{"id":3542,"date":"2020-11-19T12:55:25","date_gmt":"2020-11-19T18:55:25","guid":{"rendered":"http:\/\/blogs.luc.edu\/compliance\/?p=3542"},"modified":"2020-11-19T12:55:25","modified_gmt":"2020-11-19T18:55:25","slug":"understanding-circuit-splits-regarding-article-iii-standing-in-data-breach-litigation","status":"publish","type":"post","link":"https:\/\/blogs.luc.edu\/compliance\/?p=3542","title":{"rendered":"Understanding Circuit Splits Regarding Article III Standing in Data Breach Litigation"},"content":{"rendered":"

Joseph Ho, MPH<\/em><\/span><\/p>\n

Associate Editor<\/em><\/span><\/p>\n

Loyola University Chicago School of Law, JD 2022<\/em><\/span><\/p>\n

Complex litigation in data breach disputes is not surprising due to the reliance on information technology infrastructure. The Identity Theft Resource Center<\/a> defines a data breach as \u201can incident in which an individual name plus a Social Security number, driver\u2019s license number, medical record or financial record is potentially put at risk because of exposure.\u201d However, the issue that challenges most plaintiffs\u2019 in a data breach lawsuit is the ability to establish an injury-in-fact sufficient to support Article III standing. Injury-in-fact<\/a> is harm that is concrete and particularized, and actual or imminent. \u00a0Currently, the United States Court of Appeals fails to uniformly decide this issue, creating \u201csplits\u201d in the Circuits<\/a> regarding Article III standing in data breach litigation. The Supreme Court<\/a> ruled in fact-distinguishable cases concerning standing, but not in the data breach litigation context. Until the Supreme Court renders guidance, Americans face significant judicial patchwork in privacy protection.<\/span><\/p>\n

Supreme Court decisions on Article III standing<\/strong><\/span><\/p>\n

In Spokeo, Inc v. Robins<\/em><\/a>, the Petitioner, Spokeo, Inc., an alleged consumer reporting agency, operated a \u201cpeople search engine\u201d intended to gather and provide information about individuals to certain users. The Respondent, Thomas Robins, brought a federal class action against Spokeo, alleging a willful failure to comply with the Fair Credit Reporting Act of 1970 (\u201cFCRA\u201d). Procedurally, the Ninth Circuit reversed the lower court\u2019s decision to dismiss the complaint for failure to plead an injury under Article III. The Supreme Court, in a 6-2 decision vacated and reversed, holding that the Ninth Circuit focused on particularity \u2014 the requirement that an injury \u201caffect the plaintiff in a personal and individual way \u2014 but overlooked concreteness, which requires an injury to exist.\u201d Thus, the Ninth Circuit failed to consider both injury-in-fact prongs. Notably, the Court further concluded that \u201ca violation of one of the FCRA\u2019s procedural requirements may result in no harm.\u201d<\/span><\/p>\n

Two other Supreme Court decisions are instructive. In Susan B. Anthony List v. Driehaus<\/em><\/a>, the Court found the plaintiffs (\u201cSBA\u201d) alleged a sufficiently imminent injury under Article III standing for their preenforcment challenge to an Ohio voting law. In its reasoning, the Supreme Court addressed the injury-in-fact requirement, where Justice Thomas found that standing may arise if the \u201cthreatened enforcement [was] sufficiently imminent\u201d and affected a constitutional interest. Here, the Court reasoned there was an alleged credible threat. Finally, in Clapper v. Amnesty International<\/em><\/a>, the plaintiffs challenged new procedural provisions under the Foreign Intelligence Surveillance Act (\u201cFISA\u201d). The Supreme Court rejected the challenge finding that the \u201cthreatened injury must be certainly impending to constitute injury in fact [and] allegations of possible future injury are not sufficient.\u201d<\/span><\/p>\n

Article III standing and data breach litigation across the Circuits<\/strong><\/span><\/p>\n

