The Effects of Clapper v. Amnesty International Usa: an Improper Tightening of the Requirement for Article Iii Standing in Medical Data Breach Litigation

• Publication year: 2022

49 Creighton L. Rev. 467. THE EFFECTS OF CLAPPER V. AMNESTY INTERNATIONAL USA: AN IMPROPER TIGHTENING OF THE REQUIREMENT FOR ARTICLE III STANDING IN MEDICAL DATA BREACH LITIGATION

THE EFFECTS OF CLAPPER V. AMNESTY INTERNATIONAL USA: AN IMPROPER TIGHTENING OF THE REQUIREMENT FOR ARTICLE III STANDING IN MEDICAL DATA BREACH LITIGATION

Claire Wilka

I. INTRODUCTION

Imagine a car accident victim requiring a blood transfusion, but the medical providers used the wrong blood type because a hacker previously impersonated the victim to use his medical identity to access free health care.(fn1) The doctors treating the car accident victim followed the documentation on file, nonetheless, the victim sustained even more serious health problems following an incorrect transfu-sion.(fn2) After it was too late, the car accident victim found out he was also a victim of medical identity theft and suffered its most dangerous consequence-altered medical records.(fn3) A medical identify theft hacker may have also used the victim's health insurance to pay for hundreds of thousands of dollars' worth of surgeries, potentially making the victim's health and life insurance more expensive or unavailable.(fn4)

Medical identity theft occurs when a hacker-without a victim's knowledge or consent-misuses the victim's medical identity, such as records, health insurance, or personal information, to obtain medical care.(fn5) Medical identity theft is currently the fastest growing identity theft crime but is very difficult to detect.(fn6) Medical identity theft, as a type of identify theft, sometimes occurs following a data security breach.(fn7) However, since the United States Supreme Court decision in Clapper v. Amnesty International USA,(fn8) the majority of federal district courts around the country have dismissed data security breach victims' lawsuits, determining that a threat of future identity theft following a data breach does not constitute a sufficient injury for Article III standing.(fn9)

In Clapper, the United States Supreme Court held a group of respondents lacked standing to challenge the constitutionality of the Foreign Intelligence Surveillance Act because their claimed injury was hypothetical and not certainly impending.(fn10) Many federal district courts have determinedly applied the certainly impending standard to data breach lawsuits.(fn11) On the other hand, courts have noted that because Clapper did not overrule the substantial risk line of cases, plaintiffs can establish standing if there is a substantial risk that the harm will occur.(fn12)

This Topic Article will first discuss the facts, holding, and implications of Clapper v. Amnesty International USA.(fn13) It will then discuss several federal district court cases that, in following Clapper, have dismissed data breach lawsuits for a lack of standing.(fn14) Next, this Article will review a handful of federal court cases that have interpreted Clapper more narrowly to determine data breach victims successfully demonstrated an injury in fact for standing purposes.(fn15) This Article will then discuss a recent Supreme Court case that established standing under the substantial risk of harm standard.(fn16) This Article will subsequently explain the rise of medical identity theft in recent years and how its grave consequences differ from personal or financial identity theft.(fn17) This Article will then argue that Clapper's certainly impending standard for standing should not apply to medical security breaches because Clapper did not even involve a data security breach, and the dangerous consequences of medical identity theft require medical security breaches to be held to a lower standing standard than financial identity theft.(fn18) This Article will then propose that the substantial risk of harm standard should instead apply to medical security breach claims in order to allow victims to have the merits of their cases heard.(fn19) It will discuss the potential objections to this Article's alternative proposal and offer a response to those objections.(fn20)

