(Reuters) - On Tuesday, U.S. District Judge Amy Berman Jackson of Washington, D.C., dismissed two consolidated class actions by more than 21 million federal employees whose most sensitive personal information was exposed in four breaches of Office of Personnel Management databases. Judge Jackson concluded the federal employees could not establish their threshold right to sue in federal court because they had not shown they faced imminent risk of identity theft, even though nearly two dozen of those named in the class actions claimed their confidential information has already been misused.
Constitutional standing for data breach victims has divided courts in the past several years, as Judge Jackson acknowledged in her thoughtful, 74-page opinion. The U.S. Supreme Court, she predicted, will ultimately have to decide whether the increased risk of identity theft is enough to give data breach victims a right to sue. The law may be headed in that direction, Judge Jackson said, but it’s not there yet.
The judge distinguished the OPM case from a data breach class action against the health insurer CareFirst. In August, the District of Columbia U.S. Circuit Court of Appeals held that CareFirst policyholders have a right to sue based simply on the theft of their social security and credit card numbers because the theft alone puts them at “a substantial risk of harm.” D.C. Circuit rulings bind Judge Jackson, but she found the OPM plaintiffs aren’t facing the same risk of identity theft as those in the CareFirst case, even though arguably more of their personal data was exposed.
The motives of the OPM hackers, the judge said, are not as clear as the D.C. Circuit assumed in the CareFirst case. If, as some investigators have concluded, the Chinese government was responsible for the OPM breaches, identity theft may not have been the goal of the hack.
Reasonable minds can differ about Judge Jackson’s analysis of how the D.C. Circuit’s CareFirst precedent applies to the OPM cases. (And, as Law.com was the first to report, plaintiffs in one of the OPM class actions the judge dismissed took no more than an hour to file a notice of appeal.) More broadly, data breach victims and defendants can bicker endlessly about the prongs of a universal test for standing in these class actions. Is the most important factor the kind of data that was stolen? The motive of the thief? Allegations that the stolen information has already been misused? Claims that victims have laid out their own money to avert identity theft?
Appellate courts have reached a variety of conclusions about which factor matters most. And as Judge Jackson said, it will almost certainly fall to the Supreme Court to fashion a nationwide test for standing for data breach victims. I’ve reported that CareFirst has already told the D.C. Circuit it intends to file a petition for Supreme Court review of the August decision. I don’t know, of course, if this will be the case the justices take, but it seems clear that without Supreme Court help, lower court judges are going to continue to struggle to figure out when data breach victims can sue.
With the litigation rights of scores of millions of consumers and employees at stake, I’d ordinarily be pushing for the Supreme Court to grant review and define those rights. And I do believe the justices are obliged to provide guidance, whether it’s in the CareFirst case or a subsequent class action. They’ll have no shortage of opportunities, given the steady flow of corporate hacks.
But I’m beginning to think the judicial system isn’t the ultimate solution for the problem of redress for data breach victims. The problem is too big – and that creates ways for defendants to avoid liability in the courts. Nearly 22 million federal employees were left vulnerable in the OPM breaches. Nearly 80 million people saw confidential health and financial records exposed in a cyberattack on the health insurer Anthem. More than 40 million credit cards were put at risk in a breach at Target, and more than 50 million at Home Depot. The recently announced Equifax breach put personal data from 143 million consumers in the hands of hackers. And cyberattacks on Yahoo gave hackers access to identifying information from as many as 500 million accounts.
We’ve already seen defendants in data breach class actions argue that victims cannot trace alleged identity or credit card fraud to any particular hack. Those causation arguments, which defendants have asserted not only to challenge standing but in subsequent dismissal and class certification motions, are only going to become more powerful as breaches proliferate.
Arguing against any single defendant’s liability by claiming widespread security lapses is an exercise only a class action defense lawyer could love. But the arguments are legitimate. Even in class actions, defendants are only supposed to be on the hook for injuries resulting from their own wrongdoing. Equifax isn’t liable for identity fraud stemming from the OPM breach. As personal information is exposed in overlapping hacks, it will be more difficult for plaintiffs to attribute injuries to a single defendant’s negligence.
What about the vast majority of victims whose information has not yet been misused? They are often offered credit monitoring and, in data breach class action settlements, a small amount of money for the time and expense they’ve devoted to safeguarding their accounts. But again, overlapping breaches could benefit defendants. Is Equifax, for instance, obliged to compensate consumers whose accounts are already being monitored under the Anthem settlement? And is a class action claims process the most efficient way to assure that people are protected from identity theft?
I haven’t thought of an alternative that will deliver more efficient identity theft protection with great fairness and efficiency than data breach class actions. In a conversation last week, a plaintiffs’ lawyer floated the idea of a federally-administered claims program. I don’t know if more government is the answer for data breach victims. But I’m pretty sure that, in the long run, class actions are not.
Our Standards: The Thomson Reuters Trust Principles.