The United States has thirteen United States Courts of Appeals<\/a>. A circuit split occurs when the U.S. Court of Appeals Courts differ in their respective decisions. For example, in the Ninth and Seventh<\/a> Circuits, the courts maintain a lower standard in showing Article III injury at the pleading stage while the Third, Fourth, and Eighth<\/a> circuits require a \u201cheightened\u201d showing of present harm. Here, the courts struggle<\/a> to agree on how \u201cimminent a future injury\u201d is before a person can show standing. Adding to the uncertainty, in Whalen v. Michaels Stores, Inc.<\/em>,<\/a> the Second Circuit affirmed a district court\u2019s dismissal because the plaintiff failed to show \u201cparticularized and concrete injury.\u201d The court also reasoned that the plaintiff could not show a risk of future harm because she canceled her credit card immediately. Whereas the Sixth Circuit, in Galaria v. Nationwide Mutual Insurance Co.<\/em>,<\/a> found \u201c[w]here a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims\u2019 data for [] fraudulent purposes\u2026.\u201d<\/span><\/p>\n

Another case that illustrates the divide is In re U.S. Office of Personnel Management Data Security Breach Litigation <\/em>(In re OPM)<\/em><\/a>. The D.C Circuit<\/a> allowed plaintiffs to continue on the grounds that the heightened risk of identity theft allowed the plaintiff to pass the threshold or the \u201clow bar\u201d for establishing standing at the pleading stage. The decision In re OPM\u2019s<\/em> is consistent with an additional D.C. Circuit holding in CareFirst<\/em><\/a>. In CareFirst<\/em>, the court found a substantial risk that their information was stolen for \u201cill\u201d purposes regardless of whether misuse occurred at the time.<\/span><\/p>\n

Mayer Brown partner Stephen Lilley<\/a> aptly describes the Circuit splits when he stated, “some courts are looking at breaches and assuming bad things are going to happen to people affected, and some are not willing to make that assumption.” This is instructively apparent as the In <\/em>re OPM <\/em>and CareFirst<\/em><\/a> cases illustrate the future risk of harm. While cases in the Fourth Circuit such as Beck v. McDonald, <\/em>and the Third Circuit, in Reilly v. Ceridian Corp.<\/em>, highlight mere speculation, such as theft of medical records that is not immediately used to commit identity theft or failure to prove hacker ever read the information is insufficient<\/a> to show standing.<\/span><\/p>\n

\u2018Hacking\u2019 the standing issue<\/strong><\/span><\/p>\n

A Supreme Court decision to rule on a case involving a standing issue in data breach cases should adopt the lesser<\/a> standard that the Ninth, Second, Seventh, and D.C Circuit found. The Supreme Court should take a broader view of imminent and particularized to protect the right to privacy and define what standards are needed. Alternatively, Congress should enact legislation. Laws and Regulations like California\u2019s Consumer Privacy Act<\/a> may guide policymakers in enacting federal privacy legislation in this regard.<\/span><\/p>\n

Industry Concern<\/strong><\/span><\/p>\n

An example of the effect \u2018standing\u2019 creates on industries is illustrated in healthcare and HIPAA<\/a>. In certain instances, unsecured electronic health records do not automatically create standing for plaintiffs. These instances are favorable for health service providers because, without a showing of breach or concrete injury, there is precedent in federal court that there is no standing. Therefore, the Supreme Court should adhere to a lesser standard and define the standing criteria to protect individuals\u2019 privacy.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"

Complex litigation in data breach disputes is not surprising due to the reliance on information technology infrastructure. The Identity Theft Resource Center defines a data breach as \u201can incident in which an individual name plus a Social Security number, driver\u2019s license number, medical record or financial record is potentially put at risk because of exposure.\u201d However, the issue that challenges most plaintiffs\u2019 in a data breach lawsuit is the ability to establish an injury-in-fact sufficient to support Article III standing. Injury-in-fact is harm that is concrete and particularized, and actual or imminent. \u00a0Currently, the United States Court of Appeals fails to uniformly decide this issue, creating \u201csplits\u201d in the Circuits regarding Article III standing in data breach litigation. The Supreme Court ruled in fact-distinguishable cases concerning standing, but not in the data breach litigation context. Until the Supreme Court renders guidance, Americans face significant judicial patchwork in privacy protection.<\/p>\n","protected":false},"author":77,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[491,571,1249,1623],"class_list":["post-3542","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-constitution","tag-data-privacy","tag-litigation","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/3542","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/users\/77"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3542"}],"version-history":[{"count":0,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/3542\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3542"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3542"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3542"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}