Given the growing frequency and scale of data breaches, most security analysts consider it likely that nearly everyone has had personal information stolen or otherwise compromised at some point. Whether victims can seek redress for the damage a breach causes is far from clear-cut, however.
To date, most data breach litigation has turned on the question of standing: whether victims can show that they have suffered an actual injury, rather than merely having been exposed to the possibility of one. The federal courts of appeals have struggled with this question, producing a circuit split in which different courts have reached conflicting conclusions on similar facts.
Personal Data of Millions of Americans Exposed
There is good reason for a sense of urgency about settling the law, given the staggering number of data breaches. According to one report from Risk Based Security, 6,515 publicly disclosed data breaches in 2018 exposed more than 5 billion records. It appears as though nearly that many records have been exposed already this year in a number of breaches involving health care organizations, state agencies, the Fortnite video game, Facebook, the Federal Emergency Management Agency, Dow Jones, and many others.
In April, a team of Israeli security researchers discovered an unprotected database on a Microsoft cloud server that exposed the personal information of roughly 65% of U.S. households. The 2017 Equifax breach is reported to have exposed the Social Security numbers, credit card numbers, addresses, phone numbers, and tax ID numbers of nearly 55% of adults in the U.S.
The number of laws and regulations designed to protect consumers against such threats has steadily increased. All 50 states, as well as the District of Columbia, Puerto Rico, the Virgin Islands, and Guam, have enacted data breach legislation. These laws typically define what constitutes personally identifiable information and set breach reporting requirements and penalties. No comparable general breach law exists at the federal level, although the Fair Credit Reporting Act (FCRA), as amended, obligates certain financial institutions and creditors to detect, prevent, and mitigate identity theft.
Is There an ‘Injury’?
Nevertheless, the law remains unsettled on whether data breach victims have standing to sue companies that fail to protect their data. In Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992), the Supreme Court set out the three elements required for constitutional (Article III) standing:
- The plaintiff must plead a “concrete and particularized” injury in fact that is “actual or imminent” and not merely “conjectural or hypothetical.”
- The injury must be fairly traceable to the challenged action of the defendant, and not the result of the independent action of some third party.
- It must be likely, not merely speculative, that the injury will be redressed by a decision in favor of the plaintiff.
The Third, Sixth, Seventh, Ninth, and D.C. circuits have concluded that a data breach increases the risk of future harm from identity theft, and that this risk is concrete enough to confer standing. In Dieffenbach v. Barnes & Noble, No. 17-2408 (7th Cir. 2018), the Seventh Circuit went further, holding that allegations sufficient to confer standing also suffice to state a claim for damages.
The First, Second, Fifth, and Eighth circuits have required plaintiffs to allege actual harm in order to satisfy the standing requirement. The Third and Fourth circuits have likewise held, in other cases, that the mere possibility of future injury is not enough to confer standing, while allowing cases to proceed when plaintiffs pled actual harm; the Third Circuit thus appears on both sides of the split.
A circuit split of this kind is one of the main factors the Supreme Court weighs when deciding whether to review a case. To date, however, the Court has declined to take up the question.
Supreme Court’s Failure to Resolve the Circuit Split
In Spokeo, Inc. v. Robins, 578 U.S. ___, 136 S. Ct. 1540 (2016), a case alleging violations of the FCRA, the Supreme Court found that the Ninth Circuit Court of Appeals had not fully analyzed the concreteness requirement for standing. The Court “[took] no position as to whether the Ninth Circuit's ultimate conclusion—that Robins adequately alleged an injury in fact—was correct.” On remand, the Ninth Circuit held that the plaintiff’s allegations that Spokeo had violated the FCRA, 15 U.S.C. § 1681 et seq., described a sufficiently concrete injury to satisfy the standing requirement (Robins v. Spokeo, Inc., No. 11-56843 (9th Cir. 2017)).
The Supreme Court had an opportunity to clarify the matter when the defendant in Attias v. CareFirst, 865 F.3d 620 (D.C. Cir. 2017), another data breach case, filed a petition for a writ of certiorari. The Court denied the petition in February 2018, leaving in place the D.C. Circuit’s holding that the plaintiffs had established constitutional standing. The D.C. Circuit remanded the case to the district court for further proceedings.
The district court’s ruling on remand in Attias, however, creates new uncertainty for plaintiffs. CareFirst moved to dismiss on the grounds that “plaintiffs’ alleged damages remain entirely speculative.” The judge found that while the risk of identity theft was sufficient to establish standing, the complaint did not adequately plead damages under the applicable state law. The plaintiffs have appealed that decision to the D.C. Circuit.
Learn More About the Cybersecurity Legal Field
Given this lack of clarity and the growing economic and societal impact of data breaches, cybersecurity law looks set to be a growing field for some time to come. Concord Law School at Purdue University Global offers an online Executive Juris Doctor program with a law and technology track that provides advanced legal training on cybersecurity issues. Single courses in technology and the law are also available.
If you're interested in gaining a better understanding of cybersecurity law or working in the field of law and technology, explore Concord Law School’s online Executive Juris Doctor degree and our single law and technology courses. You may also request more information today.