The nature of any injury suffered by individuals from a cyber incident continues to be a major issue in data breach litigation. As we have previously discussed, the Supreme Court has thus far declined to address the issue of Article III standing in the data breach context, resulting in an ongoing circuit split on whether data theft is by itself sufficient to satisfy Article III’s injury requirements.[1] Two federal Courts of Appeals recently grappled with injury requirements in the data breach context.
The Fourth Circuit’s Decision in NBEO
On June 12, 2018, the Fourth Circuit vacated a district court’s dismissal and held that plaintiffs possessed Article III standing because they suffered actual harm when credit card accounts were opened using their personal information.[2] In that case, a putative class of optometrists sued the National Board of Examiners in Optometry, Inc. (“NBEO”) for its failure to adequately safeguard their personal information after the NBEO suffered a data breach. The district court had dismissed the complaints based on lack of Article III standing, but the Fourth Circuit vacated the judgment, finding plaintiffs had adequately pleaded injury-in-fact that was sufficiently traceable to the NBEO.
Specifically, the Fourth Circuit held that while a “mere compromise of personal information, without more, fails to satisfy the injury-in-fact element,” plaintiffs had sufficiently alleged actual harm because their data had been accessed and used to open credit card accounts without their knowledge or approval. In addition, plaintiffs incurred out-of-pocket costs when purchasing credit monitoring services and lost the value of their time in seeking to notify credit reporting agencies and the IRS of the data breach. The Fourth Circuit observed that, although costs for mitigating measures to safeguard against future identity theft do not normally constitute injury-in-fact, the Supreme Court has recognized an injury from such costs when a substantial risk of harm actually exists.[3] The Fourth Circuit further held that the injury was traceable to NBEO because amongst the group of optometrists, NBEO was the only common source that collected and continued to store social security numbers that were required to open credit card accounts and it had also stored outdated personal information during the relevant time periods.
The Eighth Circuit’s Decision in Target
On June 13, 2018, the Eighth Circuit affirmed certification of a settlement class in the Target data breach litigation, finding that there was no intraclass conflict between class members who suffered verifiable losses from the breach and those who did not.[4] The district court had certified a class for settlement purposes of persons whose credit or debit card information and/or whose personal information was compromised as a result of the data breach that was first disclosed by Target on December 19, 2013. Under the agreement, Target agreed to pay $10 million to settle the claims of all class members. For class members with documented proof of loss, the agreement called for full compensation of their actual losses up to $10,000 per claimant. For class members with undocumented losses (i.e., who did not submit claims for reimbursement), the agreement directed a pro rata distribution of the amounts remaining after payments to documented-loss claimants. In addition, Target agreed to implement a number of data-security measures and to pay all class notice and administrative expenses. Two class members objected to the settlement, relying on the Supreme Court’s decisions in Ortiz and Amchem to argue that there was an intraclass conflict between class members who suffered verifiable losses from the data breach and those who did not, and that each subgroup necessitated separate legal counsel.[5]
The Eighth Circuit rejected the objection and affirmed certification of the settlement class, holding that there was no fundamental conflict requiring separate representation. The court held that, unlike Ortiz and Amchem where the asbestos-related injuries were extraordinarily various, here all class members suffered the same injury, i.e., compromise of their personal and financial information from the data breach. Class representatives included plaintiffs who submitted claims for monetary damages and identified losses incurred in the data breach and plaintiffs who did not submit such claims but faced future risk of harm. Moreover, both groups faced the same possibility of unknown future harm; for example, it was equally likely that a line of credit would be opened using personal information from a class member with documented losses as it would from a class member with no documented losses. The court also emphasized that the value of the injunctive relief was offered to both groups under the settlement so that no class member released claims without consideration.
Conclusion
The recent decisions by the Fourth and Eighth Circuits were in line with prior precedent in the data breach context, given that at least some, if not all, plaintiffs in both cases suffered verifiable losses that were more than mere allegations of data theft. However, the cases highlight the fact that the injury suffered by individuals following a data breach—or lack thereof—continues to be perhaps the most prominent issue in such litigation. This makes it all the more important that companies that suffer cyber incidents consider the steps that they can take to investigate (in a privileged manner) whether any injury has occurred and appropriately document any findings, including in anticipation of any resulting litigation.
[1] See Beck v. McDonald, 848 F.3d 262, 268 (4th Cir. 2017), cert. denied sub nom. Beck v. Shulkin, No. 16-1328, 2017 WL 1740442 (U.S. June 26, 2017); In re SuperValu, Inc., 870 F.3d 763 (8th Cir. 2017).
[2] Hutton v. Nat’l Bd. of Exam’rs in Optometry, Inc.,—F.3d—, 2018 WL 2927626 (4th Cir. June 12, 2018).
[3] See Clapper v. Amnesty Int’l USA, 568 U.S. 398 (2013).
[4] In re Target Corp. Customer Data Sec. Breach Litig.,—F.3d—, 2018 WL 2945973 (8th Cir. June 13, 2018).
[5] See Ortiz v. Fibreboard Corp., 527 U.S. 815 (1999); Amchem v. Windsor, 521 U.S. 591 (1997).