Data breaches, identity theft, and Article III standing: will the Supreme Court resolve the split in the circuits?

Author: Mank, Bradford C.
 

In data breach cases, the plaintiff typically alleges that the defendant used inadequate computer security to protect the plaintiff's personal data. In most, but not all cases, the plaintiff cannot prove that a hacker or thief has actually used or sold the data to the plaintiff's detriment. In most cases, a plaintiff alleges that the defendant's failure to protect his personal data has caused him damages by increasing his risk of suffering actual identity theft in the future and therefore imposed costs on the plaintiff when he reasonably takes measures to prevent future unauthorized third-party data access by purchasing credit monitoring services.

In data breach cases, the lower federal courts have split on the question of whether the plaintiffs meet Article III standing requirements for injury and causation. In its 2013 decision Clapper v. Amnesty International USA, the Supreme Court, in a case involving alleged electronic surveillance by the U.S. government's National Security Agency, declared that a plaintiff alleging that it will suffer future injuries from a defendant's allegedly improper conduct must show that such injuries are "certainly impending." Since the Clapper decision, a majority of the lower federal courts addressing "lost data" or potential identity theft cases in which there is no proof of actual misuse or fraud have held that plaintiffs lack standing to sue the party who failed to protect their data. But a significant minority of lower court decisions have disagreed that the Clapper decision requires denial of standing in data breach cases in which there is no proof of present harm, because a footnote in Clapper acknowledged that the Court had sometimes used a less strict "substantial risk" test when plaintiffs alleged that a defendant's actions increase their risk of future harm.

Demonstrating its concern for digital privacy, the Court in Riley v. California recently required police to obtain a Fourth Amendment warrant before examining the digital data on the cellphones of arrested suspects. It would be easy for courts to distinguish the government's seizure of digital data from arrestees in Riley from a third party's hacking of data from a retailer or employer. The Riley decision involves Fourth Amendment warrant issues that are not relevant to private data breach cases. Yet in both cell phone seizure cases and data breach cases, there is the common concern that vast amounts of personal data are often at stake. The new privacy concerns in a digital age should lead the Supreme Court to take a broader view of standing in data breach cases. It is also possible that the Court will follow the Seventh Circuit's Remijas decision to distinguish between cases where there is only a possible risk of theft from those where actual harm has occurred to some plaintiffs.

INTRODUCTION

Because Article III of the Constitution limits the authority of federal judges to deciding "Cases" and "Controversies," (1) the U.S. Supreme Court has interpreted Article III to impose mandatory standing requirements that require each plaintiff in federal court to demonstrate that he has suffered a concrete injury that is fairly traceable to the actions of the defendant and redressable by a favorable judgment of a federal court. (2) The injury and traceable causation prongs of the Article III standing test have raised problems for plaintiffs in "lost data," "data breach," or potential "identity theft" cases in which plaintiffs allege damages when computer hackers or thieves of physical property such as laptops or hard drives breach a defendant's computer system or network that contains the plaintiffs' personal information such as birth dates or Social Security numbers. (3) Data breach cases can involve tens of millions of Americans, as in the Target retail breach, which led to sixty-eight class action lawsuits (4) in twenty-one states and the District of Columbia in less than one month, (5) and, therefore, these cases raise important policy concerns. (6)

In data breach cases, the plaintiff typically alleges that the defendant used inadequate computer security to protect the plaintiff's personal data from being accessed by third party hackers or thieves. (7) In most, but not all cases, the plaintiff cannot prove that a hacker or thief has actually used or sold the data to the plaintiff's detriment. (8) In most cases, a plaintiff alleges that the defendant's failure to protect his personal data has caused him damages by increasing his risk of suffering actual identity theft in the future and therefore imposed costs on the plaintiff when he reasonably takes measures to prevent future unauthorized third-party data access by purchasing credit monitoring services. (9) However, if a plaintiff's credit cards or bank accounts have actually been misused by thieves because of a data breach, then there is a much stronger argument that the plaintiff has demonstrated standing injury and causation. (10)

