only failed to assert similar allegations, but also rested their claims solely on the increased risk of future identity theft based on an attenuated chain of possibilities.

The panel next assessed whether there was a substantial risk the harm alleged could occur.  The court rejected the plaintiffs’ statistical generalities about the consequences of health-related data breaches.  It also concluded that even though the VA’s investigation into the incidents found a “potential misuse of information” and the defendants offered free credit monitoring services to the plaintiffs, this was not enough to identify a substantial risk of harm because under Clapper, “a threatened event can be ‘reasonabl[y] likel[y] to occur but still be insufficiently ‘imminent’ to constitute an injury-in-fact.”  Beck, 848 F.3d at 276 (citing Clapper, 133 S. Ct. at 1148–48).  As a last-ditch attempt to establish Article III standing, the plaintiffs also argued that they established injury in fact because they have incurred or will incur the cost of measures to defend against identity theft, but the Fourth Circuit likewise rejected that argument as a “repackaged version of [plaintiffs’] first theory of standing” because the cost incurred was in response to a speculative, not impending, threat of harm.  Id. (quoting Clapper, 133 S. Ct. at 1151).

The court finally rejected the plaintiffs’ claims for injunctive relief for lack of Article III standing because the Dorn VAMC’s previous data breaches, including the two alleged by the plaintiffs, did not rise to the level of a “real and immediate” threat of injury nor establish a sufficient likelihood that the plaintiffs will be wronged again in a similar way; there was no continuing case or controversy.  Thus, the Fourth Circuit affirmed the district court’s dismissal of all claims.

Beck is one more decision weighing in on Article III standing—a focal point in the ever-increasing trend of data breach litigation.  One strategic takeaway for a defendant is that should a plaintiff’s claims survive the pleading stage, the defense should be armed and ready to re-litigate Article III standing on summary judgment when a plaintiff fails to produce evidence of actual harm or a substantial risk of harm.  Beyond that, defendants can rest assured that Beck raises the burden for a plaintiff to establish Article III standing in a data breach case within the Fourth Circuit, departing from the trend in the Sixth, Seventh, and Ninth Circuits.  Plaintiffs can no longer rely on bare allegations of future identity theft; a defendant’s offering of data breach mitigation services to consumers, such as credit monitoring services; or personally incurred mitigation costs to infer a certainly impending and substantial risk of harm of future identity theft.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s