The data breach at the U.S. Office of Personnel Management was one of the most serious and possibly one of the top ten largest data breaches of the 21st century, compromising background investigation records for some 22 million current and former federal employees. But a class action lawsuit brought on behalf of those employees was recently dismissed for lack of Article III standing. In that case, In re U.S. Office of Pers. Mgmt. Data Sec. Breach Litig.[1] (“OPM Data Security Breach”), the U.S. District Court for the District of Columbia concluded that, with the exception of two employees who had incurred unreimbursed out-of-pocket expenses to remedy actual identity theft, the named plaintiffs failed to establish injury-in-fact.[2] The court reached this conclusion even with respect to plaintiffs who had incurred fraudulent charges (for which they ultimately did not have to pay), who alleged that they had suffered stress due to a fear of identity fraud, and who had purchased credit monitoring services. The court was influenced by reports that the breach had been perpetrated by the Chinese government, and did not jeopardize the kind of credit card or other financial information that could be useful in committing credit card fraud.[3] Thus, the court in OPM Data Security Breach was not willing to make assumptions about the likelihood of future harm, although such claims are routinely made (albeit with mixed success) in the context of retail and financial establishment breaches that involve a theft of credit card information.[4]
Even with respect to the two plaintiffs in OPM Data Security Breach who had incurred unreimbursed expenses to rectify actual identity theft, the court found that the complaint did not plausibly allege a connection between the data breach and the claimed harm.[5] The court observed that all those plaintiffs could point to regarding the required nexus was that the data breach had preceded the identity theft. But the court was not ready to presume that the theft had not been committed by other criminals or as a result of some other data breach, particularly where around 3.3 percent of the general population will experience some form of identity theft, regardless of the source, and in this case, identity theft had affected only 0.00009 percent of individuals.[6] Similarly, because the court did not believe that identity theft was impending, the court was not swayed by the out-of-pocket expenses some of the employees had incurred for credit monitoring services.[7]
The OPM Data Security Breach matter illustrates that standing remains a robust defense in data breach cases, particularly in cases that do not involve a breach of financial information. Other recent cases exemplify this principle. For example, in K.R. Stapleton on behalf of C.P. v. Tampa Bay Surgery Ctr., Inc.,[8] a federal district court in Florida recently tossed a lawsuit against a medical center arising out of a data breach exposing information of over 142,000 of its patients.[9] The information, which was posted on a public file-sharing website, included children’s names, dates of birth, home addresses, and social security numbers.[10] In dismissing the case for lack of standing, the court relied on the absence of any suggestion that the information had actually been misused for any of the 142,000 patients affected.[11] The court also found that the alleged imminent nature of the harm was mitigated because the defendant provided free credit monitoring, including a credit lock service, for everyone affected by the breach.[12] Thus, because patients would suffer actual harm only if a series of unlikely events were to occur (including that the credit lock would somehow be inadequate to prevent misuse of the information), the threshold of impending injury or substantial risk that harm would occur was not met.[13]
Finally, earlier in the year, in Foster v. Essex Prop., Inc.,[14] yet another court dismissed a class action against a real estate management company related to a data breach that compromised information of the company’s tenants, including their rental applications and files. Although the named plaintiffs were able to point to unauthorized charges on their credit cards, the defendant rebutted a causal connection between these charges and the breach by submitting affidavits attesting to the fact that plaintiffs’ credit cards and other personal information had not been stored on the company’s system and, in fact, plaintiffs had never paid rent using a credit or debit card.[15] Based on this unrebutted evidence, the court concluded that the data breach could not have been the cause of the unauthorized charges, and dismissed the case.[16]
Cases in the data breach context frequently harken back to the U.S. Supreme Court’s standing analysis in Clapper v. Amnesty Int’l USA.[17] Clapper involved a constitutional challenge to a provision of the Foreign Intelligence Surveillance Act of 2008 (“FISA”), allowing the United States to conduct foreign intelligence surveillance without having to meet some requirements of traditional FISA surveillance. The respondents, a group of international organizations, lawyers, and media personnel, asserted that they were likely to be targets of surveillance and thus had standing to sue. The high court disagreed, finding it speculative whether the Government would target communications to which the respondents were parties, particularly where they did not allege that the Government had ever sought approval for surveillance of their communications, did not explain how the Government chooses its targets, and could only speculate whether the FISA court would authorize such surveillance and whether the surveillance would ultimately be successful.[18] Notably, even though some of the challengers had taken costly and burdensome measures to protect the confidentiality of their communications, the Supreme Court rejected the assertion of standing on this basis, noting that “respondents cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”[19]
The application of Clapper in the data breach context has varied among different courts. See, e.g., In re Yahoo! Inc. Customer Data Sec. Breach Litig., No. 16-MD-02752-LHK, 2017 WL 3727318, at *12 (N.D. Cal. Aug. 30, 2017) (holding that plaintiffs established standing because they suffered an increased risk of future identity theft as a result of data breaches); In re SuperValu, Inc., 870 F.3d 763, 772 (8th Cir. 2017) (finding that although allegations of future injury were insufficient, the named plaintiffs alleged a present injury-in-fact because they suffered a fraudulent charge on the credit card used to make purchases at defendants’ stores affected by the data breaches). Still, the recent decisions in OPM Data Security Breach, Tampa Bay Surgery and Foster bolster Clapper’s rationale and its hesitation to infer imminent injury and causation from a breach, particularly as applied to defendants outside the retail or financial services industry. Even companies that do collect credit card and other similar financial information should explore whether the named plaintiffs’ files indeed included the type of information that could lead to identity theft and unauthorized charges, in order to evaluate a potential challenge to redressability and causation in the named plaintiffs’ cases.
[1] No. MC 15-1394 (ABJ), 2017 WL 4129193, at *1 (D.D.C. Sept. 19, 2017), appeal pending.
[2] Id. at *11-25.
[3] Id. at *22-23.
[4] See id. at *2.
[5] Id. at *25.
[6] Id. at *27.
[7] Id. at *25.
[8] Id.
[9] No. 8:17-CV-1540-T-30AEP, 2017 WL 3732102, at *1 (M.D. Fla. Aug. 30, 2017).
[10] Id.
[11] Id. at *3.
[12] Id.
[13] Id.
[14] No. 5:14-CV-05531-EJD, 2017 WL 264390, at *2 (N.D. Cal. Jan. 20, 2017).
[15] Id. at *2-3.
[16] Id. at *3.
[17] 568 U.S. 398 (2013).
[18] Id. at 411-14.
[19] Id. at 416.