Cyber attacks causing widespread data breaches are more prevalent than ever. In the early months of 2018, Facebook revealed that Cambridge Analytica had ‘scraped’ the detailed personal information of 87 million users, prompting an intense Congressional investigation with a class action pending. In 2013 Yahoo’s 3 billion accounts were hacked, although the former internet leader did not discover the breach until a few years later. The class action price tag: $85 million. In early 2014 eBay found that 145 million users’ account passwords had been breached. Class action lawsuit: dismissed.
Just imagine a long list with equally disparate judicial results. One big reason: not all cyber attacks or data breaches are the same. Different breaches give rise to different risks of harm. Sometimes a data breach obtains ‘Personally Identifiable Information’ (PII) such as names, addresses, email addresses, birthdates, places of birth, and biometric data. Other times it obtains social security, driver’s license, and passport numbers. In other circumstances, financial account numbers, passwords, credit card numbers, and medical records are obtained.
Breaches also differ depending on how the compromised data was stored. Was the data encrypted? Is the data only accessible with specialized equipment and software? How did the breach occur? Were phishing, ransomware, malware, skimming, scraping, unauthorized access, insider theft, accidental exposure, employee error, improper disposal, and/or physical theft involved? The wide variety of exposure fact patterns often determines the level of harm caused by the breach, or alternatively, whether the alleged harm is too speculative to give class action plaintiffs standing, generating a unique split in the law among nine different federal circuits of the U.S. Court of Appeals. And these issues will only change and evolve as misuse varies and technology continues to change. New sources of information, such as biometric databases, retinal scans, fingerprints, and genetic profiles, are newly considered courtroom issues in determining whether a plaintiff has standing to sue, either individually or as a class representative.
As in any lawsuit, the plaintiff must demonstrate ‘injury.’ In Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC) Inc., the U.S. Supreme Court held that for a plaintiff to maintain a lawsuit it must show:
1. it has suffered an “injury in fact” that is
2. concrete and particularized, and
3. actual or imminent, not conjectural or hypothetical;
4. the injury is fairly traceable to the challenged action of the defendant; and
5. it is likely, as opposed to merely speculative, that a favorable decision will redress the injury.
Of concern in data breach cases is the Supreme Court standard that a plaintiff threatened with future injury has standing to sue “if the threatened injury is ‘certainly impending,’ or there is a ‘substantial risk that the harm will occur’” (Susan B. Anthony List v. Driehaus), or, as stated in its earlier decision in Lujan v. Defenders of Wildlife, the injury must be “actual or imminent, not conjectural or hypothetical.” In Clapper v. Amnesty International USA, the plaintiffs alleged that the Foreign Intelligence Surveillance Act caused them greater inconvenience and higher costs because they needed to conduct secure communications with parties overseas whom the U.S. Government probably targeted for surveillance. Finding the plaintiffs’ theory too speculative, the court required that allegations of future harm be “certainly impending” and held that “allegations of possible future injury are not sufficient,” while commenting that plaintiffs do not need proof that the stated harm was “literally certain” to occur.
Cyber or other criminals have stolen your data from a third party, but to date no adverse effects are known. Does the U.S. consumer have standing and a remedy? Are they necessary if no harm has yet occurred? Why would hackers steal information and never use it? Is it just a problem waiting to happen?
And Not so Basic - Federal Circuits Almost Equally Divided
Faced with these issues, the federal circuits are almost equally divided. Five circuits, the Third, Sixth, Seventh, Ninth, and District of Columbia, have found that a reasonable future threat of identity theft is adequate to confer standing. Four circuits, the First, Second, Fourth, and Eighth, have found no standing to sue the holder of data subjected to a data breach based merely on the breach itself, requiring a greater threat instead.
3rd Circuit - In re Horizon Healthcare Services Inc. Data Breach Litigation involved two stolen laptops containing policyholders’ unencrypted personal information. Of over 800,000 Horizon members, a single plaintiff alleged that stolen information, a social security number, caused a denial of retail credit. Plaintiffs alleged that the defendants violated the Fair Credit Reporting Act by furnishing information in an unauthorized fashion, in that they failed to adopt reasonable procedures to keep confidential information secure, even though the disclosure resulted from theft. Standing was found based on the allegations of a direct violation of a statute. Courts often, but not always, find standing adequately pled on this basis alone.
