December 3, 2021

Volume XI, Number 337

Advertisement
Advertisement

December 02, 2021

Subscribe to Latest Legal News and Analysis

December 01, 2021

Subscribe to Latest Legal News and Analysis

November 30, 2021

Subscribe to Latest Legal News and Analysis

Fourth Circuit Weighs in on Standing in Data Breach Litigation

Cybersecurity incidents are on the rise, and so too is data breach litigation brought by plaintiffs who allege they were harmed by the unauthorized exposure of their personal information. Federal circuits across the United States are grappling with the issue of what satisfies the Article III standing requirement in data breach litigation, when often only a “risk of future harm” exists.

The United States Court of Appeals for the Fourth Circuit (“the Fourth Circuit”) is the latest circuit court to weigh in on standing in data breach litigation. In Hutton v. National Board of Examiners in Optometrythe court held that the plaintiffs satisfied the Article III standing requirement by alleging hackers stole and misused their personally identifiable information (PII), even though no financial loss was incurred. Circuit courts have been split on the issue of standing in the data breach context, with some courts finding standing where only a heightened “risk of future harm” exists, i.e. the likelihood that stolen data may be misused (Sixth, Seventh, and Ninth Circuits), while other circuit courts require actual harm such as financial loss (Second, Third, and Eighth Circuits). The Fourth Circuit in Hutton has reached a middle ground finding that actual theft and misuse of the PII satisfied the standing threshold, even though no pecuniary damages resulted.

In Hutton, the plaintiffs, members of the National Board of Examiners in Optometry (NBEO), noticed that credit card accounts were fraudulently opened in their names, which required knowledge of their social security numbers and dates of birth. Although the NBEO never admitted to a security breach, plaintiffs concluded that the NBEO was the only common source to which they had provided their personal information. As a result, plaintiffs filed a lawsuit alleging the NBEO failed to adequately safeguard their personal information.

The NBEO filed a motion to dismiss arguing that although fraudulent credit card accounts were opened, no actual harm had occurred, and thus the plaintiffs lacked Article III standing to sue. The U.S. District Court for the District of Maryland granted the NBEO’s motion, finding, inter alia, that plaintiffs failed to sufficiently allege they had suffered an “injury-in-fact” because they had incurred no fraudulent charges and had not been denied credit or required to pay a higher credit rate as a result of the fraudulent credit card accounts.

The Fourth Circuit, however, reversed the district court’s holding, concluding that credit card fraud and identity theft alone were sufficient to establish Article III standing. The court distinguished Hutton, from their ruling in Beck v. McDonald, in which the court concluded that the plaintiffs lacked standing because they only alleged a “threat of future injury” – laptops and boxes were stolen containing personal information, but that information was not misused. In Hutton, the court emphasized, unlike in Beck, plaintiffs were “concretely injured” as credit card accounts were open without their knowledge or approval, qualifying as misuse, even if fraudulent charges were yet to occur.

The circuit court split on the issue of Article III standing has made it difficult for businesses to assess the likelihood of litigation and its associated costs in the wake of a data breach. Until the Supreme Court weighs in on this issue, it is crucial for businesses to assess their breach readiness and develop an incident or breach response plan that takes into consideration the possibility of litigation.

Jackson Lewis P.C. © 2021National Law Review, Volume VIII, Number 183
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement
Advertisement

About this Author

Principal

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm's Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and...

973- 538-6890
Jason C. Gavejian, Employment Attorney, Jackson Lewis, Principal, Restrictive Covenants Lawyer
Principal

Jason C. Gavejian is a Principal in the Morristown, New Jersey, office of Jackson Lewis P.C. and a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals.

Mr. Gavejian represents management exclusively in all aspects of employment litigation, including restrictive covenants, class-actions, harassment, retaliation, discrimination and wage and hour claims in both federal and state courts. Additionally, Mr. Gavejian regularly appears before administrative agencies,...

(973) 538-6890
Attorney

Maya Atrakchi is the Knowledge Management (“KM”) Attorney for Jackson Lewis P.C.’s Privacy, e-Communication and Data Security and International Employment Issues Practice Groups, and is based in the New York City, New York, office of Jackson Lewis P.C.

212-545-4000
Advertisement
Advertisement
Advertisement