No Harm, No Foul: The Fourth Circuit Struggles with the "Injury-in-Fact
Brandon Ferrick, No Harm, No Foul: Th e Fourth Circuit Struggles with the "Injury-in-Fact" Requirement to Article III Standing in Data
Breach Class Actions
No Harm, No Foul: The F ourth Circuit Struggles with the "Injur y-in-Fact" Requirement to Article III Standing in Data Breach Class Actions
Brandon Ferrick 0 1
0 Thi s Comments is brought to you for free and open access by the Law Journals at Digital Commons @ Boston College Law School. It has been accepted for inclusion in Boston College Law Review by an authorized editor of Digital Commons @ Boston College Law School. For more information , please contact
1 Boston College Law School
Follow this and additional works at: http://lawdigitalcommons.bc.edu/bclr Part of the Computer Law Commons, Consumer Protection Law Commons, and the Privacy Law Commons Recommended Citation
1 Robert D. Fram et al.,Standing in Data Breach Cases: A Review of Recent Trends, 16 CLASS
ACTION LITIG. REP. (BNA) 1054, 1055 (Sept. 25, 2017). “A data breach is a confirmed incident in
which sensitive, confidential or otherwise protected data has been accessed and/or disclosed in an
unauthorized fashion.” Margaret RouseD,ata Breach, TECHTARGET (Dec. 2017), http://search
security.techtarget.com/definition/data-breach [https://perma.cc/VC8W-FEVA]; see also William
Roberds & Stacey L. Schreft,Data Breaches and Identity Theft, 56 J. MONETARY ECON. 918, 919–
20 (2009) (describing the prevalence of data breaches). Data breaches may involve the theft
poefrsonal health information, personally identifiable information, trade secrets, or intellectual property.
See Fram et al., supra at 1055 (discussing lawsuits following “hacking, poin-otf-sale attacks, [and]
hardware theft”). Irrespective of how much monye companies spend on cybersecurity defense, data
breaches continue to occur and millions of individuals have their personal information stolen, ees-p
cially in the cybersecurity context.See Selena Larson, Why Hacks Like Equifax Will Keep
Happening, CNN TECH (Sept. 29,
2017),http://money.cnn.com/2017/09/29/technology/business/equifaxhack-2017-cyberattacks/index.html [https://perma.cc/Q3W3-3B9Q] (discussing the recent Equifax
hack and other targeted data breaches, noting that, in the first half of 2017 alo,n“ealmost 2 billion
records were lost or stolen globally”); Michael Riley et al.T,he Equifax Hack Has the Hallmarks of
State-Sponsored Pros, BLOOMBERG BUSINESSWEEK (Sept. 29, 2017), https://www.bloomberg.com/
perma.cc/7TCC-TVRG] (discussing the recent Equifax hack of 143 million customers’ personal
information). Data breaches are particularly frustrating for victims because they often cannot find the
perpetrator who actually stole their information.See Riley et al., supra (commenting on how victims
where a plaintiff alleges actual financial harm or misuseof personal
information.2 Courts struggle to find standing, however, where a plaintiff merely
alleges an increased risk of future harm as a result of a data breac3hT.hat
struggle is disconcerting to victims because an increased risk of future
identity theft is the most commonly alleged injuriyn lawsuits following data
breaches.4 This Comment discussesthe current split among the circuits
don’t know who stole their personal information). Victims of data breaches are left in a constant state
of anxiety that their personal information will be manipulated and fraudulently used against them.Id.
