Third Circ. Offers Blueprint for Defeating Data Breach Class Actions
Data breaches continue to grow at torrid pace, often spurring consumer class action litigation in their wake. And successful data breach litigation can empty a corporate defendant’s coffers. Take, for instance, the $575 million deal Equifax recently reached to settle class litigation stemming from its 2017 mega-breach that impacted over 100 million individuals. Consequently, companies handling consumer personal information must be prepared to forcefully defend such high-stakes litigation.
Fortunately, Article III standing serves as a viable defense to obtain dispositive dismissals from a wide range of data breach class actions in federal court. While a current circuit split exists over the threshold for establishing standing in such cases, the U.S. Court of Appeals for the Third Circuit recently articulated a middle-of-the-road standard that provides a significant opportunity for defendants to completely dispose of litigation at the pleading stage based on an absence of constitutional standing.
Overview of Article III Standing in Data Breach Class Actions
To establish Article III standing in federal court, a plaintiff must establish three core elements: an injury-in-fact; causation; and a likelihood that the injury will be redressed by a favorable decision. To establish a cognizable injury-in-fact, a plaintiff must show that he or she suffered “an invasion of a legally protected interest” that is “concrete and particularized” and “actual or imminent, not conjectural or hypothetical.” Where a plaintiff seeks to establish an injury-in-fact based on an imminent injury, that threatened injury must be “certainly impending.”
In the context of data breach class action litigation, the question of whether Article III standing can be satisfied is often dispositive of the outcome of an action. However, a deep circuit split currently exists between the federal appellate courts regarding the level of proof required to establish standing in data breach class actions—particularly as it relates to demonstrating a sufficiently “concrete” injury-in-fact, and whether allegations of an increased risk of future identity theft are sufficient to satisfy this aspect of the standing test.
Article III Standing in the Third Circuit
The Third Circuit first addressed the applicable standard for establishing Article III standing in the data breach context in Reilly v. Ceridian, 664 F.3d 38 (3d Cir. 2011). Despite being handed down almost a decade ago, Reilly remains the seminal data breach standing decision in the Third Circuit.
Reilly involved allegations that an unknown hacker infiltrated the defendant’s payroll system and potentially gained access to personal and financial information belonging to the plaintiffs and approximately 27,000 other employees at 1,900 companies. It was unknown whether the hacker read, copied, or understood the data. The plaintiffs alleged injuries in the form of an increased risk of identity theft, costs incurred to monitor their credit activity, and emotional distress—but did not allege any actual misuse of their data.
On appeal, the Third Circuit held plaintiffs’ allegations of hypothetical, future injuries were insufficient to establish standing, as their alleged future harm was neither imminent nor certainly impending.
First, the court found plaintiffs’ claimed injury relating to an increased risk of identity theft did not establish standing under Article III. In doing so, the Third Circuit emphasized the plaintiffs’ contentions relied on speculation that the hacker: read, copied, and understood their personal information; intended to commit future criminal acts by misusing the information; and was able to use that information to the detriment of the plaintiffs. The court characterized this harm as a “string of hypothetical injuries” that was insufficiently “actual or imminent” to confer standing.
In addition, the absence of any evidence the intrusion was intentional or malicious or that any data was misused further supported the conclusion this claimed harm was not an “actual or imminent” injury. Ultimately, because plaintiffs had yet to suffer any harm, their alleged increased risk of future identity theft was nothing more than speculation—which failed to meet “certainly impending” injury-in-fact standard.
The Third Circuit also held plaintiffs’ alleged time and money expenditures to monitor their information failed to establish standing. Here, the court reasoned costs incurred to watch for a speculative chain of future events based on hypothetical criminal acts were no more of an actual injury than the alleged increased risk of injury underpinning plaintiffs’ claims. Because any expenses incurred by plaintiffs were not the result of an actual injury, but rather, related only to the speculative misuse of their data, this injury also failed to confer standing.
Combined, the Third Circuit held plaintiffs failed to plead sufficient facts to demonstrate standing under Article III and affirmed the district court’s order granting the defendant’s motion to dismiss.
The Third Circuit again addressed the issue of standing in In re Horizon Healthcare Services Data Breach Litigation, 846 F.3d 625 (3d Cir. 2017). Horizon involved the theft of two laptops containing plaintiffs’ unencrypted personal health information. The plaintiffs sued under the Fair Credit Reporting Act (FCRA), arguing the violation of their statutory right to have their personal information secured against unauthorized disclosures was, in-and-of itself, an injury-in-fact, even absent any allegation that their data had been misused.
On appeal, the Third Circuit held the violation of the plaintiffs’ FCRA statutory rights constituted a cognizable injury-in-fact sufficient to confer standing. In doing so, the Third Circuit relied heavily on its prior decisions in In re Google Cookie Placement Consumer Privacy Litigation, 806 F.3d 125 (3d Cir. 2015), and In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262 (3d Cir. 2016), which were decidedly in favor of allowing individuals to sue to remedy violations of their statutory rights, even without additional injury.
