Data Breach Claims Require Concrete Injury for Legal Standing

Summary

• How does one sue an elephant?
• Appellate court finds standing for some claims, locks tusks with other circuits.

Matt Dirksen via Getty Images

Jump to:

Data breaches seem to be an unfortunate reality of the digital age. These events impact millions of people every year and provide a fertile area for litigation. Nevertheless, the lack of concrete and particularized injury is a substantial hurdle for many data breach victims. While recent cases have chipped away at the extent of the injury necessary for establishing standing in such cases, ABA Litigation Section leaders suggest that standing remains a viable defense in standard data breach cases. Plaintiffs making data breach claims must identify specific, immediate harms to survive motions to dismiss, and the mere fact of stolen data is not enough to create standing to bring suit.

Data Breach Results in Class Claims

In Holmes v. Elephant Insurance Co., the U.S. Court of Appeals for the Fourth Circuit rejected the vast majority of claims a plaintiff class asserted in a complaint due to an insurance company’s failure to protect their information. The defendant insurance company used an online quote feature, in which potential customers filled out a form by providing certain information about themselves. The company then added additional information the potential customers had not provided, by way of access to third-party sources, such as department of motor vehicle records. Hackers breached the company’s online defenses and stole drivers’ license numbers for nearly three million persons.

The plaintiffs asserted four categories of damages: (1) compromise of personal information; (2) increased risk of identity theft; (3) risk of information being stolen again in a potential future hack of the same company; and (4) emotional distress and additional time spent monitoring financial records to avoid future harm. In support of the identity theft claim, one plaintiff specifically alleged having seen their driver’s license number on the dark web, and a second alleged having seen an offer of sale of their driver’s license. Plaintiffs sought damages, a declaration that the company’s security systems were inadequate, and an injunction requiring the company to improve its data security.

The defendant company moved to dismiss, arguing that the plaintiffs lacked standing. The district court granted the motion and dismissed all claims. The plaintiffs appealed to the Fourth Circuit, which affirmed the dismissal with respect to all but two plaintiffs.

Standing Requires More Than Data Breach or Fear of Potential Harm

The Fourth Circuit stated, in plain language, that the question of standing requires a plaintiff to be able “to sufficiently answer the question ‘What’s it to you?’” In Elephant, the particular standing problem the plaintiffs faced was demonstrating that they had “injury-in-fact,” meaning an injury that is “concrete, particularized, and actual or imminent.”

For three of the plaintiffs’ claims, the appellate court held that there was no injury-in-fact. First, as to the risk of future misuse, the court noted that the risk must be imminent to justify injunctive relief. In the case at hand, however, there was no such risk “in the near future.” Additionally, based on precedent, the appellate court quantified the level of risk required, determining that it was necessary that there be “at least 33%” chance of the injury occurring, to potentially satisfy this element. The plaintiffs’ “speculative chain of possibilities” did not carry that burden. In rendering this decision, the Fourth Circuit acknowledged that it was splitting from five other circuits, the First, Second, Seventh, Eleventh, and D.C. Circuit Courts of Appeals. The Fourth Circuit did not find the decisions from those appellate courts to be persuasive. Second, the appellate court held insufficient the allegation that another data breach may occur at the company, because there was no allegation that it would occur imminently or would impact the same plaintiffs.

Third, the Elephant court rejected time spent mitigating damages and emotional harm, without an additional injury, as a sufficient basis, by itself, for standing.

The claim for risk of identity theft, however, at least as to the two plaintiffs who alleged their information was actually for sale on the dark web, was sufficient to convey injury-in-fact. This, the Fourth Circuit held, was sufficient to create standing.

How Does One Eat an Elephant? One Injury at a Time

In coming to this conclusion, the court relied heavily on the Supreme Court’s decision in TransUnion LLC v. Ramirez and the “harm-analogue” test announced in that case. In TransUnion, the plaintiffs had complained about misleading information in their credit reports. The Court considered standing by looking for analogues between the harm the plaintiffs identified and the harm that was traditionally protected against with the common-law claim of defamation. Because the defamation claim required publication as an essential element of the harm, and publication was not present in TransUnion, there was no standing.

In Elephant, the common-law analogue was to the claim of public disclosure of private information. Because that claim requires that the information “reaches, or is sure to reach, the public,” only those plaintiffs who alleged that their information had appeared on the dark web had standing to pursue a claim.

In reaching this decision, the Elephant court parted ways from the Seventh Circuit in Baysal v. Midvale Indemnity Co. In that case, also involving an insurance company data breach related to consumers’ drivers’ license numbers, the Seventh Circuit affirmed dismissal. Applying the harm-analogue test from TransUnion, the Baysal court reiterated that only embarrassing details were protected under the common-law tort analogue. The Elephant court, however, noted that the common-law tort also protected against theft of mundane information, such as tax returns, and that TransUnion merely required “analogues, not duplicates.” Accordingly, for those plaintiffs who could allege that their information had been made publicly available, there was standing to proceed.

Elephant Is a Signpost on the Road to Clarity Regarding Data Breach Claims

“The [Elephant ] decision is a continuation of battles over standing,” says Robert A. Jenkin II, Princeton, NJ, Co-Chair of the Litigation Section’s Privacy & Data Security Litigation Committee. He notes that, “in the majority of cases, there is no tangible harm alleged.” In the battle over standing here, the Elephant court reasonably disagreed with the other circuits because the “other circuits weren’t applying [TransUnion ], and were allowing claims to move forward based solely on allegations of access to personal information.”

Nevertheless, standing remains a fraught issue. “This seems to be a bridge too far,” cautions Michael P. Daly, Philadelphia, PA, Co-Chair of the Section’s Consumer Litigation Committee. He references the court’s reliance on the common-law analogue tort of public disclosure of private information, and says that “the problem with that analogy is that the defendant didn’t make such a disclosure.” Further, the public disclosure tort is “is meant to protect against disclosure of things like ‘loathsome diseases.’” In contrast, “[t]his wasn’t even a Social Security number; it was just disclosure of a driver’s license number,” Daly says.

Indeed, it may be that the “opinion didn’t go far enough,” says Jenkin, meaning the appellate court in Elephant may not have fully developed the issue of concrete injury, because one of the two plaintiffs whose claims survived “merely alleged that a third party claimed to be selling his information.” He explains that, if there is no claim in identity theft fraud unless someone has actually sold the information, as the court stated, “that should also be the conclusion for disclosure of private information.”

Daly offers some practical advice: “It is always important to scrutinize any threshold defense to a claim. But it is also important to consider whether to assert that defense at the pleading stage or reserve it for later.” He advises caution in deciding upon litigation strategy. “[Making such claims at the beginning of the case] can lead to dismissal without prejudice, which can allow the claims to reappear in state court.”

Resources

Alexander R. Bilus and Erik VanderWeyden, “ After TransUnion, Lower Courts Grapple with Article III Standing in Data Breach Lawsuits,” Priv. & Data Sec. (Apr. 27, 2022).

Josephine Bahn, “ Does Anxiety Create Standing?,” Litigation News (May 22, 2024).

Greg Szewczyk, “ The Year 2021 in Review: Trends in Data Breach Litigation,” Consumer Litig. (Feb. 11, 2022).

Endnotes

Author

View Bio →

Author

Brownstein Hyatt Farber Schreck

Related Content