A split continued to develop in the federal courts last month as the Fourth Circuit denied Article III standing to the plaintiffs in a data breach case whose alleged injuries were limited to the increased risk of future identity theft and the cost of measures to protect against it. The Fourth Circuit joins the First and Third Circuits in rejecting this theory as grounds for standing, finding it too great of a stretch. In contrast, the Sixth, Seventh and Ninth Circuits have all recognized in certain circumstances that, at the pleading stage, plaintiffs can establish an injury-in-fact based on possible future injury.
In the Fourth Circuit case, Beck v. McDonald, No. 15-1395 (4th Cir. Feb. 6, 2017), veterans in two consolidated cases alleged that the William Jennings Bryan Dorn Veterans Affairs Medical Center (Dorn VAMC), had violated the Privacy Act of 1974 and the Administrative Procedure Act (APA) after a laptop containing their unencrypted personal information, such as names, birthdates, and the last four digits of their social security numbers was stolen; and, in another case, four boxes of pathology reports containing confidential patient information went missing. The plaintiffs sought declaratory relief and monetary damages under the Privacy Act, and broad injunctive relief under the APA, potentially placing the entire VA’s privacy program under judicial oversight.
Upholding the districts court’s dismissal for lack of subject-matter jurisdiction, the Fourth Circuit found the plaintiffs’ grounds for standing did not satisfy the Supreme Court’s Article III standard that qualifies the threat of injury as an injury-in-fact: harm that is particular, concrete and imminent. The court found the increased risk of future identity theft to be speculative because, unlike the Sixth, Seventh and Ninth Circuit cases cited by plaintiffs, there was no evidence that any of the personal information had actually been accessed or misused. In those cases, the breaches at issue had been carried out by malicious hackers who intended to use the information they had culled for fraudulent purposes. In the absence of such facts, the Fourth Circuit reasoned, it must “engage with the same attenuated chain of possibilities” rejected by the Supreme Court in Clapper v. Amnesty International. It would have to assume not only that that the thieves targeted the stolen items for a pernicious purpose, but chose from thousands of people to use the personal information of the named plaintiffs to steal their identities.
In an attempt to establish that they faced a substantial risk of future harm, the plaintiffs argued that 33% of health-related data breaches result in identity theft. The court was not swayed, reasoning that, even if the figure were true, it would mean that over 66% of those affected would suffer no harm. The plaintiffs even took a stab at irony, deriding the VA’s offer to provide free credit monitoring services to affected individuals as a tacit admission that the plaintiffs faced a substantial risk of future harm. The court rejected this argument as well, though it acknowledged that other circuits have shown some tolerance on the issue. In response to the plaintiffs’ allegations that they had suffered an injury-in-fact because of expenses they have or will in the future incur to shield themselves against identity theft, the court characterized these mitigation efforts, like Clapper, as “self-imposed harms” because, again, there was no evidence that the threat of harm went beyond speculation. Finally, the court found that the allegations of “substantial harm,” “embarrassment,” “inconvenience” and “unfairness” under the Privacy Act and APA would not relieve them of the burden to prove Article III standing. Both statutes were interpreted as requiring evidence of actual harm.
One final note: the Fourth Circuit leaned on the procedural posture of Beck in making its decision. Since the plaintiffs’ standing was challenged not during the pleadings, but on summary judgment, which occurs after the discovery of evidence phase in litigation, the court held them to a higher threshold, demanding that allegations must be backed by specific facts to meet the burden of Article III standing.