Whether it’s news of Adidas, Ticketmaster or Typeform, the headlines have been littered with stories of yet another company hacked, which is why the United States Court of Appeals for the Fourth Circuit has weighed in on the issue of standing and the definition of the threat of future injury in data breach litigation.
Article III, Section 2, Clause 1 of the U.S. Constitution requires that that plaintiffs suffered an injury and that the injury is fairly traceable to the challenged conduct. The injuries, according to the American Bar Association, must be actual or certainly impending.
In the case of Hutton v. National Board of Examiners in Optometry (NBEO), filed 12 June 2018, “The court held that the plaintiffs satisfied the Article III standing requirement by alleging hackers stole and misused their personally identifiable information (PII), even though no financial loss was incurred.”
Several cases have come before the court, and Beck v. McDonald from 2017 is one of particular importance to the Fourth Circuit's upholding of the Hutton ruling. In Beck, the court ruled that the plaintiffs did not have standing in the alleged “threat of future injury." The court’s position on the 2017 ruling was guided by the fact that laptops that contained personal information were stolen, but the information was not misused.
The difference found by the Fourth Circuit in Hutton is that the plaintiffs “noticed that credit card accounts were fraudulently opened in their names, which required knowledge of their Social Security numbers and dates of birth.” The NBEO never acknowledged a security breach, but the plaintiffs – who had fraudulent credit card accounts opened using their stolen information – made the case that the company was the only commonality among them; thus, their information had not been adequately protected by the NBEO.
While the NBEO filed to dismiss the case, arguing that no actual harm had been inflicted, “The court emphasized, unlike in Beck, plaintiffs were 'concretely injured' as credit card accounts were open without their knowledge or approval, qualifying as misuse, even if fraudulent charges were yet to occur.”
The floodgates for lawsuits have been opened, and it doesn’t appear that the river will dry up any time soon. With more plaintiffs filing claims that they were harmed after their personal information was compromised, the courts are trying to understand and define the actual and potential future harm that can result from unauthorized exposure.
Because of the ambiguity in determining the risk of future harm or the likelihood of misuse of stolen information versus actual harm, the circuit courts have disagreed on the issue of standing with Article III when ruling on data breach cases.
“Federal circuits across the United States are grappling with the issue of what satisfies the Article III standing requirement in data breach litigation, when often only a 'risk of future harm' exists,” wrote the National Law Review.