II. BACKGROUND

A. CLAPPER V. AMNESTY INTERNATIONAL USA: EFFECTS ON DATA SECURITY BREACH CLAIMS

In Clapper v. Amnesty International USA,(fn21) the respondents brought a claim involving a constitutional challenge to Section 702 of the Foreign Intelligence Surveillance Act ("FISA"), codified at 50 U.S.C. § 1881a.(fn22) To gather foreign intelligence information, FISA authorizes the Attorney General and Director of National Intelligence to gather surveillance information on non-United States persons who are reasonably believed to be outside the United States.(fn23) The respondents challenging FISA were attorneys and labor, human rights, media, and legal organizations that electronically communicated with clients outside the United States and believed their clients were likely targets of the FISA surveillance.(fn24) The respondents sought a declaration that section 1881a was unconstitutional and an injunction to prohibit surveillance authorized by section 1881a.(fn25) They argued that section 1881a inhibited their ability to find witnesses and sources, gather information, and confidentially communicate with their clients.(fn26)

The issue on appeal was whether the respondents had standing to challenge FISA.(fn27) The respondents argued two sources of injuries for standing purposes.(fn28) First, there was an objectively reasonable likelihood that section 1881a would allow gathering of their international communications in the future, and second, section 1881a compelled them to protect their foreign communications through costly and burdensome measures because there was a substantial risk their communication would be subject to section 1881a surveillance.(fn29) The United States District Court for the Southern District of New York determined that respondents failed to establish standing in order to challenge section 1881a.(fn30) On appeal, the United States Court of Appeals for the Second Circuit reversed, reasoning the plaintiffs satisfied the injury-in-fact requirement of standing because it was reasonably likely that their international communications would be monitored under section 1881a.(fn31) The United States Supreme Court granted certiorari because the constitutionality of section 1881a was an important issue and the Court of Appeals adopted an unusual view of standing.(fn32)

The Supreme Court emphasized how a threatened injury must be certainly impending to satisfy the injury-in-fact requirement of standing and alleging a possible future injury is insufficient.(fn33) The Court rejected the Second Circuit's objectively reasonable likelihood standard of establishing a certainly impending injury-in-fact.(fn34) The Court ultimately held respondents lacked standing because their claimed injury, based on a hypothetical harm and an attenuated sequence of possibilities, was not certainly impending.(fn35) The Court also noted that even if respondents did establish an injury-in-fact, they would fail to demonstrate that their injury was fairly traceable to section 1881a because they could only speculate that section 1881a authorized surveillance of their international communications.(fn36)

While Clapper was a constitutional challenge of FISA and factually unrelated to a typical data breach claim, Clapper has had larger effects across the country in the last two years with data breach plaintiffs having difficulty establishing standing in data security class action claims.(fn37) In the last two years, many federal courts across the United States have dismissed data breach claims because plaintiffs have struggled to establish that their increased risk of future harm is certainly impending.(fn38) However, federal courts have not settled what constitutes a sufficient injury for standing in data breach cases.(fn39)

B. DISTRICT COURT CASES DISMISSED FOR LACK OF STANDING POST-CLAPPER

Since the United States Supreme Court's decision in Clapper v. Amnesty International USA,(fn40) was announced in February 2013, there have been at least eight data security breach cases dismissed for lack of standing in federal district courts.(fn41) In Green v. eBay Inc.,(fn42) the United States District Court for the Eastern District of Louisiana found that the plaintiff failed to establish a certainly impending in-jury-in-fact.(fn43) Unknown hackers accessed eBay's files that contained personal information of its users, including names, passwords, birth dates, email addresses, home addresses, and phone numbers.(fn44) A consumer privacy putative class action was filed against eBay, and eBay filed a motion to dismiss the complaint for lack of standing, arguing no one had attempted to commit identity fraud with the eBay users' in-formation.(fn45) eBay then contended the United States Supreme Court's decision in Clapper made it clear that a speculative possibility of a future injury does not constitute an injury-in-fact for standing pur-poses.(fn46) The district court cited numerous other district courts that have dismissed data breach claims for lack of standing since the Clapper decision.(fn47) Aligning with these other decisions, the court stated the plaintiff had not alleged a certainly impending threat of future identity fraud or theft because the plaintiff did not satisfy numerous variables the court deemed relevant to establish injury-in-fact.(fn48) The district court dismissed the plaintiff's complaint without prejudice...