The world of data breaching not only affects consumers who have to monitor their monthly statements, order new credit cards, and face the risk of their identity being compromised in the future. Federal courts of appeals are making tough calls in class action data breach cases when it comes to a fundamental question in federal court: Do the plaintiffs have standing?
To bring an action in federal court, the plaintiff must have standing under Article III of the Constitution. The Supreme Court has described standing as an injury that is (1) concrete, particularized, and actual or imminent; (2) fairly traceable to the defendant; and (3) redressable by a court ruling in the plaintiff’s favor.
The conundrum appellate courts are facing with standing and large data breach cases is whether the compromised information constitutes an “injury.” When a consumer’s information is used fraudulently, like when a hacker makes unauthorized charges on a credit card or opens a bank account with the consumer’s information, it is clear there has been an actual injury. But what about consumers whose information has potentially been accessed? Consumers who have had their information accessed, but no fraudulent activity has occurred? When does this invasion become an imminent injury for the purpose of Article III standing?
Data Breach Cases Pre-Clapper
This query was first considered on the circuit level in 2007—albeit briefly—by the 7th Circuit in Pisciotta v. Old National Bancorp. After failing to protect the personal data Old National Bancorp solicited online from thousands of consumers, the company fell prey to a hacker who accessed this information. The 7th Circuit held that the plaintiffs had standing because the injury requirement of Article III could be satisfied by a threat of future harm or an increased risk of future harm (a rationale that had been used by other circuits in factually different situations). In 2010, the 9th Circuit joined the 7th Circuit in Krottner v. Starbucks Corporation when it decided the increased threat of misuse from the theft of a laptop with personal, unencrypted data to the plaintiffs’ information qualified as an injury.
A circuit split was born one year later in Reilly v. Ceridian Corporation; the 3rd Circuit criticized the 7th and 9th circuits’ “skimpy rationale” supported by analogies to other areas of the law, namely environmental injuries and defective medical devices. In Reilly, the only cognizable compromise of information was the penetration of a computer firewall that did not indicate whether the hacker copied or even read the personal data. With no evidence of misuse, the court noted, “[T]here is no quantifiable risk of damage in the future,” and held that the possibility of misuse did not constitute an injury. The 3rd Circuit reached this conclusion by focusing on previous cases dismissed by the Supreme Court for failing to allege future harm that was imminent or “certainly impending.”
The Supreme Court Appears to Emphasize “Imminence” in Clapper
Defense attorneys in data breach cases rejoiced after the Supreme Court’s decision in Clapper v. Amnesty International USA, handed down in 2013, which seemed to tighten the requirements for Article III standing. Clapper presented a factually unique case: The respondents (comprised of attorneys and human rights and media organizations) sought a declaration that Section 702 of the Foreign Intelligence Surveillance Act of 1978 (“the Act”) was unconstitutional. Respondents alleged the Act could potentially authorize the government to record surveillance targets that the respondents engaged with in sensitive international communications, thereby compromising the ability of respondents to find witnesses, gather information, and relate confidential information to their clients. The respondents asserted this potential risk caused them to incur the expense of traveling abroad to have in-person conversations instead of using phones or emailing, in addition to other protective measures.
The Supreme Court began its analysis by noting that it had often found standing lacking in cases where the Court was requested to review intelligence actions and foreign affair policies of the political branches. The Court declared that imminence was a “somewhat elastic concept, [but] it cannot be stretched beyond its purpose [to ensure] that the injury is certainly impending.” After promptly rejecting the respondents’ argument that standing existed because there was an “objectively reasonable likelihood” that “at some point in the future” their communications would be monitored under the Act, the Court held the theory, “which relies on a highly attenuated chain of possibilities, does not satisfy the requirement that threatened injury must be certainly impending.”
The Aftermath of Clapper
Defense attorneys began citing Clapper to bolster their argument that an increased risk of identity theft or fraud in data breach cases was insufficient standing, and were successful at the district court level. The 7th Circuit broke the appellate courts’ silence in July 2015 as it once again sided with consumers in Remijas v. Neiman Marcus Group, LLC, and differentiated Clapper’s reasoning. In Neiman Marcus, 350,000 cards of Neiman Marcus customers were potentially exposed during a hack, and 9,200 of those cards were used fraudulently. Neiman Marcus argued that for those consumers who had not already experienced misuse of their personal information, the potential risk of future identity theft or fraudulent charges was too speculative to constitute an injury.
Although the lower court bought this argument, the 7th Circuit disagreed: “Clapper does not, as the district court thought, foreclose any use whatsoever of future injuries to support Article III standing.” Unlike Clapper, in which the plaintiffs “suspected” that their communications with foreigners might be intercepted by the government, the threat of hackers in Neiman Marcus using the credit-card information to commit fraud and identity theft was “immediate and very real.” The 7th Circuit refused to require the affected customers “to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.”
Since the 7th Circuit is the only federal appellate court to consider this issue after the Clapper decision, only time will tell as to whether other circuit courts will follow its reasoning or rely more heavily on Clapper, and whether the Supreme Court will specifically address this issue. Regardless, it is important for companies to utilize the most advanced and credible facilities to prevent data breaches and its consequences. The 7th Circuit has sent a clear message to those who store consumer data—safety and security are paramount.
Authors: Amy Dunn Taylor and Amelia Coates