In the data breach case, Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), the U.S. Court of Appeals for the Fourth Circuit joined at least five other circuits in analyzing whether mere allegations of future identity theft can establish injury-in-fact as required to confer Article III standing.  There, the Court found that allegations of future harm were too speculative, particularly where there was no allegation or evidence that the confidential information was targeted or had been used fraudulently. The analysis aligns with distinctions made by other circuits between misplaced or stolen physical property cases, where the loss of confidential information is incidental, and cyberattack and hacking cases, where the thief’s intent to wrongfully use the information can be inferred.

The data breach incidents

In Beck, the named Plaintiffs (including Richard Beck and Beverly Watson) were veterans who had received medical treatment and health care services from the William Jennings Bryan Dorn Veterans Affairs Medical Center (“Dorn VAMC”). Two data breaches involving lost or stolen property occurred at the Center: (1) a laptop that contained unencrypted personal information of approximately 7,400 patients was misplaced or stolen; and (2) four boxes of pathology reports for approximately 2,000 patients were misplaced or stolen. These consolidated cases were brought against the Secretary of Veterans Affairs and Dorn VAMC officials. In both cases, Plaintiffs alleged injury due to a purported risk of future identity theft and their purchase of credit monitoring services designed to protect against this possible future harm.  The District Court found that neither set of Plaintiffs had established injury-in-fact.

Fourth Circuit upholds dismissal/grant of summary judgment

The Fourth Circuit upheld the District Court’s dismissal of the Beck Plaintiffs’ claims and grant of summary judgment on the Watson Plaintiffs’ claims, finding that each had “failed to establish a non-speculative, imminent injury-in-fact for purposes of Article III standing.” Addressing Plaintiffs’ first argument, that they were at risk of future identity theft, the Court recognized that its sister Circuits have analyzed whether an increased risk of future harm could satisfy the Article III injury-in-fact question in different ways.  The First and Third Circuits have squarely rejected that a risk of future harm can ever create standing, whether in a misplaced or stolen property case, or a cyberattack or phishing case.  The Sixth, Seventh, and Ninth Circuits, on the other hand, have found that such a risk can – under certain circumstances – constitute injury-in-fact.

The Court held that even under the Sixth, Seventh and Ninth Circuit precedent relied on by Plaintiffs, an alleged risk of future harm did not automatically satisfy the Article III injury-in-fact requirement in data breach cases.  Rather, in each of the four cases advanced by Plaintiffs, there were allegations that a cyberattack had been perpetrated by hackers seeking personal information for fraudulent purposes, stolen information had already been used fraudulently, or both. The Fourth Circuit reasoned that the cyberattack cases pushed the threatened injury “beyond the speculative to the sufficiently imminent” and were therefore not analogous, and Plaintiffs had not alleged (and there was no evidence that) information on the misplaced or stolen physical property at issue had been used fraudulently.  As such, Plaintiffs’ contention of “an enhanced risk of future identity theft” was “too speculative.”

Regarding Plaintiffs’ second argument, that the purchase of credit monitoring services created standing, the Fourth Circuit found that this was simply a repackaged version of the first failed theory of injury.  The mere fact that the Plaintiffs purchased credit monitoring services did not increase the otherwise speculative risk of future identity theft.

Our take on data breach cases

Certainly it will be more difficult for plaintiffs in the Fourth Circuit to establish standing in data breach cases where there is no indication that the personal information in question was targeted, accessed, or misused. But more generally, it shows that district and circuit courts are looking at the allegations in data breach cases with care, and not simply assuming an injury just because plaintiffs’ confidential information has been compromised.  Rather, the courts are looking at the particulars of the breach itself – physical property vs. data hack, allegations of actual fraudulent use or access vs. conclusory allegation of prospective harm – in determining whether plaintiffs have suffered injury-in-fact sufficient to confer Article III standing.

To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.