Companies Outside Retail And Financial Industries May Have Additional Arguments To Challenge Standing In Data Breach Cases

04 December 2017 Consumer Class Defense Counsel Blog
Authors: Eileen R. Ridley, Irina N. Kashcheyeva

The data breach at the U.S. Office of Personnel Management was one of the most serious and possibly one of the top ten largest data breaches of the 21st century, compromising background investigation records for some 22 million current and former federal employees.  But a class action lawsuit brought on behalf of those employees was recently dismissed for lack of Article III standing.  In that case, In re U.S. Office of Pers. Mgmt. Data Sec. Breach Litig.[1] (“OPM Data Security Breach”), the U.S. District Court for the District of Columbia concluded that, with the exception of two employees who had incurred unreimbursed out-of-pocket expenses to remedy actual identity theft, the named plaintiffs failed to establish injury-in-fact.[2]  The court reached this conclusion even with respect to plaintiffs who had incurred fraudulent charges (for which they ultimately did not have to pay), who alleged that they had suffered stress due to a fear of identity fraud, and who had purchased credit monitoring services.  The court was influenced by reports that the breach had been perpetrated by the Chinese government, and did not jeopardize the kind of credit card or other financial information that could be useful in committing credit card fraud.[3]  Thus, the court in OPM Data Security Breach was not willing to make assumptions about the likelihood of future harm, although such claims are routinely made (albeit with mixed success) in the context of retail and financial establishment breaches that involve a theft of credit card information.[4]

Even with respect to the two plaintiffs in OPM Data Security Breach who had incurred unreimbursed expenses to rectify actual identity theft, the court found that the complaint did not plausibly allege a connection between the data breach and the claimed harm.[5]  The court observed that all those plaintiffs could point to regarding the required nexus was that the data breach had preceded the identity theft.  But the court was not ready to presume that the theft had not been committed by other criminals or as a result of some other data breach, particularly where around 3.3 percent of the general population will experience some form of identity theft, regardless of the source, and in this case, identity theft had affected only 0.00009 percent of individuals.[6]  Similarly, because the court did not believe that identity theft was impending, the court was not swayed by the out-of-pocket expenses some of the employees had incurred for credit monitoring services.[7]

The OPM Data Security Breach matter illustrates that standing remains a robust defense in data breach cases, particularly in cases that do not involve a breach of financial information.  Other recent cases exemplify this principle.  For example, in K.R. Stapleton on behalf of C.P. v. Tampa Bay Surgery Ctr., Inc.,[8] a federal district court in Florida recently tossed a lawsuit against a medical center arising out of a data breach exposing information of over 142,000 of its patients.[9]  The information, which was posted on a public file-sharing website, included children’s names, dates of birth, home addresses, and social security numbers.[10]  In dismissing the case for lack of standing, the court relied on the absence of any suggestion that the information had actually been misused for any of the 142,000 patients affected.[11]  The court also found that the alleged imminent nature of the harm was mitigated because the defendant provided free credit monitoring, including a credit lock service, for everyone affected by the breach.[12]  Thus, because patients would suffer actual harm only if a series of unlikely events were to occur (including that the credit lock would somehow be inadequate to prevent information misuse), the threshold of impending injury or substantial risk that harm would occur was not met.[13]

Finally, earlier in the year, in Foster v. Essex Prop., Inc.,[14] yet another court dismissed a class action against a real estate management company related to a data breach that compromised information of the company’s tenants, including their rental applications and files.  Although the named plaintiffs were able to point to unauthorized charges on their credit cards, the defendant rebutted a causal connection between these charges and the breach by submitting affidavits attesting to the fact that the plaintiffs’ credit cards and other personal information had not been stored on the company’s system and, in fact, the plaintiffs had never paid rent using a credit or debit card.[15]  Based on this unrebutted evidence, the court concluded that the data breach could not have been the cause of the unauthorized charges, and dismissed the case.[16]

Cases in the data breach context frequently hark back to the U.S. Supreme Court’s standing analysis in Clapper v. Amnesty Int’l USA.[17] Clapper involved a constitutional challenge to a provision of the Foreign Intelligence Surveillance Act of 2008 (“FISA”) allowing the United States to conduct foreign intelligence surveillance without having to meet some requirements of traditional FISA surveillance.  The respondents, a group of international organizations, lawyers, and media personnel, asserted that they were likely to be targets of surveillance and thus had standing to sue.  The high court disagreed, finding it speculative whether the Government would target communications to which the respondents were parties, particularly where they did not allege that the Government had ever sought approval for surveillance of their communications, did not explain how the Government chooses its targets, and could only speculate whether the FISA court would authorize such surveillance and whether the surveillance would ultimately be successful.[18]  Notably, even though some of the challengers had taken costly and burdensome measures to protect the confidentiality of their communications, the Supreme Court rejected the assertion of standing on this basis, noting that “respondents cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”[19]

The application of Clapper in the data breach context has varied among different courts. See, e.g., In re Yahoo! Inc. Customer Data Sec. Breach Litig., No. 16-MD-02752-LHK, 2017 WL 3727318, at *12 (N.D. Cal. Aug. 30, 2017) (holding that plaintiffs established standing because they suffered an increased risk of future identity theft as a result of data breaches); In re SuperValu, Inc., 870 F.3d 763, 772 (8th Cir. 2017) (finding that although allegations of future injury are insufficient, the named plaintiffs alleged a present injury-in-fact because they suffered a fraudulent charge on the credit card used to make purchases at defendants’ stores affected by the data breaches).  Still, the recent decisions in OPM Data Security Breach, Tampa Bay Surgery and Foster bolster Clapper’s rationale and hesitation to infer imminent injury and causation with a breach, particularly as applied to defendants outside the retail or financial services industry.  Even companies that do collect credit card and other similar financial information should explore whether the named plaintiffs’ files indeed included the type of information that could lead to identity theft and unauthorized charges, to evaluate a potential challenge to redressability and causation in the named plaintiffs’ cases.

[1] No. MC 15-1394 (ABJ), 2017 WL 4129193, at *1 (D.D.C. Sept. 19, 2017), appeal pending.

[2] Id. at *11-25.

[3] Id. at *22-23.

[4] See id. at *2.

[5] Id. at *25.

[6] Id. at *27.

[7] Id. at *25.

[8] Id.

[9] No. 8:17-CV-1540-T-30AEP, 2017 WL 3732102, at *1 (M.D. Fla. Aug. 30, 2017).

[10] Id.

[11] Id. at *3.

[12] Id.

[13] Id.

[14] No. 5:14-CV-05531-EJD, 2017 WL 264390, at *2 (N.D. Cal. Jan. 20, 2017).

[15] Id. at *2-3.

[16] Id. at *3.

[17] 568 U.S. 398 (2013).

[18] Id. at 411-14.

[19] Id. at 416.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. 
In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.
