Data breaches continue to grow at a torrid pace, often spurring consumer class action litigation in their wake. And successful data breach litigation can empty a corporate defendant's coffers. Take, for instance, the $575 million deal Equifax recently reached to settle class litigation stemming from its 2017 mega-breach that impacted over 100 million individuals. Consequently, companies handling consumer personal information must be prepared to forcefully defend such high-stakes litigation.

Fortunately, Article III standing serves as a viable defense to obtain dispositive dismissals from a wide range of data breach class actions in federal court. While a current circuit split exists over the threshold for establishing standing in such cases, the U.S. Court of Appeals for the Third Circuit recently articulated a middle-of-the-road standard that provides a significant opportunity for defendants to completely dispose of litigation at the pleading stage based on an absence of constitutional standing.

Overview of Article III Standing in Data Breach Class Actions

To establish Article III standing in federal court, a plaintiff must establish three core elements: an injury-in-fact; causation; and a likelihood that the injury will be redressed by a favorable decision. To establish a cognizable injury-in-fact, a plaintiff must show that he or she suffered "an invasion of a legally protected interest" that is "concrete and particularized" and "actual or imminent, not conjectural or hypothetical." Where a plaintiff seeks to establish an injury-in-fact based on an imminent injury, that threatened injury must be "certainly impending."

In the context of data breach class action litigation, the question of whether Article III standing can be satisfied is often dispositive of the outcome of an action. However, a deep circuit split currently exists between the federal appellate courts regarding the level of proof required to establish standing in data breach class actions—particularly as it relates to demonstrating a sufficiently "concrete" injury-in-fact, and whether allegations of an increased risk of future identity theft are sufficient to satisfy this aspect of the standing test.

Article III Standing in the Third Circuit

The Third Circuit first addressed the applicable standard for establishing Article III standing in the data breach context in Reilly v. Ceridian, 664 F.3d 38 (3d Cir. 2011). Despite being handed down almost a decade ago, Reilly remains the seminal data breach standing decision in the Third Circuit.

Reilly involved allegations that an unknown hacker infiltrated the defendant's payroll system and potentially gained access to personal and financial information belonging to the plaintiffs and approximately 27,000 other employees at 1,900 companies. It was unknown whether the hacker read, copied, or understood the data. The plaintiffs alleged injuries in the form of an increased risk of identity theft, costs incurred to monitor their credit activity, and emotional distress—but did not allege any actual misuse of their data.

On appeal, the Third Circuit held plaintiffs' allegations of hypothetical, future injuries were insufficient to establish standing, as their alleged future harm was neither imminent nor certainly impending.

First, the court found plaintiffs' claimed injury relating to an increased risk of identity theft did not establish standing under Article III. In doing so, the Third Circuit emphasized the plaintiffs' contentions relied on speculation that the hacker: read, copied, and understood their personal information; intended to commit future criminal acts by misusing the information; and was able to use that information to the detriment of the plaintiffs. The court characterized this harm as a "string of hypothetical injuries" that was insufficiently "actual or imminent" to confer standing.

In addition, the absence of any evidence the intrusion was intentional or malicious or that any data was misused further supported the conclusion this claimed harm was not an "actual or imminent" injury. Ultimately, because plaintiffs had yet to suffer any harm, their alleged increased risk of future identity theft was nothing more than speculation—which failed to meet the "certainly impending" injury-in-fact standard.

The Third Circuit also held plaintiffs' alleged time and money expenditures to monitor their information failed to establish standing. Here, the court reasoned costs incurred to watch for a speculative chain of future events based on hypothetical criminal acts were no more of an actual injury than the alleged increased risk of injury underpinning plaintiffs' claims. Because any expenses incurred by plaintiffs were not the result of an actual injury, but rather, related only to the speculative misuse of their data, this injury also failed to confer standing.

Combined, the Third Circuit held plaintiffs failed to plead sufficient facts to demonstrate standing under Article III and affirmed the district court's order granting the defendant's motion to dismiss.

The Third Circuit again addressed the issue of standing in In re Horizon Healthcare Services Data Breach Litigation, 846 F.3d 625 (3d Cir. 2017). Horizon involved the theft of two laptops containing plaintiffs' unencrypted personal health information. The plaintiffs sued under the Fair Credit Reporting Act (FCRA), arguing the violation of their statutory right to have their personal information secured against unauthorized disclosures was, in-and-of itself, an injury-in-fact, even absent any allegation that their data had been misused.

On appeal, the Third Circuit held the violation of the plaintiffs' FCRA statutory rights constituted a cognizable injury-in-fact sufficient to confer standing. In doing so, the Third Circuit relied heavily on its prior decisions in In re Google Cookie Placement Consumer Privacy Litigation, 806 F.3d 125 (3d Cir. 2015), and In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262 (3d Cir. 2016), which were decidedly in favor of allowing individuals to sue to remedy violations of their statutory rights, even without additional injury.