In its analysis, the Third Circuit applied the two tests articulated by the U.S. Supreme Court in Spokeo v. Robins, 136 S. Ct. 1540 (2016), for determining whether an intangible injury is sufficiently “concrete” to establish standing. The court first looked to history—i.e., whether an alleged intangible harm is closely related to a harm that has traditionally been regarded as providing a basis for a lawsuit. Here, the court explained the defendant’s actions did not need to give rise to a cause of action under the common law; instead, it was enough that the intangible harm the FCRA sought to remedy has a close relationship to the historical tort of invasion of privacy.
Applying Spokeo’s second test—i.e., the congressional test—the Third Circuit reasoned that in enacting the FCRA Congress established that the unauthorized dissemination of personal information by a credit reporting agency causes an injury in-and-of itself—regardless of whether the disclosure of that information increased the risk of identity theft or some other future harm. Taken together, the plaintiffs had standing.
Although the Third Circuit found in favor of the plaintiffs on the issue of standing, the court rejected plaintiffs’ argument that the defendant’s offering of free credit monitoring should be taken as an acknowledgement that it put the plaintiffs at a significantly increased risk of identity theft. The court reasoned that the offer should not be used against the defendant as either a concession or a recognition that the plaintiffs had suffered injury; as a rule of this nature would disincentivize companies from offering credit or other monitoring services in the wake of a breach.
Importantly, the court also discussed the key factors distinguishing Horizon from Reilly; namely, Congress’ decision to prohibit the unauthorized disclosure of data under the FCRA. Thus, the Horizon plaintiffs did not complain solely of future injuries, as Congress has elevated the unauthorized disclosure of information into a tort, which was not speculative in any respect. In contrast, the Reilly plaintiffs’ claims were based solely on the common law and concerned alleged injuries of increased risk of identity theft and costs incurred to mitigate that risk. Those common law claims, the court noted, centered on future injuries plaintiffs expected to suffer as a result of a data breach, such as the increased risk of identity theft, which were too speculative to confer standing.
Analysis and Takeaways
Taken together, Reilly and Horizon operate to create a diving line between circumstances where standing might exist in the Third Circuit.
Under Horizon, standing can often be established where plaintiffs are able to allege violations of federal privacy law—which are considered de facto injuries, and thus sufficient to confer standing even in the absence of any economic loss or other injury
Conversely, where only common law claims are asserted, alleged injuries relating to an increased risk of fraud and identity theft (as well as costs incurred to mitigate such risks)—which involve only claims of future injuries, but where no injury or harm has occurred—may be too speculative to establish standing.
The other significant takeaway from these two cases is the Horizon court’s rejection of the use of remedial mitigation efforts to assist breach victims as evidence of an injury sufficient to establish standing. This holding departs from the position taken by other federal courts—including the Sixth Circuit—which have held such offers serve as evidence of a cognizable injury-in-fact. This much more plaintiff-friendly position leaves data breach defendants in a particularly troublesome dilemma: offer credit monitoring services to impacted individuals and, in doing so, assist class action plaintiffs in making their case for Article III standing; or forgo assisting those involved in the breach in an attempt to avoid future class action litigation down the road.
To date, the Second, Third, Fourth, and Eighth circuits have found allegations of an increased risk of future identity theft fall short of demonstrating a cognizable injury-in-fact in data breach class action litigation. Conversely, the Sixth, Seventh, Ninth, Eleventh, and D.C. circuits have all found such allegations are sufficient to establish Article III standing in the breach context. Ultimately, this uncertainty regarding the level of proof required to establish standing will continue moving forward until a definitive ruling is handed down by the U.S. Supreme Court.
While standing will continue to remain a very fact-specific inquiry, the Third Circuit has provided businesses with a blueprint to procure an early exit from a wide range of data breach class actions via an Article III standing defense. Corporate defendants that find themselves on the receiving end of a data breach class action in the Third Circuit should analyze the potential applicability of this defense at the outset. Pursuant to Reilly and Horizon, where a plaintiff’s claims are limited to the common law and involve no actual injury in the form of sustained identity theft, an early motion to dismiss asserting a lack of Article III standing defense should be pursued to dispose of the case at an early juncture. In addition, corporate defendants should highlight any absence of evidence that: malicious actors actually accessed or acquired the data in question; the breach was intentional or malicious; and the data was misused, all of which further demonstrate that the alleged injuries in question are not sufficient to meet the “certainly impending” injury-in-fact standard.
“Third Circ. Offers Blueprint for Defeating Data Breach Class Actions,” by Jeffrey N. Rosenthal and David J. Oberly was published in The Legal Intelligencer on May 14, 2020.
Reprinted with permission from the May 14, 2020, edition of The Legal Intelligencer © 2020 ALM Media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382, email@example.com or visit www.almreprints.com.