And Now…It’s the 8th Circuit’s Turn
Blogtrepreneur via flickr


Perhaps nowhere is the tension between our legal concepts and the new issues created by technology as evident as in the cases dealing with data breach and standing. Standing is a fundamental constitutional concept: simply put, to sue in our system you must have damage, or at least a real, serious and identifiable threat of damage. The guy who cuts us off in traffic may make us mad, but he hasn’t caused us any real damage, at least none we can recover for. Standing is a bedrock principle of our legal system.

But what happens when the event involves not road rage but theft of information? Personal information. Information that can be, but is not always, used to harm us. And layer on top of this the fact that in some cases involving stolen financial information, if you are harmed, a third party, a bank, will protect you against loss.

But what about in the meantime? What about worry? Inconvenience? And it’s downright creepy that someone may know and have access to some of your innermost secrets you keep online. Is the loss of that privacy real damage?


This is the dilemma facing courts in addressing standing issues in data breach. Looking at it traditionally, maybe you say, yeah, it’s no fun, but lots of inconvenient things happen to us that we can’t sue for. Come back when you’re really injured. But if privacy has any importance to us as a society, don’t we want to encourage protection against losing it? As a society, we value privacy. So much so that the Supreme Court many years ago recognized privacy as a fundamental right in Griswold v. Connecticut. But most experts will tell you that it’s impossible to prevent data breaches from occurring. To paraphrase Dan Patrick of ESPN: “You can’t stop them, you can only hope to contain them.” Does it make sense to impose liability based on events that we recognize are inevitable?

So, it is easy to see why courts struggle, and why different federal courts and circuits have reached radically different views of the subject. As I have written (“Data Breach Litigation: the Sky is Falling or a Failure of Proof?”; “What’s Your Privacy Really Worth”; “O’ Standing, Where Art Thou”; “On the Brink of a Class Action Sea Change? SCOTUS to Hear Robins and Critical Standing Issues”; “Robins v. Spokeo Inc: the Light at the End of the Tunnel for Rule 23 Privacy Class Actions…or the Headlights of an Oncoming Train”; and “Spokeo v. Robins”), the law is developing and there is no clear answer other than that the resolution may depend on the forum. Never a great answer. Just as in mass tort, a vineyard in which I labored many years, where the sheer number of alleged victims colors judicial perceptions, the number and severity of data breaches have placed pressure on the judiciary to find solutions and remedies for those who understandably fear what might happen to them. Courts are torn between wanting to do something about what seems to be a tidal wave of cyber intrusions that must be curtailed and sympathetic innocent “victims” on the one hand, and long-standing damage concepts on the other.

So, as a result, if you are in the 3rd Circuit, the 7th Circuit and, more recently, the Court of Appeals for Washington D.C. (see Chantal Attias v. CareFirst, Inc.), you might be able to proceed. If you are in the 2nd Circuit or 4th Circuit, you might not.

And most recently, the 8th Circuit in Kuhns v. Scottrade, Inc. has weighed in with, frankly, some pretty colorful language. The case involved the compromise of some 4.6 Scottrade customers’ personally identifiable information (PII) in 2013. After the inevitable plethora of class actions, the case reached the Court of Appeals. Focusing on language in what many believe is the seminal Supreme Court case, Clapper v. Amnesty Int’l, the Court noted, “As described, the hackers stole PII data and used that data in several illegal schemes. But [plaintiff] does not contest Scottrade’s assertion that no customer affected by the 2013 data breach suffered fraud or identity theft that resulted in financial loss from the use of their stolen PII in the more than two years that passed between the data breach and the filing of the …Complaint.”

And in language that will no doubt serve as a rallying cry for data breach defendants, the Court held: “…Massive class action litigation should be based on more than allegations of worry and inconvenience.”


(While several commenters have asserted that Kuhns stands for the proposition that there is Article III standing for data breach claims, a closer reading of Kuhns shows that, while the Court did find standing for breach of contract claims against Scottrade based on the notion that its customer agreements contained representations that certain cybersecurity standards could be met, it rejected standing claims based on the notion that a mere breach of PII, without more, provided standing. It is this latter claim that forms the basis for the split in the jurisdictions.)

Conversely, those seeking to show standing in data breach cases based on a mere breach will point to Chantal, where the Court, using “experience and common sense,” found “an unauthorized party has already accessed personally identifying data on CareFirst’s servers, and it is much less speculative-at the very least, it is plausible-to infer that this party has both the intent and the ability to use that data for ill”. These two diametrically opposed holdings illustrate the crux of the tension and the struggles courts are having with our technology and the law, and with how best to protect both our systems and individuals.

Many commentators believe and hope that this conflict and tension can and will be resolved by the Supreme Court. But even that may be a pipe dream. First, SCOTUS has to be willing to take on the dispute. The Court could easily conclude that it addressed the issue the best it knew how in Clapper and that, beyond that, whether the threat of harm is imminent depends on the facts of each case. And just because SCOTUS weighs in doesn’t mean the answer will be clear: everyone thought the Spokeo decision would resolve whether a statutory or regulatory violation, without more, could supply standing. In fact, it may be that SCOTUS created even knottier issues in its decision. See “Spokeo v. Robins: A Well Executed Punt?”

In the meantime, even in Chantal, the Court noted, “CareFirst does not seriously dispute that plaintiffs would face a substantial risk of identity theft if their social security and credit card numbers were accessed by a network intruder.” As I said in a post back in August of 2015: “The bottom line is that standing in data breach class action cases has become, and perhaps always was, a factual issue. It’s important to realize and understand the factual issues involving standing: does the breach in fact present a credible imminent threat of harm or does it, as in Clapper and In Re Zappos, present only a speculative one? The key to success for defendants is understanding the difference and knowing how to marshal the facts to diminish the concrete nature of any threat.”


So even though the law may not be clear and won’t be for some time, marshaling facts and arguments, the blocking and tackling of litigation, may still be the best protection in an uncertain world.

Photo Attribution: Paul L Dineen via Flickr

 

 

 

 

 
