Circuit Courts are split on plaintiff standing in data breach cases and so far the Supreme Court has declined to weigh in on interpretations of Article III standing in this context. The principal split in interpretation is on whether data theft alone is sufficient for standing under Article III or whether actual misuse of the stolen information is required to have occurred for plaintiffs to have standing. The D.C., Third, Sixth, Seventh, Ninth, and Eleventh Circuits have aligned with the former of these standards, whereas the Second, Fourth, and Eighth apply the latter standard.
Although certiorari petitions have been made in some of these cases, the Supreme Court has not taken the opportunity to resolve this split, with the latest certiorari denial coming in February 2018. In that case, petitioners were seeking to overturn the D.C. Circuit Court’s ruling that plaintiffs established Article III standing by pleading that they were exposed to a substantial risk of future injury due to the theft of their personal information in a data breach at CareFirst. The D.C. Circuit Court explained its rationale for maintaining that standing standard in stating that, “[p]resumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”
However, this “sooner or later” language does not gel with the Supreme Court’s position on Article III standing, most recently summarized in its decision in Spokeo v. Robins, Inc. There, the Supreme Court stated that to satisfy standing under Article III, a “plaintiff must have (1) suffered an injury in fact, (2) directly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by favorable judicial decision.” The Court expanded on this, stating that to establish an injury in fact, the plaintiff must show concrete and particularized injury that is not merely “conjectural or hypothetical.” Basing standing on the fact that “sooner or later” fraudulent charges are likely to occur as a result of a breach of personal information thus seems squarely at odds with the Supreme Court’s direction on Article III standing, which makes its silence on the current Circuit split confusing.
However, there are still solid grounds for the D.C. Circuit’s position on standing in data breach cases. Since consumer information and data have become monetized, there is intrinsic value to the information that is stolen in a cyber breach, based on consumers’ ability to control that information and retain exclusivity over it. As a breach compromises that control and exclusivity, it also effectively diminishes the value of their personal data—which is a cognizable and immediate injury, prior to any shown data access or misuse. This is one of the streams of argument that the Ninth Circuit relied on in finding plaintiffs had standing in its In re Facebook Privacy Litigation decision.
As private data becomes increasingly commoditized, with smart appliances, activity trackers, smart phones, and online access becoming more central elements in many people’s lives and companies becoming more reliant on this information to produce revenue, the argument for standing based on the loss of sales value in that information caused by a breach is likely to be even more persuasive if and when this issue comes before the Supreme Court. For now, however, the denial of certiorari in CareFirst has the effect of permitting plaintiffs in the D.C. Circuit to have standing based on a substantial risk of harm from data stolen in a breach.
Despite the lack of uniform standards, the consequence of the split is not all bad. While the disparate interpretations of Article III standing amongst the Circuit Courts remain, data breach plaintiffs will likely seek to steer their cases to the six Circuits that permit standing without a showing of actual data misuse. Allowing plaintiffs to take advantage of the more relaxed standing requirements in those courts has the potential effect of pushing companies to invest in more comprehensive cybersecurity as a way to better protect against litigation risk and therefore better protect these consumers in the first place.
Though companies are incentivized to invest more heavily in digital technology for efficiency purposes, they are not equally incentivized to protect the data they are putting at risk. Lower plaintiff-standing thresholds can have the consequence of providing a positive feedback loop toward more data privacy protection that is currently being underproduced. The Supreme Court may indeed see such a policy consequence as beyond its purview, but until such a time as U.S. regulators step up to provide an adequate solution to the data protection issue, this positive fallout is welcome.
The Courts fundamentally face a moving target as the use of data has hit the point where each individual, knowingly or not, has economic value that can be derived from their activities and personal information. That economic value is only increasing. The theft of personal information has a direct effect on that economic value, both by compromising an individual’s ability to completely control the sale of that information and through its misuse. Although there have been some policy attempts to manage the concerns that data breaches give rise to, without more direction from the Supreme Court on applying Article III requirements to these issues, companies, individuals, and in particular their lawyers, are left hovering in an undetermined legal environment.