Cybersecurity and consumer data breaches pose a real and continuing concern, as theft of sensitive information leaves its victims vulnerable to incidents of identity fraud. However, court precedent has shown a reluctance to hear any cases that cannot prove “certainly impending” harm from such theft. The Supreme Court’s decision in Clapper v. Amnesty has guided later court decisions on these issues. In Clapper, plaintiffs sued to have the Foreign Intelligence Surveillance Act (FISA) of 1978 declared unconstitutional. The plaintiffs claimed that the U.S. government was likely to use FISA to seize their communications with third parties overseas, who would have shared sensitive information with the plaintiffs’ attorneys. The Court found that the plaintiffs failed to meet Article III standing requirements to bring their lawsuit in court, as the court was not certain that the government would intercept any of the plaintiffs’ communications, and any risk of future harm was too speculative.
For these cases to move forward, plaintiffs must establish Article III standing, which consists of three minimum requirements: an injury-in-fact, which is a concrete and particularized invasion of a legally protected interest; causation, which requires a fairly traceable connection between the alleged injury in fact and the alleged conduct of the defendant; and redressability, which requires that it is likely and not merely speculative that the plaintiff’s injury will be remedied by the relief plaintiff seeks in bringing suit.
The Fourth Circuit is now the latest federal court to decide whether individuals have standing to sue an organization or firm for negligence in cases of consumer data and cybersecurity breaches. The Beck v. McDonald lawsuit stems from two unrelated incidents that occurred at the William Jennings Bryan Dorn Veterans Affairs Medical Center in Columbia, South Carolina. The Beck case arises from an incident in February of 2013, when a laptop was stolen from the facility. The laptop contained unencrypted personal information of approximately 7,400 patients, including names, birth dates, the last four digits of Social Security numbers, and physical descriptors. Results of an internal investigation showed that this use of an unencrypted laptop to store patient information was against protocol. The Dorn VAMC notified Richard Beck and the other patients of the theft and offered to pay for one year of credit monitoring. The plaintiffs sued then-VA secretary Robert McDonald and other officials for violations of the Privacy Act of 1974, 5 U.S.C.A. § 552(a), the Administrative Procedure Act, 5 U.S.C.A. § 701, and common law negligence. The district court dismissed the suit. It found that, pursuant to Clapper, the Beck plaintiffs lacked Article III standing because they had not shown sufficient evidence of “certainly impending” identity theft.
The other incident of the Beck lawsuit, the Watson case, arises from an incident in July 2014, when the Dorn VAMC discovered that four boxes containing pathology reports had disappeared. The reports contained personal information of over 2,000 patients, including names, Social Security numbers, and medical diagnoses. As they had done following the laptop incident, the Dorn VAMC notified the patients of the stolen documents and offered each of them one year of free credit monitoring. The plaintiffs sued along similar lines as the Beck plaintiffs.
The district court also dismissed this suit for a lack of standing. It held that the plaintiffs lacked standing because it was speculative that information from the documents would eventually be misused.
Beck and Watson both appealed to the Fourth Circuit, which joined the two cases and affirmed the district court’s rulings. The Fourth Circuit also applied the “certainly impending” test from Clapper, and it ruled that the risk the plaintiffs’ information could be misused was not sufficient to meet the standard of “certainly impending” harms. However, the plaintiffs argued that the district court’s ruling essentially forces plaintiffs to show concrete evidence that their personal information had been misused, which would cause someone in their position to have to wait until they were actually harmed before being able to sue. The circuit court rejected this claim while recognizing that other circuits had allowed similar suits to proceed. But it differentiated these cases on factual background information, as the cases that were allowed to proceed had shown that the thieves had intentionally targeted the personal information of the plaintiffs, implying a higher probability of impending harm.
However, it seems that there may be a better approach for plaintiffs to establish Article III standing to sue for cybersecurity breaches. In one of the footnotes, the Fourth Circuit also addressed a data breach suit against Horizon Healthcare Services that was allowed to move forward. The plaintiffs successfully established standing by alleging that Horizon Healthcare Services violated a privacy statute, and that in and of itself was a de facto injury, satisfying the concreteness requirement for Article III standing. The Fourth Circuit noted that the Beck plaintiffs did not argue for standing on a statutory violation alone. It also noted that the tactic has had varying levels of success, citing the decision in Gubala v. Time Warner Cable, Inc. However, despite an imperfect track record of success, it seems that an attempt to establish Article III standing via statutory violation as an injury-in-fact may be the more promising route for a plaintiff without an abundance of evidence to show inflicted or “certainly impending” harm.
Haley Amster is a junior from Los Angeles, California studying Philosophy.