Thus, potential plaintiffs have no recourse but to sue the companies that they trusted with theirr-pe
sonal information. See Nick Beatty, Note, Standing Room Only: Solving the Injury-in-Fact Problem
for Data Breach Plaintiffs, 2016 BYU L. REV. 1289, 1290 (discussing the typical data breach class
action, in which plaintiffs sue their onc-etrusted companies for “negligence in protecting [their]i-f
nancial information”); see, e.g., Beck v. McDonald, 848 F.3d 262, 267 (4th Cir. 2017) (detailing
plaintiffs’ suit against a hospital for failure to take adequate precautions to keep their personal
information secure in wake of data breach).Being forced to sue a once-trusted company is potentially the
most frustrating part ofa data breach for victims because there often was an expectation that the
defendant companies would keep that personal information safe and secureS.ee Pat Regnier &
Suzanne Woolley, Thank You for Calling Equifax. Your Business Is Not Important to Us, BLOOMBERG
BUSINESSWEEK (Sept. 14, 2017),
https://www.bloomberg.com/news/features/2017-09-14/thank-youfor-calling-equifax-your-business-is-not-important-to-us [https://perma.cc/5UZ7-LC7C] (discussing
the inherent anxiety victims of data breaches face, commenting, “you shouldn’t need to do a damn
thing to keep your credit information safe”). Data breaches can also arise even where individuals did
not voluntarily enter into a relationship with the hacked company, thus causing furtherheadaches for
data breach victims. See id. (discussing the frustration surrounding the 2017 Equifax, Inc. hack,
noting “what makes the situation especially awful is that you never had much choice about entering into
a relationship with Equifax”).
2 WHAT’S “NEW” IN CYBERSECURITY (2017): LITIGATION AND ENFORCEMENT ACTIONS,
CU*ANSWERS, 18–20 (May 24, 2017), http://nascus.org/Cyber17/handouts/Sickels%20pt2%20whats
%20new.pdf [https://perma.cc/3C24-Z4VX] [hereinafter WHAT’S “NEW” IN CYBERSECURITY];
Fram et al., supra note 1, at 1055;J. Thomas Richie, Data Breach Class Actions, A.B.A. BUS.
LITIG. COMMITTEE NEWSL., Winter 2015, at 1, 10–11; see, e.g., In re Target Corp. Customer Sec.
Breach Litig., 66 F.Supp. 3d 1154, 1159 (D. Minn. 2014) (finding standing “sufficienat [the]
pleading stage” where customers whose credit card information was stolen alleged unlawful
charges, inability to pay bills, and new, unauthorized credit card fees); Tierney v. Advocate Health
& Hosps. Corp., No. 13 CV 6237,2014 WL 5783333, at *2(N.D. Ill. Sept. 4, 2014) (finding
standing for named plaintiffs who alleged fraudulent account activity, but concluding the majority
of plaintiffs did not have standing where they only alleged an increased risk of identity theft),aff’d
on other grounds, 797 F.3d 449 (7th Cir. 2015).
3 See Megan Dowty, Life Is Short. Go to Court: Establishing Article III Standing in Data
Breach Cases, 90 S. CAL. L. REV. 683, 686, 688 (2017) (noting that “courts’ rulings vary the
most” in the injury-in-fact context for data breach class actions, and that plaintiffs mainly try to
“allege injury through increased risk of identity theft or fraud . . .”); Fram et al., supra note 1, at
1057 (discussing the differences in precedent among federal courts).
4 Fram et al., supra note 1, at 1057; see, e.g., Attias v. Carefirst, Inc., 865 F.3d 620, 623 (D.C.
Cir. 2017) (finding standing where plaintiffs alleged increased risk of injury following cyber
hack); Beck, 848 F.3d at 267–68, 275 (declining to find standing where plaintiffs alleged increased
risk of identity theft following theft of a laptop and pathology reports from hospital); Galaria v.
