Understanding Circuit Splits Regarding Article III Standing in Data Breach Litigation

Joseph Ho, MPH

Associate Editor

Loyola University Chicago School of Law, JD 2022

Complex litigation in data breach disputes is not surprising given the reliance on information technology infrastructure. The Identity Theft Resource Center defines a data breach as “an incident in which an individual name plus a Social Security number, driver’s license number, medical record or financial record is potentially put at risk because of exposure.” However, the issue that challenges most plaintiffs in a data breach lawsuit is the ability to establish an injury-in-fact sufficient to support Article III standing. Injury-in-fact is harm that is concrete and particularized, and actual or imminent. Currently, the United States Courts of Appeals do not decide this issue uniformly, creating “splits” in the Circuits regarding Article III standing in data breach litigation. The Supreme Court has ruled on standing in factually distinguishable cases, but not in the data breach litigation context. Until the Supreme Court renders guidance, Americans face a significant judicial patchwork in privacy protection.

Supreme Court decisions on Article III standing

In Spokeo, Inc. v. Robins, the Petitioner, Spokeo, Inc., an alleged consumer reporting agency, operated a “people search engine” intended to gather and provide information about individuals to certain users. The Respondent, Thomas Robins, brought a federal class action against Spokeo, alleging a willful failure to comply with the Fair Credit Reporting Act of 1970 (“FCRA”). Procedurally, the Ninth Circuit reversed the lower court’s decision to dismiss the complaint for failure to plead an injury under Article III. The Supreme Court, in a 6-2 decision, vacated and reversed, holding that the Ninth Circuit focused on particularity — the requirement that an injury “affect the plaintiff in a personal and individual way — but overlooked concreteness, which requires an injury to exist.” Thus, the Ninth Circuit failed to consider both injury-in-fact prongs. Notably, the Court further concluded that “a violation of one of the FCRA’s procedural requirements may result in no harm.”

Two other Supreme Court decisions are instructive. In Susan B. Anthony List v. Driehaus, the Court found that the plaintiffs (“SBA”) alleged a sufficiently imminent injury for Article III standing in their pre-enforcement challenge to an Ohio voting law. In its reasoning, the Supreme Court addressed the injury-in-fact requirement, where Justice Thomas found that standing may arise if the “threatened enforcement [was] sufficiently imminent” and affected a constitutional interest. Here, the Court reasoned there was an alleged credible threat. Finally, in Clapper v. Amnesty International, the plaintiffs challenged new procedural provisions under the Foreign Intelligence Surveillance Act (“FISA”). The Supreme Court rejected the challenge, finding that the “threatened injury must be certainly impending to constitute injury in fact [and] allegations of possible future injury are not sufficient.”

Article III standing and data breach litigation across the Circuits

The United States has thirteen United States Courts of Appeals. A circuit split occurs when the U.S. Courts of Appeals differ in their respective decisions. For example, the Ninth and Seventh Circuits maintain a lower standard for showing Article III injury at the pleading stage, while the Third, Fourth, and Eighth Circuits require a “heightened” showing of present harm. Here, the courts struggle to agree on how “imminent a future injury” must be before a person can show standing. Adding to the uncertainty, in Whalen v. Michaels Stores, Inc., the Second Circuit affirmed a district court’s dismissal because the plaintiff failed to show “particularized and concrete injury.” The court also reasoned that the plaintiff could not show a risk of future harm because she canceled her credit card immediately. By contrast, the Sixth Circuit, in Galaria v. Nationwide Mutual Insurance Co., found “[w]here a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for [] fraudulent purposes….”

Another case that illustrates the divide is In re U.S. Office of Personnel Management Data Security Breach Litigation (In re OPM). The D.C. Circuit allowed the plaintiffs to continue on the grounds that the heightened risk of identity theft allowed them to pass the threshold, or the “low bar,” for establishing standing at the pleading stage. The In re OPM decision is consistent with an additional D.C. Circuit holding in CareFirst. In CareFirst, the court found a substantial risk that the plaintiffs’ information was stolen for “ill” purposes regardless of whether misuse occurred at the time.

Mayer Brown partner Stephen Lilley aptly described the Circuit splits when he stated, “some courts are looking at breaches and assuming bad things are going to happen to people affected, and some are not willing to make that assumption.” The divide is apparent in the case law: the In re OPM and CareFirst cases illustrate the future risk of harm, while cases such as Beck v. McDonald in the Fourth Circuit and Reilly v. Ceridian Corp. in the Third Circuit highlight that mere speculation, such as theft of medical records that are not immediately used to commit identity theft or a failure to prove that a hacker ever read the information, is insufficient to show standing.

‘Hacking’ the standing issue

A Supreme Court decision in a case involving a standing issue in the data breach context should adopt the lesser standard that the Ninth, Second, Seventh, and D.C. Circuits found. The Supreme Court should take a broader view of what is imminent and particularized to protect the right to privacy and define what standards are needed. Alternatively, Congress should enact legislation. Laws and regulations like California’s Consumer Privacy Act may guide policymakers in enacting federal privacy legislation in this regard.

Industry Concern

Healthcare and HIPAA provide an example of the effect that standing has on industries. In certain instances, unsecured electronic health records do not automatically create standing for plaintiffs. These instances are favorable for health service providers because, without a showing of breach or concrete injury, there is precedent in federal court that there is no standing. Therefore, the Supreme Court should adhere to a lesser standard and define the standing criteria to protect individuals’ privacy.