
The Supreme Court Looks into Data Breach

On Behalf of | Jun 22, 2018 | Cybersecurity & Data Privacy

Hutton, et al., v. National Board of Examiners in Optometry, Inc., U.S. Court of Appeals for the 4th Circuit, No. 17-1506 (12 June 2018)

The plaintiffs are three persons who on different dates submitted their personal information to the National Board of Examiners in Optometry, Inc. (NBEO).  In July 2016, optometrists across the United States noticed that Chase Amazon Visa credit cards had been fraudulently opened in their names.  The creation of those fraudulent accounts, which required the use of an applicant’s correct social security number and date of birth, convinced several of the victims that data containing their personal information had been stolen.  Some of the victims discussed the thefts among themselves on a Facebook group dedicated to optometrists.  They determined that the NBEO was the only common source to which they had given their personal information.

The NBEO soon became aware of the concerns and suspicions of the victim optometrists, and in August 2016 the NBEO issued a statement that its data systems had not been compromised.  However, three weeks later NBEO revised its announcement and stated that it was still investigating, but the NBEO has never said that its data systems were breached.

The plaintiffs – Hutton, Kaeochinda and Mizrahi – sued in federal district court alleging negligence, breach of contract, breach of implied contract and unjust enrichment.  Hutton alleged damages in the form of time and money spent implementing credit freezes with the three credit agencies, Experian, TransUnion, and Equifax.  Kaeochinda alleged damages from her time and effort submitting reports to the FTC, IRS and the FBI.  Mizrahi alleged that her credit score was decreased shortly after a false credit card application and that Chase Amazon demanded certified letters and a police report to remedy the dispute over her credit score.

The NBEO moved to dismiss pursuant to FRCP 12(b)(1) for lack of jurisdiction because the plaintiffs did not have Article III standing.  To have Article III standing, a plaintiff must sufficiently allege three elements: (1) an injury-in-fact that is concrete and particularized; (2) a causal connection between the injury and the defendant’s conduct (i.e., traceability); and (3) the injury can be redressed by a favorable judicial decision. Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992).

The district court dismissed the lawsuits for lack of standing, citing Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), a case in which there was no evidence that information on a stolen laptop had been accessed or misused, and, therefore, there was no injury-in-fact.  However, in the instant case, the 4th Circuit reversed, distinguishing Beck and holding that under the facts alleged in the complaints the plaintiffs had Article III standing.

The Court acknowledged that “a mere compromise of personal information, without more, fails to satisfy the injury-in-fact element in the absence of evidence of an identity theft.”  However, in the instant case the plaintiffs “allege that they have already suffered actual harm in the form of identity theft and credit card fraud.  Plaintiffs have been concretely injured by the data breach because the fraudsters used – and attempted to use – the Plaintiffs’ personal information to open Chase Amazon Visa credit card accounts without their knowledge or approval.  Accordingly, there is no need to speculate on whether substantial harm will befall the Plaintiffs.”  Even though the plaintiffs have not suffered sizable economic loss, they can still have an injury-in-fact, because the Supreme Court long ago made clear that “interpreting injury in fact … standing [is] not confined to those who [can] show economic harm.”  United States v. Students Challenging Regulatory Agency Procedures, 412 U.S. 669, 686 (1973).

Here, the plaintiffs have incurred costs to mitigate future harm.  The 4th Circuit said that mitigation costs may not constitute injury-in-fact when the injury is speculative, but the Supreme Court has “recognized standing to sue on the basis of costs incurred to mitigate or avoid harm when a substantial risk of harm actually exists.” Clapper v. Amnesty Int’l USA, 568 U.S. 398, 414 n.5 (2013).  The 4th Circuit’s opinion in Hutton stands for the proposition that if the risk of future harm is substantial, then mitigation costs are sufficient injury-in-fact for Article III standing.  The key point is that everything depends on the magnitude of the risk of future harm.

Turning to the element of traceability of the harm to the defendant’s act, the 4th Circuit’s opinion is muddled on one point.  The court first said that traceability means a causal connection between the injury and the defendant’s conduct, citing Lujan v. Defenders of Wildlife, supra, 504 U.S. at 560-61 (1992); but later in the opinion the court said that the “fairly traceable standard is not equivalent to a requirement of tort causation.”  Are these statements contradictory?  Perhaps not, if “cause” for the purpose of Article III standing is distinct from proximate cause as an element of a tort.  The 4th Circuit obviously thinks that they are distinct.  I do not know if the Supreme Court would agree.

In Bank of America Corp. v. City of Miami, ___ U.S. ___, No. 15-1111 (1 May 2017), a case in which the issue was statutory (prudential) standing under the zone-of-interests test, not Article III standing, the Court held that the City of Miami failed to allege that the Bank’s conduct proximately caused the City’s injury.  The Court also said that the foreseeability of injury alone is not sufficient to establish proximate cause.  However, as mentioned, City of Miami is a prudential standing case, not an Article III standing case.

