On the heels of the Target settlement, another security data breach class action has been dismissed for lack of standing under Article III. In the lawsuit In re Horizon Healthcare Servs., Inc. Data Breach Litig., 2015 WL 1472483 (D.N.J. Mar. 31, 2015), a federal district court held that class plaintiffs alleged neither sufficient injury nor causation to establish standing.
In that case, an unknown thief stole from the company’s headquarters two password-protected laptop computers containing personal information of company members. Id. at *1. The company reported the theft to law enforcement the next day. A month later, it notified potentially affected members of the theft by letter and press release. Id. In its notification, the company informed members that “[d]ue to the way the stolen laptops were configured, we are not certain that all of the member information contained on the laptops is accessible.” It also offered credit-monitoring protection. Id.
Plaintiffs filed a putative class action on behalf of themselves and other company members whose information was housed in the stolen laptops. Plaintiffs alleged they were “placed at an imminent, immediate, and continuing increased risk of harm from identity theft, identity fraud, and medical fraud, requiring them to take the time and effort to mitigate the actual and potential impact of the Data Breach on their lives.” Id. The company moved to dismiss on the basis that plaintiffs had not alleged injury or causation to satisfy standing under Article III of the United States Constitution.
To establish standing, a plaintiff must show:
(1) an ‘injury in fact,’ i.e., an actual or imminently threatened injury that is ‘concrete and particularized’ to the plaintiff; (2) causation, i.e., traceability of the injury to the actions of the defendant; and (3) redressability of the injury by a favorable decision by the Court.
Id. at *2. While all three elements are constitutionally required for standing, the injury-in-fact requirement is perhaps the one litigated most often in data breach cases.
An alleged future injury must be “imminent” and “certainly impending” to constitute an injury-in-fact. Allegations of possible future injury are insufficient. E.g., Clapper v. Amnesty Int’l USA, — U.S. –, 133 S. Ct. 1138 (2013). A plaintiff must also show a “causal connection” between the injury and the alleged wrongful conduct. The standard for this criterion is less than that of proximate causation in tort law, but requires more than mere speculation. Id. at *3. “[T]he injury has to be fairly traceable to the challenged action of the defendant, and not the result of the independent action of some third party not before the court.” Id. (emphasis added).
The case involved four named plaintiffs, three of whom alleged injury based on economic injury, violation of statutory law, and imminent risk of future harm (i.e., increased risk of fraud and identity theft). The company argued that because these plaintiffs did not allege that their personal information had been accessed or misused, or that they had suffered unauthorized withdrawals from bank accounts, or identity theft, they failed to allege concrete and particularized harm to satisfy standing. Id. at *4. The Court agreed.
The Court, comparing the claims before it with another case in which plaintiffs suffered identity theft, and in which fraudulent bank accounts and credit cards had been opened and charged, concluded that plaintiffs’ generalized allegations did not show particularized injury. Because plaintiffs did not allege they had carefully guarded their information, or suffered monetary loss, or injuries like identity theft or medical fraud, they did not allege “economic injury” to satisfy standing. Id. at *5. The Court also held that violations of statute or common law do not create standing. The Court explained:
Standing does not merely require a showing that the law has been violated, or that a statute will reward litigants in general upon showing of a violation. Rather, standing demands some form of injury—some showing that the legal violation harmed you in particular, and that you are therefore an appropriate advocate in federal court. [Brackets and quotation marks in text omitted.]
Id. Simply put, a plaintiff cannot rely upon legal violations to bootstrap standing.
Finally, the Court determined that allegations of increased risk of identity theft do not confer standing – an issue that is perhaps the most hotly disputed area of Article III standing in data breach cases. Many courts have held that allegations of increased risk of identity theft, and accompanying claims of economic injury from subscriptions to credit-monitoring services, do not allege imminent, “certainly impending” injury necessary to confer standing. E.g., In re Science Applications Int’l Corp. (SAIC), — F. Supp. 2d –, (D.D.C. May 9, 2014); Galaria v. Nationwide Mut. Ins. Co., 998 F. Supp. 2d 646 (S.D. Ohio 2014). However, other federal courts have held differently. E.g., In re Adobe Sys. Inc. Privacy Litig., (N.D. Cal. Sept. 4, 2014). The critical factor appears to be whether the stolen data was targeted by data thieves in a manner that would suggest the data’s later use.
Horizon did not depart from this evolving line of jurisprudence, holding that the absence of evidence indicating that the laptop thief would or could use plaintiffs’ information foreclosed any standing from mere allegations of increased risk. The Court was guided in its conclusion by the Third Circuit’s decision in Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011), a network breach case, and also by Polanco v. Omnicell, Inc., 988 F. Supp. 2d 451 (D.N.J. 2013), a stolen laptop case.
