In the latest decision in the concerning standing in data breach cases, the Fourth Circuit has vacated a district court’s dismissal and reinstated putative class action data breach litigation against the National Board of Examiners in Optometry Inc.,. (“NBEO”). In Hutton v. National Board of Examiners in Optometry, Inc., the court ruled that the plaintiffs alleged sufficient injury to meet the Article III standing requirement by virtue of hackers’ theft and misuse of plaintiffs personally identifiable information (“PII”), notwithstanding the absence of any allegation that the misuse had resulted in pecuniary loss to the plaintiffs. In so ruling, the Fourth Circuit struck a middle course on the question of when misuse of sensitive PII results in a sufficient injury to confer standing to sue in federal court.
Plaintiffs in Hutton were optometrist members of the defendant NBEO. They brought the lawsuit after NBEO members learned that credit cards had been opened in their names. Doing so required access to PII, including members’ correct social security numbers and birthdates. Members surmised that the NBEO, which collected such PII from its members, was the likely source of the PII used to open the credit cards, and the lawsuit ensued.
NBEO moved to dismiss, arguing that because plaintiffs were held harmless for the fraudulent credit card accounts, they had suffered no injury as a result of the data theft and, therefore, lacked standing to sue. The trial judge in the District of Maryland agreed, and dismissed plaintiffs’ claims. In order to establish Article III standing, the district court reasoned, a plaintiff must have suffered an injury that is concrete and actual or imminent, is traceable to the defendant, and is remediable by a favorable judicial decision. The court found that the plaintiffs were not injured because they neither incurred fraudulent charges nor had been denied credit. Applying reasoning from a prior Fourth Circuit decision, Beck v. McDonald, the trial court concluded that although the plaintiffs’ PII was compromised, it was not accompanied by misuse and, therefore, plaintiffs failed to satisfy the injury-in-fact requirement for standing.
On appeal, the Fourth Circuit rejected the lower court’s finding that the plaintiffs suffered no injury. The appellate panel distinguished this case from Beck, focusing on the plaintiffs’ allegations that they were victims of identity theft and credit card fraud. The appellate panel in Hutton found that identity theft and credit card fraud constituted misuse of the compromised personal information sufficient to satisfy the injury requirement of Article III standing. Furthermore, the court recognized that the plaintiffs incurred out-of-pocket expenses related to the effects of the data breach. The court found that these costs further supported that the plaintiffs’ have standing.
The result falls somewhere in the middle of the divide among the federal appellate circuits as to whether stolen PII results in a sufficient injury to give rise to standing. The D.C. Circuit recently aligned with the Sixth, Seventh, and Ninth Circuits, which have held that the threat of misuse of personal data is an injury sufficient to confer standing. The Second, Third, and Eighth Circuits, however, require actual misuse of personal information in order for a plaintiff to establish standing. Hutton reinforces the Fourth Circuit stance that misuse must accompany the compromise of personal data, but departs from other circuits requiring misuse in that there need not be any pecuniary loss for the misuse to confer standing. The inconvenience of having to rectify fraudulent credit card accounts was deemed sufficient injury to trigger standing. This signals further development of the standing issue in the lower courts which could, over time, influence the Supreme Court to agree to weigh in on this question.
Thanks to San Diego summer associate Kyle Hess for his contributions to this post.