Currently, there is no comprehensive federal statute addressing data breach issues so plaintiffs have invoked a variety of state and federal laws to sue defendant companies that have failed to protect the plaintiffs' data. (11) For example, some of the cases are brought under state common law negligence or breach of contract theories, and others pursuant to federal statutes such as the Fair Credit Reporting Act (FCRA). (12) A related issue arises where a defendant has allegedly falsely reported information about a plaintiff to third parties in violation of various federal statutes, but it is difficult to measure the actual harm to the plaintiff. (13)

In data breach cases, and also in false reporting cases, the lower federal courts have split on the question of standing. (14) In its 2013 decision Clapper v. Amnesty International USA, (15) the Supreme Court, in a case involving alleged electronic surveillance by the U.S. government's National Security Agency, declared that a plaintiff alleging that it will suffer future injuries from a defendant's allegedly improper conduct must show that such injuries are "certainly impending." (16) Since the Clapper decision, a majority of the lower federal courts addressing "lost data" or potential identity theft cases in which there is no proof of actual misuse or fraud have held that plaintiffs lack standing to sue the party who failed to protect their data. (17) But a significant minority of lower court decisions have disagreed that the Clapper decision requires denial of standing in all data breach cases, because a footnote in Clapper acknowledged that the Court had sometimes used a less strict "substantial risk" test when plaintiffs alleged that a defendant's actions increase their risk of future harm. (18) Furthermore, the Seventh Circuit in its 2015 decision Remijas v. Neiman Marcus Group, LLC, distinguished Clapper because a significant number of the plaintiffs had suffered actual fraud or other harms, on the grounds that in such cases other plaintiffs are at increased risk compared to cases where no one has suffered an actual theft of property. (19) In light of the continuing split in the circuits regarding Article III standing in data breach and fraudulent reporting cases, the Supreme Court will eventually have to address this important question. (20) Predicting how the Court will resolve the issue is difficult because the Court's standing precedents could plausibly support either position. (21) It is possible that the Court's decision will depend on how personally vulnerable some of the Justices feel to the threat of identity theft. (22) Alternatively, the Court may follow the Seventh Circuit's Remijas decision to distinguish cases where there is only a possible risk of theft from those where actual harm has occurred to some plaintiffs. (23)

Demonstrating its concern for digital privacy, the Court recently required police to obtain a Fourth Amendment warrant before examining the digital data on the cell phones of arrested suspects in Riley v. California. (24) It would be easy for courts to distinguish the government's seizure of digital data from arrestees in Riley from a third party's hacking of data from a retailer or employer. (25) The Riley decision involves Fourth Amendment warrant issues that are not relevant to private data breach cases against companies that failed to protect data. (26) However, in both cell phone seizure cases and data breach cases, there is a similar policy concern that huge amounts of personal data are often at risk. (27) The Riley decision's recognition of new privacy concerns in a digital era should lead the Supreme Court to take a broader view of standing in data breach cases. (28)

Part I explains the basic principles of constitutional Article III standing. (29) Part II discusses how the recent Clapper and Susan B. Anthony List v. Driehaus (30) decisions arguably affect when plaintiffs have Article III standing based on future injuries. (31) Part III examines the split in the circuits regarding Article III standing in data breach and fraudulent reporting cases and the impact of the Clapper and Susan B. Anthony decisions on how lower federal courts decide standing. (32) The Conclusion discusses whether the Court's recent Fourth Amendment decision protecting the privacy of cell phone data might have implications in standing cases involving data breaches. (33)

1. INTRODUCTION TO CONSTITUTIONAL ARTICLE III STANDING

While the Constitution does not explicitly mandate that each and every plaintiff demonstrate "standing" to file suit in federal courts, the Supreme Court has inferred from Article III's limitation of judicial decisions to "Cases" and "Controversies" that federal courts must impose standing requirements to establish that a plaintiff has a genuine interest and a stake in the outcome of a case. (34) For a federal court to have jurisdiction over a claim, at least one plaintiff must prove it has standing for each form of relief sought. (35) Federal...
