Fourth Circuit Decision Seizes Middle Ground on the Issue of Standing in Data Breach Cases

Advertisement

In the latest decision in the concerning standing in data breach cases, the Fourth Circuit has vacated a district court’s dismissal and reinstated putative class action data breach litigation against the  National Board of Examiners in Optometry Inc.,. (“NBEO”).  In Hutton v. National Board of Examiners in Optometry, Inc., the court ruled that the plaintiffs alleged sufficient injury to meet the Article III standing requirement by virtue of hackers’ theft and misuse of plaintiffs personally identifiable information (“PII”), notwithstanding the absence of any allegation that the misuse had resulted in pecuniary loss to the plaintiffs.  In so ruling, the Fourth Circuit struck a middle course on the question of when misuse of sensitive PII results in a sufficient injury to confer standing to sue in federal court.

Plaintiffs in Hutton were optometrist members of the defendant NBEO.  They brought the lawsuit after NBEO members learned that credit cards had been opened in their names.  Doing so required access to PII, including members’ correct social security numbers and birthdates.  Members surmised that the NBEO, which collected such PII from its members, was the likely source of the PII used to open the credit cards, and the lawsuit ensued.

Advertisement

NBEO moved to dismiss, arguing that because plaintiffs were held harmless for the fraudulent credit card accounts, they had suffered no injury as a result of the data theft and, therefore, lacked standing to sue.  The trial judge in the District of Maryland agreed, and dismissed plaintiffs’ claims.  In order to establish Article III standing, the district court reasoned, a plaintiff must have suffered an injury that is concrete and actual or imminent, is traceable to the defendant, and is remediable by a favorable judicial decision. The court found that the plaintiffs were not injured because they neither incurred fraudulent charges nor had been denied credit. Applying reasoning from a prior Fourth Circuit decision, Beck v. McDonald, the trial court concluded that although the plaintiffs’ PII was compromised, it was not accompanied by misuse and, therefore, plaintiffs failed to satisfy the injury-in-fact requirement for standing.

On appeal, the Fourth Circuit rejected the lower court’s finding that the plaintiffs suffered no injury. The appellate panel distinguished this case from Beck, focusing on the plaintiffs’ allegations that they were victims of identity theft and credit card fraud. The appellate panel in Hutton found that identity theft and credit card fraud constituted misuse of the compromised personal information sufficient to satisfy the injury requirement of Article III standing. Furthermore, the court recognized that the plaintiffs incurred out-of-pocket expenses related to the effects of the data breach. The court found that these costs further supported that the plaintiffs’ have standing.

Advertisement

The result falls somewhere in the middle of the divide among the federal appellate circuits as to whether stolen PII results in a sufficient injury to give rise to standing. The D.C. Circuit recently aligned with the SixthSeventh, and Ninth Circuits, which have held that the threat of misuse of personal data is an injury sufficient to confer standing. The SecondThird, and Eighth Circuits, however, require actual misuse of personal information in order for a plaintiff to establish standing. Hutton reinforces the Fourth Circuit stance that misuse must accompany the compromise of personal data, but departs from other circuits requiring misuse in that there need not be any pecuniary loss for the misuse to confer standing.  The inconvenience of having to rectify fraudulent credit card accounts was deemed sufficient injury to trigger standing.  This signals further development of the standing issue in the lower courts which could, over time, influence the Supreme Court to agree to weigh in on this question.

Advertisement

Thanks to San Diego summer associate Kyle Hess for his contributions to this post.

©1994-2018 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

Published by

National Law Forum

A group of in-house attorneys developed the National Law Review on-line edition to create an easy to use resource to capture legal trends and news as they first start to emerge. We were looking for a better way to organize, vet and easily retrieve all the updates that were being sent to us on a daily basis.In the process, we’ve become one of the highest volume business law websites in the U.S. Today, the National Law Review’s seasoned editors screen and classify breaking news and analysis authored by recognized legal professionals and our own journalists. There is no log in to access the database and new articles are added hourly. The National Law Review revolutionized legal publication in 1888 and this cutting-edge tradition continues today.