Nationwide Mut. Ins. Co., 663 F. Apxp’384, 388–89 (6th Cir. 2016) (finding standing where
plaintiffs alleged increased risk of identitytheft following hack on Nationwide’s computer
network); Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963, 965, 967 (7th Cir. 2016) (finding
standing where plaintiffs alleged increased risk of identity theft following hack of credit cardn-i
concerning potential-future-injury theories of standing and further details
the current lack of certainty regarding what constitutes injury-in-fact.5 Part I
of this Comment discusses the background of standing in federal courts, the
reasoning applied to standing considerations by other courts in data breach
class action suits, and the procedural history of the recent Fourth Circuit
case, Beck v. McDonald.6 Part II analyzes the Fourth Circuit’s discussion
and ruling in Beck.7 Part III explains that, in the midst of thecurrent circuit
split, plaintiffs are left uncertain regarding how toadequately plead
injuryin-fact in data breach class actions.8
I. FACTUAL AND LEGAL BACKGROUND OF BECK V. MCDONALD
In federal court, before plaintiffscan proceed to argue the merits of
their cases, they must first prove they havea cognizable stake in the
litigation: this is considered havingstanding.9 To sufficiently prove that a
planitiff has standing, that plaintiff must demonstrate that they have suffered an
injury.10 In the data breach context,there is currently no consensus
regarding whether merely having personal information stolen by a third party and,
as a result, being at an increased risk of identity theft, is sufficient to
establish standing.11 Some courts have ruled that an increased risk of identity
theft, alone, is asufficient injury to conefr standing.12Other courts have
been reluctant to take that position andinstead require some evidence—
beyond the mere occurrence of a data breac—h that financial harm is
certainly impending to recognize a plaintiff’s standing.13 Section A of this Part
provides a brief introduction to federal standing and an overview of circuit
courts’ struggle for homogeneity in data breach class action14s.Section B
discusses the procedural history ofBeck, a recent Fourth Circuit casen-i
volving allegations of violations of the Privacy Act and theAdministrative
Procedure Act (“APA ”) resulting from two data breaches.15
A. Legal Background
Federal courts have the constitutional authority to exercise thejudicial
power of the United State.s16 Courts are limited to hearing only caess and
controversies in the exercise that power in an effort to maintain a balance of
power between the branches of government.17 In order for a matter to meet
the cases or controversies requirement, plaintiffs “must establish that they
have standing to sue.”18
Standing is a threshold requirement that determines whether a court is
entitled to decide the merits of a dispute.19 Standing ensures that the federal
courts do not overstep their proper judicial authority and waset judicial
resources by hearing frivolous claims, but rathefrocus on resolving actual
disputes between adversaries2.0 Relaxing the standing requirement would
inappropriately expand judicial power.21 Thus, a federal court’s inquiry into
standing must be laborious and thoroughin every case in order to keep the
courts within the bounds of its judicial role.22
The Supreme Court has declared three “irreducible constitutional
mniim[a]” that plaintiffs must allege to establish standi:n“g(1) an
injuryi-nfact, (2) that is fairly traceable to the chalelnged conduct of the defendant,
and (3) that is likely to be redressed by a favorable judicial decision2.”3 To
establish injury-in-fact, a plaintiff must demonstrate that he or she suffered
an “actual or imminent” harm that is “concrete and particularized.”24
In 2013, in Clapper v. Amnesty International USA, the Supreme Court
set forth the current understanding of the actua-lor-imminent component of
injury-in-fact.25 In Clapper, the plaintiffs challenged the Foreign Init-ell
gence Surveillance Act (“FISA”) because they were concerned their clien-t
communications were being unlawfully intercepted and surveilled by the
21 Lujan, 504 U.S. at 559–60. The concept of standing is founded on the bedrock principle of
separation of powers. See Spokeo, 136 S. Ct. at 1547 (“[Standing] developed in our case law to
ensure that federal courts do not exceed their authority as it has been traditionally understood.”).
22 Spokeo, Inc., 136 S. Ct. at 1547 (citing Warth, 422 U.S. at 498); see Jerett Yan, Standing as
a Limitation on Judicial Review of Agency Action, 39 ECOLOGY L.Q. 593, 596 (2012) (explaining
that one of the functionsof Article III standing is to maintain a separation of powers, noting that,
by “limiting the power of the judiciary .. . decisions are made by the accountable political
branches rather than the unaccountable judiciary”). A rigorous standing inquiry ensures that the judiciary
does not step into the realm of policymaking and maintains adjudicative authority over violations
of rights. Id. at 596–97.
23 Spokeo, Inc., 136 S. Ct. at 1547 (citingLujan, 504 U.S. at 560); see also Summers v. Earth
Island Inst., 555 U.S. 488, 493 (2009) (stating, plaintiff “bears the burden of showing that [they
have] standing”); Fair Elections Ohio v. Husted, 770 F.3d 456, 459 (6th Cir. 2014) (“Each element
of standing ‘must be supported in the same way as any other matter on whhicthe plaintiff bears
the burden of proof, i.e., with the manner and degree of evidence required at successive stages of
the litigation.’”). The requirements for standing do not change when plaintiffs bring class actions
as opposed to individual action.sIn re Horizon Healthcare Servs. Inc. Data Breach Litig., 846
F.3d 625, 634 (3d Cir. 2017); see Lewis v. Casey, 518 U.S. 343, 357 (1996) (“[N]amed plaintiffs
who represent a class ‘must allege and show that they personally have been injured, not that injury
has been suffered by other, unidentified members of the class to which they belong and which
they purport to represen.t’”); O’Shea v. Littleton, 414 U.S. 488, 494 (1974) (“[I]f none of the
named plaintiffs purporting to represent a class establishes the requisite of a case or controversy
with the defendants, none may seek relief on behalf of himself or any other member of the
class.”); see also Neale v. Volvo Cars of N. Am., LLC, 794 F.3d 353, 362 (3d Cir. 2015) [(“T]he
‘cases or controversies’ requirement is satisfied so long as a class representative has standing,
whether in the context of a settlement or litigation class.”).
