While data breach lawyers wait for the U.S. Supreme Court to more clearly define when a hack confers standing on the individual whose personally identifying information (PII) is stolen, the Circuit Courts of Appeals continue to choose sides over a useful standard. On June 12, 2018, the Fourth Circuit weighed in to hold that the individual has standing when the data is actually misused, such as when the hackers open fraudulent credit cards with the stolen PII, and the individual spends time and resources on mitigating harm from the breach.
In Hutton v. National Board of Examiners in Optometry, the plaintiffs (a class of optometrists) alleged that hackers stole their personally identifying information (PII) — consisting of names, social security numbers, birthdates, addresses, and credit card information — from the National Board of Examiners in Optometry (NBEO), and used the information to fraudulently open credit card accounts in their names. The plaintiffs alleged as harm that they faced an increased risk of identity theft, and that they spent time and money putting credit freezes in place with the credit reporting agencies, and on filing reports with regulators and law enforcement. The district court held that these plaintiffs lacked standing because the plaintiffs incurred no fraudulent charges on the fraudulent credit cards, and had not been denied credit or incurred higher interest rates or fees. The Fourth Circuit reversed.
The court held that the misuse of the PII alone can confer standing, even without the plaintiffs incurring economic harm in the form of responsibility for fraudulent charges. The court cited the Supreme Court’s 2013 decision in Clapper v. Amnesty Int’l USA, 568 U.S. 398 (2013), which held that standing exists based on risk mitigation costs incurred when a substantial risk of harm exists. The Fourth Circuit acknowledged that incurring costs to mitigate against future identity theft may be too speculative to confer standing in instances where no misuse of the PII has occurred. But if identity theft has already occurred, then “substantial risk of harm actually exists” and the costs of risk mitigation are an injury-in-fact that confers standing.
The Hutton decision is neither unexpected nor groundbreaking, but is an important data point nonetheless. The Fourth Circuit held last year in Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), that harm from stolen data alone, without evidence of misuse, was too speculative to confer standing. The Hutton decision merely fills in the logical next step, one in which evidence of misuse removes the speculation and does confer standing. The decisions of the other Circuit Courts of Appeals that have opined on the issue show that the standing analysis is fact-dependent, and Hutton provides an additional fact scenario for comparison. The Third, Sixth, Seventh, and D.C. Circuits have all recognized that standing can be conferred without evidence of misuse if the PII includes enough information to make identity theft substantially likely. The Second and Eighth Circuits have held that evidence of misuse is required, but in cases where the stolen data consisted of credit card information rather than PII, thereby carrying little risk of future harm once the stolen card number is cancelled.
Ultimately, most of the Courts of Appeals appear to be converging on a standard for standing that requires the theft of PII that makes identity theft likely, and the incurring of some costs, whether in the form of risk mitigation or to remedy actual identity theft. While the Hutton case involved actual misuse of the stolen data, the decision leaves open the possibility of finding standing without misuse where PII is stolen under circumstances that carry a heightened risk of misuse.