6th Circuit - Galaria v. Nationwide Mutual Insurance Co. Two plaintiffs sought to represent a million putative class members after hackers breached the defendant’s network, stealing personal information. The complaint did not allege any damages suffered as a result of the hack, alleging instead that the “theft of their personal data places them at a continuing, increased risk of fraud and identity theft.” The Galaria court found that a “reasonable inference can be drawn that the hackers will use the victims’ data for … fraudulent purposes.”
7th Circuit - Remijas v. Neiman Marcus Group, LLC. Three hundred fifty thousand credit card numbers were breached, and 9,200 of them were used for fraudulent purposes. The department store chain reimbursed all fraudulent charges, but the plaintiffs alleged mitigation expenses, such as the time lost dealing with stolen personal data issues and protecting against potential future harm. The Remijas court found that the theft of the department store’s database “created sufficient risk that ‘identity theft or credit card fraud will occur’ … which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm.”
9th Circuit - In re Zappos.com, Inc. Because password data was stored in cryptographically scrambled form and credit card information was kept in a separate database, the cybercriminals used the stolen PII to lure victims into divulging more information. The district court dismissed the claims of class members who had not already suffered losses. In finding standing adequately pled, this circuit relied upon its earlier ruling in Krottner v. Starbucks Corp., where employees brought their action after a company laptop containing their PII was stolen. The court accepted the increased risk of future identity theft as a basis for standing because the data breach still provides hackers the means to commit identity theft or fraud.
D.C. Circuit - Attias v. CareFirst, Inc. Several health insurance companies’ databases containing the putative class members’ PII were breached. This circuit found that the mere fact that the information stored in those databases had been breached created a sufficiently ‘substantial risk’ of future identity theft to satisfy Article III standing requirements. Many of these courts point to the cybercriminals’ intent, along with the sheer fact that the data was stolen, as a valid basis to confer standing to sue.
No Standing Found
1st Circuit - Katz v. Pershing, LLC involved a putative class action against a stockbroker that charged fees to protect electronically stored non-public personal information while the data remained vulnerable to unauthorized access. The Katz court found that allegations that the “defendant’s failure to adhere to privacy regulations increases her risk of harms associated with the loss of her data” were alone insufficient to establish standing.
2nd Circuit - Whalen v. Michaels Stores, Inc. Hackers accessed credit card payment data. The plaintiff alleged attempted fraudulent purchases, a risk of future identity theft, and lost time and money spent resolving those attempts and monitoring her credit. The Second Circuit found that facing the risk of future harm because credit card information was stolen is not a “particularized and concrete injury.” The court found that lost time and money resolving attempted fraudulent charges, monitoring credit, etc., was not adequate to maintain standing.
4th Circuit - Beck v. McDonald. Thieves stole a laptop and boxes containing patients’ personal identifying information, such as names, physical addresses, partial social security numbers, and physical descriptions. Plaintiffs alleged only the breach and their costs for preventive actions. Plaintiffs argued that 33% of health-related data breaches result in identity theft. The court found that this key fact failed to demonstrate a “substantial risk,” adding that plaintiffs failed to show “a certainly impending risk of identity theft” and that standing could not derive from an “increased risk of future identity theft and the cost of measures to protect against it.”
8th Circuit - In re SuperValu, Inc. A supermarket chain suffered two cyber attacks in which customer financial information was alleged to have been accessed and stolen. No class members provided proof that their data was misused. The Eighth Circuit found that merely claiming a data breach does not suffice to establish standing.
Uncertain Road Ahead
The Supreme Court has already denied numerous writs of certiorari on these issues. Those opposing review argue that the fact patterns vary greatly and that a ‘split’ in the law among the circuits does not even exist; varying facts merely produce the appearance of a ‘split.’ Considering the wide array of criminal and technical possibilities, a simple standardized matrix for determining data breach standing will not be settled for quite some time.
In the meantime, keep changing your passwords! Hackers will still hack. Stay a step ahead of the bad guys and imperfect data managers.
At least you know your data is safe at Simpluris.