CPW previously has covered multiple decisions that address Article III standing requirements for pleading a claim in federal court. A recent decision out of a federal court in Missouri is an example of a Court finding that Plaintiff properly alleged facts to constitute standing in a data event litigation. Specifically, the Court analyzed the question of whether Plaintiff had standing and found that she had sufficiently alleged an injury in fact, with imminent risk of further injury that was fairly traceable to defendant, looking to allegations of stolen personally identifiable information (“PII”) that individuals attempted to use in filing a fraudulent tax return on Plaintiff’s behalf. Mackey v. Belden, Inc., 2021 U.S. Dist. LEXIS 145000 (E.D. Mo. Aug. 3, 2021).

Plaintiff was a Belden employee. During her employment, she received a letter stating that her PII may have been exposed in a data event. Particularly, the outside party accessed servers containing current and former employees PII such as social security numbers and bank account information. Directly in response to this data breach, Belden offered 24 months of identity theft and protection services. Several weeks later, Turbo Tax notified Plaintiff that unauthorized individuals attempted to file a tax return on her behalf using her social security number. Thus, Plaintiff sued Belden individually and behalf of a class of similarly situated individuals for a number of causes of action including negligence, breach of implied contract, and breach of fiduciary duty. Belden swiftly moved to dismiss each of Plaintiff’s causes of action for lack of Article III standing.

The Court first turned to analyzing injury in fact. Plaintiff alleged that she suffered injuries including diminution in value of her PII, loss of her privacy, time spent directly attributable to the data breach, and imminent and impending injury arising from the increased risk of fraud and identity theft. In particular, the Court emphasized that Social Security numbers are “the gold standard for identity theft, their theft is significant.” The Court further found that spending hours with Turbo Tax regarding the false tax return and reviewing her credit monitoring service results were cognizable injuries because she took these steps to prevent further damages. Thus, the Court held that Plaintiff sufficiently plead injury in fact given 1) the nature of the PII stolen and 2) individuals already attempted to file a tax return on her behalf using the stolen data.

Next, the Court turned to Defendant’s argument that Plaintiff’s injuries are not fairly traceable to any of Defendant’s conduct because Plaintiff’s First Amended Complaint “does not identify a single alleged deficiency in Belden’s security practices, and does not allege anything about what steps Belden could have but did not take to prevent the [data breach].” The Court disagreed; Plaintiff’s First Amended Complaint adequately proposed actions Defendant could have taken to prevent the data breach. At this stage of the litigation, the Court found that the following alleged facts were sufficient to establish traceability: Belden failed to secure current and former employees’ PII; Belden’s servers were hacked; PII was stolen by the hackers; and Plaintiff was a victim of attempted identity theft after the Data Breach. Therefore, as Plaintiff purportedly suffered a concrete and particularized injury fairly traceable to Defendant’s conduct, the Court found standing.

Ultimately, after addressing standing Defendant’s motion to dismiss Plaintiff’s First Amended Complaint was granted in part (dismissing Plaintiff’s claims for breach of fiduciary duty, breach of confidence, and intrusion upon seclusion as well as counts for declaratory relief) and denied in part. As a result, the Court allowed Plaintiff to proceed on her negligence and breach of implied contract claims and seek injunctive relief as a remedy for the alleged employees PII remaining in Defendant’s possession.

Article III standing can be a formidable hurdle for plaintiffs to clear when filing data incident and cyber-related claims in federal court. As we know from previous posts, standing is a case specific inquiry—and federal courts have not ruled consistently on the various permutations presented by these and other cases.