Do plaintiffs in data breach cases have a leg to stand on?

By Kacie Donovan.

Data breaches and resulting amounts of compromised personal information are increasing rapidly. The FBI has said “[T]here are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.” Unsurprisingly, plaintiffs affected by these ever-common data breaches are seeking relief in court.

Standing doctrine is a hotly contested battleground for the parties to litigation following a data breach. In some courts, plaintiffs experience difficulty demonstrating that the theft of their data alone gives them standing. Several courts require that the data be misused in order for a plaintiff to establish standing.

Background on Standing in Data Breach Litigation

Justice Scalia once described standing in “pedestrian terms,” as the “answer to the very first question that is sometimes rudely asked when one person complains of another’s actions: “What’s it to you?” In other words, standing doctrine determines whether a person is the proper party to bring suit in federal court. Standing doctrine comes from the Constitution, namely Article III’s “case and controversy” requirement and serves values such as sharpened judicial decision making and judicial economy.

In order to establish standing, a plaintiff must show:

  1. An “injury in fact that is ‘concrete and particularized,’ and ‘actual or imminent,’ not ‘conjectural or hypothetical.’”
  2. The injury must be “fairly traceable” to the alleged unlawful conduct.
  3. It must be “likely” as opposed to speculative that a court can redress the injury.

The battle for standing in data breach cases concerns the “injury in fact” requirement. Specifically, when a plaintiff’s data has been compromised, but not (yet) misused, can they establish a sufficiently concrete injury- in-fact based only on a heightened risk of identity theft? Federal Circuit courts are currently split on this issue.

The Heightened Risk Standard

The Sixth, Seventh, Ninth, and D.C. Circuits have held that plaintiffs can establish standing based on a heightened risk of identity theft alone.

An illustrative case is the Seventh Circuit’s decision in Lewert v. P.F. Chang’s China Bistro, Inc. In Lewert, hackers breached P.F. Chang’s credit card machines in order to obtain customer’s card information.The Court held that plaintiffs had standing based on a heightened risk of identity theft because, “it is plausible to infer a substantial risk of harm from the data breach, because a primary incentive for hackers is ‘sooner or later to make fraudulent charges or assume those consumers identities.’”

The “Risk-Plus” Standard

The Third, Fourth, and Eighth Circuits have held that a heightened risk of identity theft is not an actual or imminent injury sufficient to confer standing. These circuits require some misuse of the data for standing to be established.

Typical of this side of the circuits’ reasoning is the Third Circuit’s decision in Reilly v. Ceridian Corporation. In Reilly, a payroll processing firm that collected employee information from 1,900 companies in order to issue paychecks was hacked.

The Third Circuit denied the plaintiffs’ claim of an increased risk of identity theft. The court pointed out that the plaintiffs’ contentions relied on “speculation that the hacker: (1) read, copied, and understood their personal information; (2) intends to commit future criminal acts by misusing the information; and (3) is able to use such information to the detriment of [plaintiffs] by making unauthorized transactions in [plaintiffs’] names.” The Third Circuit also noted that the alleged risk of future injury was further attenuated because it was dependent on the future actions of an unknown third-party.

Additionally, this side of the circuit split has argued that data breaches are increasingly motivated by espionage and other cybercrime, rather than identity theft, in which case a concrete injury in fact would never materialize. Thus, granting judicial review would be frivolous.

Moving Forward

The Supreme Court has not yet directly addressed the issue of standing in data breach cases and declined to do so this term. Because data breaches are not going away, the Supreme Court’s reluctance to take certiorari is considered a setback for those seeking clarity in this area of the law.

As a result, plaintiffs will likely to bring their suits in more favorable venues in order to have a better chance of surviving the standing inquiry and businesses will continue to develop comprehensive cybersecurity protocols to reduce their chances of litigating in this uncertain landscape.