(Reuters) - U.S. appellate courts cannot seem to make up their minds about whether data breach victims have the right to sue in federal court. Some, as I’ll explain, have ruled that the risk of identity theft is sufficiently concrete to meet constitutional standing requirements. Others have held that risk to be too speculative to give breach victims a right to sue. This week, the 8th U.S. Circuit Court of Appeals weighed in, reviving a class action against SuperValu Inc, with a whole new appellate interpretation of standing in data breach litigation.
The 8th Circuit opinion doesn’t simply deepen the split amongst the circuits but digs a new trench. The decision adds to ongoing appellate uncertainty about standing in data breach litigation, just as the defendant in a recently decided data breach case in the District of Columbia moved for a stay so it can bring the issue to the U.S. Supreme Court.
Until this week’s 8th Circuit ruling, federal appeals courts have focused on data breach victims’ risk of identity theft or credit card fraud. In a landmark decision in 2015, the 7th Circuit upended conventional wisdom when it ruled in Remijas v. Neiman Marcus that the risk alone is substantial enough to grant constitutional standing to people whose information has been hacked. As Kevin LaCroix recently detailed at the D&O Diary, the 3rd and 6th Circuits subsequently reached the same conclusion.
Most recently, the D.C. Circuit held on Aug. 1 that CareFirst policyholders have standing to sue over a 2014 breach of the insurer’s computers. Hackers allegedly stole data including not just identifying information about CareFirst subscribers, such as birthdates and email addresses, but also credit card and social security numbers. The appeals court said the theft gave rise to a substantial risk for breach victims, “simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken.”
The 2nd and 4th Circuits, however, have both ruled this year that the risk is not sufficiently imminent or concrete to meet the tests the Supreme Court laid out in 2013’s Clapper v. Amnesty International and 2016’s Spokeo v. Robins. The 2nd Circuit’s decision in Whalen v. Michaels Stores is just a summary order, but the 4th Circuit’s published opinion in Beck v. McDonald concluded that the link between data theft and potential harm to people whose information was stolen is too attenuated to establish standing.
The 8th Circuit actually agreed with that reasoning in this week’s SuperValu decision, written by Judge Jane Kelly for a panel that also included Judges Lavenski Smith and Steven Colloton. The SuperValu breach did not expose social security numbers, birthdates or driver’s license numbers, the court said. Without that information, the court concluded, it’s unlikely that hackers could steal victims’ identities, so plaintiffs in the class action could not rely on the risk of imminent harm to establish their right to sue.
But one of the named plaintiffs in the case claimed that after the data breach, someone used his credit card to make an unauthorized purchase – and the 8th Circuit said his allegation of misuse was a concrete injury that met constitutional standing requirements for the class action. SuperValu’s lawyers at Ropes & Gray argued there was no evidence the supposedly unauthorized purchase was the result of the SuperValu hack, but the 8th Circuit said the allegation is enough to establish standing. Causation arguments, the opinion said, are more appropriate for a dismissal motion.
By holding that a supposedly unauthorized use of a data breach victim’s information establishes standing regardless of whether that use was actually the result to the breach, the 8th Circuit seems to me to have opened a new door for data breach class actions. (SuperValu lawyer Harvey Wolkoff of Ropes & Gray declined to comment.)
So far, according to Westlaw records, the Supreme Court has considered only one data breach petition, from the 4th Circuit case I mentioned above. The justices denied review last June. But based on a motion in the CareFirst case at the D.C. Circuit, the court will have another chance to consider standing in data breach class actions in the upcoming terms.
CareFirst’s lawyers at Eversheds Sutherland asked the appeals court to stay its mandate reviving the policyholders’ class action for 90 days so the insurer can file a petition for Supreme Court review. Its motion argued there’s a good likelihood the Supreme Court will take the case “to guide courts in sorting out the claims of truly injured victims of data breaches from those who file class actions without being able to allege that any harm is real or immediate.”
The stakes are going up in cyber breach cases. Anthem agreed in June to pay a record $115 million to settle a class action in federal court in San Jose. The judge who presided over the Anthem case, U.S. District Judge Lucy Koh, just this week refused to dismiss gargantuan consolidated data breach class actions against Yahoo. As cyber attacks proliferate, the threshold issue of standing becomes ever more important – and sooner than later, the Supreme Court is going to have to get involved.