There is a basis for the 4th Circuit’s holding that the plaintiffs’ asserted injuries are traceable to the NBEO’s negligence, but the basis is not rock solid.  It is important to note that this is not a case in which the NBEO conceded that its data system was breached; its database may not have been breached, and the NBEO may not be the source of the plaintiffs’ injury.  Nevertheless, the 4th Circuit finds traceability because, according to the allegations, “. . . amongst the group of optometrists the NBEO is the only common source that collected and continued to store social security numbers that were required to open a credit card account . . . .”  The court’s opinion does not compare the number of optometrists whose data was compromised with the total number of optometrists in the NBEO’s database.  From the opinion, there is no way to judge the statistical probability of the court’s conclusion on traceability.  Is the percentage of optometrists whose data was stolen large enough to reasonably draw the conclusion that the NBEO is the only source?  Obviously, the 4th Circuit thinks so even though the statistics are not explained in the opinion.  The court said, “[p]ut simply, the Complaints contained sufficient allegations that the NBEO was a plausible source of the Plaintiffs’ personal information.”  Thus, in the 4th Circuit, “plausible source” is the legal standard for deciding if the plaintiff’s injury is fairly traceable to the defendant’s conduct.

Considering the many breaches of data systems in recent years, is the NBEO really a plausible source of the plaintiffs’ stolen information, or any more plausible than other data systems that have been hacked, such as the Office of Personnel Management (hacked twice), Equifax, Anthem, or SunTrust?  The 4th Circuit thinks so, on the facts alleged.  Of course, the 4th Circuit ruled on a case that was dismissed at the pleading stage, before an answer was filed and before discovery.  Eventually, the plaintiffs must prove by a preponderance of the evidence that the information used by the fraudsters was information hacked from the NBEO.

Hutton is not the first case addressing these issues.  In 2017, the U.S. Court of Appeals for the D.C. Circuit decided Attias v. CareFirst, Inc., 865 F.3d 620 (2017), a case similar to Hutton and reaching the same result.  In 2014, health insurer CareFirst, Inc. suffered a cyberattack in which customers’ personal information was allegedly stolen.  A group of CareFirst customers attributed the breach to the company’s carelessness and brought a putative class action.  The district court dismissed for lack of standing, finding the risk of future injury to the plaintiffs too speculative to establish injury-in-fact.  The court of appeals reversed, stating that the plaintiffs have “cleared the low bar to establish their standing at the pleading stage.”

As in Hutton, the issue was whether the plaintiff had Article III standing under the well-established standard set forth in Lujan v. Defenders of Wildlife, supra, and other cases.  A plaintiff must show that she has suffered an “injury-in-fact,” that is “fairly traceable” to the defendant’s actions, and that is likely to be redressed by the relief that she seeks.  Spokeo, Inc. v. Robins, ___ U.S. ___, 136 S. Ct. 1540, 1547 (2016).

Regarding the second element, the D.C. Circuit said that a plaintiff must demonstrate only that her injury is “fairly traceable” to the defendant’s actions, not caused or proximately caused by the defendant’s actions.  However, the burden to prove the elements of standing always remains with the plaintiff, and the burden grows as the litigation progresses. Lujan, 504 U.S. at 561.  According to the D.C. Circuit, at the pleading stage, the plaintiff is required only to state a “plausible claim” that each of the standing elements is present.

Attias primarily concerned the injury-in-fact requirement, which serves to ensure that the plaintiff has a personal stake in the litigation.  An injury-in-fact must be concrete, particularized, and actual or imminent, rather than speculative. Spokeo, 136 S. Ct. at 1548.  The plaintiffs alleged that the data breach at CareFirst exposed them to a heightened risk of identity theft.  The principal question was whether the plaintiffs had plausibly alleged a risk of future injury that was substantial enough to create Article III standing.  The court of appeals held that they had.

According to the court of appeals, the plaintiffs alleged the theft of their social security numbers, credit card numbers, and health insurance subscriber ID numbers.  The court said that the theft of such personal information creates a substantial risk that the hacker has “both the intent and the ability to use the data for ill . . . . Why else would hackers break in to a . . . database and steal consumer’s private information?”  Attias was not a case in which the future harm was speculative and depended on a long series of contingent events or a series of acts by actors independent of the hackers.  The risk of future, wrongful use of the customers’ identifying information was substantial, and, as the D.C. Circuit saw it, the plaintiffs’ injury-in-fact was fairly traceable to the alleged negligence of CareFirst.  The court also held that the plaintiffs had incurred alleged “risk-mitigation costs” that could be compensated by an award of money damages.  Thus, the plaintiffs had satisfied the three elements for Article III standing.

We can read Attias as standing for the following propositions:

  1. At the pleading stage, a plaintiff need only plausibly allege the elements of Article III standing.
  2. An injury-in-fact, for Article III standing, can be a future injury, provided that the risk of future injury is substantial.
  3. If a company’s alleged negligence allows a hacker to steal customers’ social security numbers, credit card numbers, and health insurance subscriber ID numbers from the company’s database, then the risk of future injury from the wrongful use of such personal information is substantial and satisfies the injury-in-fact requirement for Article III standing.
  4. The owner or operator of a database can be sued for negligently failing to prevent a third-party hacker from stealing customers’ personal information.

Like the 4th Circuit, the D.C. Circuit has opened a wide door at the pleading stage for litigating data breaches.

John Polk is a Special Counsel at Berenzweig Leonard, LLP. John can be reached at [email protected].