A (very) quick look at standing in data-breach cases

I got curious and pulled up a bunch of cases to look at when plaintiffs have Article III standing to sue based on a data breach that has exposed personal information. Note: this was not an exhaustive search, and this is not an extensive analysis. But here’s what I found.

In 2007, the Seventh Circuit held that “a threat of future harm” was enough to confer standing to sue, for customers whose data had been accessed through a data breach—even if there was not yet any evidence that the data had been misused to cause actual harm. Pisciotta v. Old Nat. Bancorp., 499 F.3d 629, 634 (7th Cir. 2007). The First and Ninth Circuits eventually agreed. See Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010) (finding standing from increased risk of harm following theft of laptop containing plaintiffs’ personal data); Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir. 2011) (finding standing from data breach that exposed plaintffs’ payment data). And in 2012, the First Circuit distinguished between (a) cases where plaintiffs alleged an increased risk of harm because their data had actually been accessed by a third party and (b) cases where plaintiffs alleged only an “increased risk that someone might access [their] data.” According to the First Circuit, plaintiffs might have standing to sue in the former cases, but not in the latter. Katz v. Pershing LLC, 672 F.3d 64, 80 (1st Cir. 2012).

In short, these cases developed a rule that plaintiffs could sue over a data breach if there were sufficient allegations or evidence that a third party had accessed (or acquired) the plaintiffs’ personal data—even if there was not yet evidence of any misuse of that data. But the Third Circuit complicated this rule when it held that the increased risk of identity theft, alone, was not enough to confer standing—even if there was evidence that a third party had accessed (or acquired) personal data. Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011) (rejecting the “skimpy rationale” of Pisciotta and Krottner).

Since then, standing has continued to be a central—and controversial—issue in data-breach cases. See, e.g., Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012) (finding standing); Kerin v. Titeflex Corp., 770 F.3d 978 (1st Cir. 2014) (finding no standing); Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015) (finding standing); Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016) (finding standing); Galaria v. Nationwide Mut. Ins. Co., 663 F.App’x 384 (6th Cir. 2016) (finding standing); In re Horizon Healthcare Servs. Inc. v. Data Breach Litig., 846 F.3d 625 (3d Cir. 2017) (finding standing). From the cases cited here, it would appear the circuit courts have found standing more often than not.

But this could be changing. The Pisciotta-Krottner rule—which provided standing based on the “threat of future harm” that arises from third-party access to personal data—was called into question by Reilly, and has now been called further into question by the Supreme Court’s decision in Spokeo, Inc. v. Robins, — U.S. —, 136 S.Ct. 1540 (2016). Spokeo was not a data-breach case, but arguably it raised the bar for standing, in part by emphasizing the requirement that a plaintiff must have suffered “an injury in fact” to have standing to sue. Id. at 1547. In the wake of Spokeo, it’s possible that the “threat of future harm” that arises from third-party access to (or acquisition of) personal data is no longer enough to confer standing in data-breach cases. See Beck v. McDonald, 848 F.3d 262, 271–278 (4th Cir. 2017) (citing Spokeo, then examining possibility of standing based on risk of future harm and finding no standing).

On the other hand, maybe the threat of future harm is still enough. See Attias v. Carefirst, Inc., — F.3d —, 2017 WL 3254941, at *3–7 (D.C. Cir. Aug. 1, 2017) (citing Spokeo, then examining possibility of standing based on risk of future harm and finding standing).

Obviously, this remains a complicated issue. And because the standing inquiry focuses on the precise allegations and evidence of injury in the case at hand, Beck and Attias do not necessarily represent a post-Spokeo circuit split. (I need to look at these two decisions more closely before I can say more about them.)

A few quick, rudimentary takeaways: (1) defendants wishing to challenge standing in data-breach cases might start by looking at Reilly, Spokeo, and Beck; (2) before Spokeo, the Seventh Circuit seems to have been the most willing to find standing for plaintiffs in data-breach cases, so plaintiffs might be safest in that circuit; and (3) because the precise requirements for standing in data-breach cases remain unclear, both sides should always be prepared to address the issue.

UPDATE: Apparently there’s at least one party in at least one case that agrees with me that there is not necessarily a circuit split over standing in data-breach cases. In essence, the party (trying to avoid cert at SCOTUS) argues that any perceived split is illusory because every prior decision is fact-specific. See here.