In its analysis, the Third Circuit applied the two tests articulated by the U.S. Supreme Court in Spokeo v. Robins, 136 S. Ct. 1540 (2016), for determining whether an intangible injury is sufficiently "concrete" to establish standing. The court first looked to history—i.e., whether an alleged intangible harm is closely related to a harm that has traditionally been regarded as providing a basis for a lawsuit. Here, the court explained the defendant's actions did not need to give rise to a cause of action under the common law; instead, it was enough that the intangible harm the FCRA sought to remedy has a close relationship to the historical tort of invasion of privacy.

Applying Spokeo's second test—i.e., the congressional test—the Third Circuit reasoned that in enacting the FCRA Congress established that the unauthorized dissemination of personal information by a credit reporting agency causes an injury in-and-of itself—regardless of whether the disclosure of that information increased the risk of identity theft or some other future harm. Taken together, the plaintiffs had standing.

Although the Third Circuit found in favor of the plaintiffs on the issue of standing, the court rejected plaintiffs' argument that the defendant's offering of free credit monitoring should be taken as an acknowledgement that it put the plaintiffs at a significantly increased risk of identity theft. The court reasoned that the offer should not be used against the defendant as either a concession or a recognition that the plaintiffs had suffered injury, as a rule of this nature would disincentivize companies from offering credit or other monitoring services in the wake of a breach.

Importantly, the court also discussed the key factors distinguishing Horizon from Reilly; namely, Congress' decision to prohibit the unauthorized disclosure of data under the FCRA. Thus, the Horizon plaintiffs did not complain solely of future injuries, as Congress has elevated the unauthorized disclosure of information into a tort, which was not speculative in any respect. In contrast, the Reilly plaintiffs' claims were based solely on the common law and concerned alleged injuries of increased risk of identity theft and costs incurred to mitigate that risk. Those common law claims, the court noted, centered on future injuries plaintiffs expected to suffer as a result of a data breach, such as the increased risk of identity theft, which were too speculative to confer standing.

Analysis and Takeaways

Taken together, Reilly and Horizon operate to create a dividing line between circumstances where standing might exist in the Third Circuit.

Under Horizon, standing can often be established where plaintiffs are able to allege violations of federal privacy law—which are considered de facto injuries, and thus sufficient to confer standing even in the absence of any economic loss or other injury.

Conversely, where only common law claims are asserted, alleged injuries relating to an increased risk of fraud and identity theft (as well as costs incurred to mitigate such risks)—which involve only claims of future injuries, but where no injury or harm has occurred—may be too speculative to establish standing.

The other significant takeaway from these two cases is the Horizon court's rejection of the use of remedial mitigation efforts to assist breach victims as evidence of an injury sufficient to establish standing. This holding departs from the position taken by other federal courts—including the Sixth Circuit—which have held such offers serve as evidence of a cognizable injury-in-fact. This much more plaintiff-friendly position leaves data breach defendants in a particularly troublesome dilemma: offer credit monitoring services to impacted individuals and, in doing so, assist class action plaintiffs in making their case for Article III standing; or forgo assisting those involved in the breach in an attempt to avoid future class action litigation down the road.

Conclusion

To date, the Second, Third, Fourth, and Eighth circuits have found allegations of an increased risk of future identity theft fall short of demonstrating a cognizable injury-in-fact in data breach class action litigation. Conversely, the Sixth, Seventh, Ninth, Eleventh, and D.C. circuits have all found such allegations are sufficient to establish Article III standing in the breach context. Ultimately, this uncertainty regarding the level of proof required to establish standing will continue moving forward until a definitive ruling is handed down by the U.S. Supreme Court.

While standing will continue to remain a very fact-specific inquiry, the Third Circuit has provided businesses with a blueprint to procure an early exit from a wide range of data breach class actions via an Article III standing defense. Corporate defendants that find themselves on the receiving end of a data breach class action in the Third Circuit should analyze the potential applicability of this defense at the outset. Pursuant to Reilly and Horizon, where a plaintiff's claims are limited to the common law and involve no actual injury in the form of sustained identity theft, an early motion to dismiss asserting a lack of Article III standing should be pursued to dispose of the case at an early juncture. In addition, corporate defendants should highlight any absence of evidence that: malicious actors actually accessed or acquired the data in question; the breach was intentional or malicious; and the data was misused, all of which further demonstrate that the alleged injuries in question are not sufficient to meet the "certainly impending" injury-in-fact standard.

Jeffrey N. Rosenthal is a partner in the Philadelphia office of Blank Rome and a member of the firm's cybersecurity and data privacy and privacy class action defense groups. He concentrates his complex corporate litigation practice on consumer and privacy class action defense, and regularly publishes and presents on class action trends, attorney ethics and social media law. He can be reached at [email protected].

David J. Oberly is an attorney in the Cincinnati office of the firm and is a member of the firm's cybersecurity and data privacy and privacy class action defense groups. Oberly's practice encompasses both counseling and advising sophisticated clients on a wide range of cybersecurity, data privacy, and biometric privacy matters, as well as representing clients in the defense of privacy and biometric privacy class action litigation. He can be reached at [email protected].