Cybersecurity incidents are on the rise, and so too is data breach litigation brought by plaintiffs who allege they were harmed by the unauthorized exposure of their personal information. Federal circuits across the United States are grappling with the issue of what satisfies the Article III standing requirement in data breach litigation, when often only a “risk of future harm” exists.
The United States Court of Appeals for the Fourth Circuit (“the Fourth Circuit”) is the latest circuit court to weigh in on standing in data breach litigation. In Hutton v. National Board of Examiners in Optometry, the court held that the plaintiffs satisfied the Article III standing requirement by alleging hackers stole and misused their personally identifiable information (PII), even though no financial loss was incurred. Circuit courts have been split on the issue of standing in the data breach context, with some courts finding standing where only a heightened “risk of future harm” exists, i.e. the likelihood that stolen data may be misused (Sixth, Seventh, and Ninth Circuits), while other circuit courts require actual harm such as financial loss (Second, Third, and Eighth Circuits). The Fourth Circuit in Hutton has reached a middle ground finding that actual theft and misuse of the PII satisfied the standing threshold, even though no pecuniary damages resulted.
In Hutton, the plaintiffs, members of the National Board of Examiners in Optometry (NBEO), noticed that credit card accounts were fraudulently opened in their names, which required knowledge of their social security numbers and dates of birth. Although the NBEO never admitted to a security breach, plaintiffs concluded that the NBEO was the only common source to which they had provided their personal information. As a result, plaintiffs filed a lawsuit alleging the NBEO failed to adequately safeguard their personal information.
The NBEO filed a motion to dismiss arguing that although fraudulent credit card accounts were opened, no actual harm had occurred, and thus the plaintiffs lacked Article III standing to sue. The U.S. District Court for the District of Maryland granted the NBEO’s motion, finding, inter alia, that plaintiffs failed to sufficiently allege they had suffered an “injury-in-fact” because they had incurred no fraudulent charges and had not been denied credit or required to pay a higher credit rate as a result of the fraudulent credit card accounts.
The Fourth Circuit, however, reversed the district court’s holding, concluding that credit card fraud and identity theft alone were sufficient to establish Article III standing. The court distinguished Hutton, from their ruling in Beck v. McDonald, in which the court concluded that the plaintiffs lacked standing because they only alleged a “threat of future injury” – laptops and boxes were stolen containing personal information, but that information was not misused. In Hutton, the court emphasized, unlike in Beck, plaintiffs were “concretely injured” as credit card accounts were open without their knowledge or approval, qualifying as misuse, even if fraudulent charges were yet to occur.
The circuit court split on the issue of Article III standing has made it difficult for businesses to assess the likelihood of litigation and its associated costs in the wake of a data breach. Until the Supreme Court weighs in on this issue, it is crucial for businesses to assess their breach readiness and develop an incident or breach response plan that takes into consideration the possibility of litigation.