Fourth Circuit Denies Standing in Data Breach Case
Recently, the Court of Appeals for the Fourth Circuit denied plaintiffs’ standing to bring a case in which the only injuries alleged were harm from the increased risk of future identity theft and the cost of measures to protect against it. Basing its decision on recent Supreme Court cases concerning how concrete an injury must be to qualify for federal court jurisdiction, the Fourth Circuit added to the growing divide of federal circuit courts ruling on standing for victims of data breaches. The Fourth Circuit held that victims must be threatened with an injury that is “certainly impending” to have standing to bring a case.
In the case Beck v. McDonald, a group of plaintiffs had their personal information and data, including names, birth dates, last four digits of social security numbers and physical descriptors, breached because an unencrypted laptop containing that information was stolen from a health care facility where they received treatment.
Importantly, none of the plaintiffs could claim that the stolen information led to theft of their identity or was used for any other illegal purpose.
The main claims by the plaintiffs were fear of harm from future identity theft, the cost of measures to protect against such threat, and a breach of the Privacy Act of 1974. To prove a violation of the Privacy Act, a plaintiff must show that there is a “certainly impending risk of identity theft.” In order to take advantage of the federal court system, a plaintiff must show that they have suffered some harm that is concrete and actual or imminent, and not conjectural or hypothetical.
Holding the “injuries” suffered by the plaintiffs did not meet the requisite level of concreteness, the Fourth Circuit distinguished the facts before it from similar data breach cases where standing was sufficient. Underlying those cases were common allegations that sufficed to push the threatened injury of future identify theft beyond the speculative and to the sufficiently imminent. Specifically, at least one named plaintiff alleged misuse or access of the personal information that was gained as a result of the data breach. There were not such claims made by the plaintiffs in Beck.
The mere theft of personal information, without a more concrete injury, will not create an injury sufficient to create standing. However, standing could be found if there were substantial risk that a harm from the data breach were to occur, causing a party to reasonably incur costs to mitigate or avoid identify theft. On this issue, the Fourth Circuit similarly found that the allegations of a “substantial risk” were too attenuated to confer standing on the parties, as the costs incurred to obtain identify theft protection were in response to a “speculative threat” rather than an imminent injury.