Reilly involved an unknown hacker who infiltrated a payroll processing firm’s computer system, potentially gaining access to the information of approximately 27,000 employees. Id. at *5. In Reilly, as in the present case, the company worked with law enforcement and investigators to identify the information the hacker may have accessed, notified affected persons, and offered free credit-monitoring protection. Id. In the ensuing data breach litigation, the Reilly court held that “an increased risk of identity theft resulting from a security breach was insufficient to secure standing” because there was no indication that the hacker had read and understood the stolen personal information, intended to misuse it, or even had the ability to do so. Id. To suggest otherwise without proof was speculation. Id. In the present case, the Court held that the same circumstances were present:
With respect to “an imminent risk of future harm”, Plaintiffs contend that, despite their lack of injury thus far, “identity theft could occur at moment”. (Pls.’ Opp’n at 15.) The Third Circuit’s decision in Reilly is both squarely on point and binding on this Court.
In so holding, the Court also rejected plaintiffs’ argument that “[t]he imminence of future harm in data breach cases depends upon two factors: (1) whether any of the compromised data was misused post-breach, causing injury, and (2) whether the facts surrounding the data breach indicate that the data theft was sophisticated, intentional, or malicious.” Id. at *6. Even assuming that such a standard were applicable, the Court held that plaintiffs failed to satisfy it. Plaintiffs had not alleged post-breach misuse of compromised data. Id. They also failed to allege a sophisticated breach:
With respect to the “sophisticated, intentional, or malicious” nature of the data breach—a factor supported only by oblique dicta in Reilly—the Court fails to see how the theft of Horizon laptops here is any more “sophisticated, intentional, or malicious” than the taking of a laptop from a locked car in Polanco or the hacking of a computer system in Reilly. If anything, hacking a computer seems to require more planning, savvy, and sophistication than the simple theft of two laptops.
Id. at *6.
Finally, the Court reasoned that plaintiffs’ claims of increased risk ultimately rested on the same conjecture rejected in Reilly:
Additionally, compared to hypothetical string of events identified in Reilly, Plaintiff’s injury is even more attenuated: (1) the crook must gain access to the information on the password-protected laptops, (2) he or she must read, copy, and understand the personal information; (3) he or she must intend to commit future criminal acts by misusing the information; and (4) the perpetrator must then be able to use such information to the detriment of Plaintiffs by making unauthorized transactions in Plaintiffs’ names. See Reilly, 664 F.3d at 42. As in Reilly and other data breach cases, Plaintiffs’ future injuries stem from the conjectural conduct of a third party bandit and are therefore inadequate to confer standing.
Id. For these reasons, the claims of increased risk did not satisfy standing.
The lawsuit’s fourth named plaintiff alleged fraudulent charges to his credit card and that the laptop thief had filed a fraudulent joint tax return under his and his wife’s names. However, these allegations failed to show causation. There was no evidence that the filed tax return had any connection to the stolen laptops. Underscoring this conclusion were the facts that (1) personal information belonging to plaintiff’s wife was not on either stolen laptop and (2) no other putative class member alleged identity theft. Id. In addition, plaintiff admitted to receiving his tax refund. Id. at *8. Therefore, even if there were a causal connection, there was no injury.
Similarly, because plaintiff’s credit card information had not been on the laptops, any alleged injury from fraudulent charges to the card was not “fairly traceable” to the laptops’ theft. The Court explained:
Defendant points out, and Rindner does not contest, that current credit card information (as opposed to a new credit card, which can be fraudulently obtained using a stolen Social Security number) was not on the stolen laptops. (Def.’s Reply at 2.) Thus, any harm stemming from the fraudulent use of Rindner’s current credit card is not “fairly traceable” to Defendant.
Id. at *9.
What This Case Means. Most data breach class actions assert some form of injury from increased risk of identity theft. A few also allege fraudulent financial charges. Realistically, however, not every data breach results in actual injury. Nor is every fraudulent charge on a credit card the result of a headlined data breach. For this reason, Article III standing has become a golden defense in the relatively early stages of data breach litigation. For more information, see Mooney, J., “Standing In Data Breach Litigation: Lessons From 2014,” Law360 Privacy, 1/6/2015.
This case continues the emerging line of case law holding that, in the absence of evidence indicating imminent use of stolen data, claims of increased risk of identity theft do not meet the imminent and certainly impending injury requirement for standing. The case also shows that allegations of fraudulent charges and actual identity theft are not enough – a plaintiff still must plead enough evidence to show a causal connection between the injury and the data breach.