24 Spokeo, 136 S. Ct. at 1547 (quoting Lujan, 504 U.S. at 560). This requirement ensures that
a plaintiff has “a personal stake” inthe litigation, and it aims to ensure that the plaintiff bringing
the suit is the proper representative of the grievanceA.ttias, 865 F.3d at 626. Courts consistently
find that actual identity theft amounts to a “concrete and particularized injuryI.d”. at 627. The
issue that courts are split over, at least at the pleading stage, is whether allegations of a future risk
of identity theft can confer standing. See id.
25 Clapper, 568 U.S. at 409.
government.26 The Supreme Court decided that theplaintiffs did not have
standing to challenge FISA because they could not establish that their
communications with their clients were intercepted or that interception by
the government was imminent.27
The Court acknowledged that the threat of injuries can satisfy Article
III’s standing requirement so long as the threat is imminent, not
merelypossible, or objectively reasonable.28 The Court maintained that a threatened or
future injury satisfied the imminence requirement if it is “certainly
impedning.”29 The Court was careful to point out that “certainly”would not require
absolute certainty, and that standing could also be established by showing that
a plaintiff reasonably incurred costs to mitigate or avoid a substantial risk of
harm.30 Consequently, speculative injurie—sinjuries that require courts to
connect chains of events together to reac—hare insufficient to confer
stand26 Id. at 406–07. FISA is a United States federal law that provides the guidelines and preo-c
dures for the surveillance of foreign intelligence. 50 U.S.C.A. §§ 1881, 1881(a)–(g) (West 2018).
27 Clapper, 568 U.S. at 410–11. The plaintiffs only alleged that they suspected that suchn-i
terceptions might have occurred but could not establish that they had in fact happened or were
sufficiently likely to happen in the future.Id. The Supreme Court found that plaintiffs could not
prove that they had any actual knowledge of the government’susrveillance practices. Id. Rather,
the plaintiffs merely surmised about the intentions and plans of the governmentot intercept their
clients’ communications. Id.
28 Id. at 409. Indeed, the Court recently reaffirmed that “the real risk of harm [can] sayti”sf
Article III’s standing requirement.s Spokeo, 136 S. Ct. at 1549(citing Clapper, 568 U.S. 398).
Scholars have also pointed out that the Court has not been clear as to whether imminence refers to
a time-based concept, a “probabilistic concept,” or both.See Evan Tsen Lee & Josephine Mason
Ellis, The Standing Doctrine’s Dirty Little Secre,t 107 NW. U. L. REV. 169, 179–80 (2012)
(discussing the Supreme Court’s lack of clarity in applying the imminence element of injur-yin-fact);
see also, e.g., Lujan, 504 U.S. at 563, 564 (finding lack of imminence where the Court’s concern
appeared to be that the injury was not precipitating immediately); Los Angeles v. Lyons, 461 U.S.
95, 102 (1983) (finding lack of imminence where injury was too “conjectural,” implying that the
probability of the occurrence of harm was insufficient).
29 Clapper, 568 U.S. at 409.
30 Id. at 414 n.5 (“Our cases do not uniformly require plaintiffs to demonstrate that it is
literally certain that the harms they identify will come about. In someinstances, we have found standing
based on a ‘substantial risk’ that the harm will occur, which may prompt plaintiffs to reasonably
incur costs to mitigate or avoid that harm.”) (citing Monsanto Co. v. Geertson Seed Farms, 561
U.S. 139, 152–54 (2010)). There is debate amongst scholars as to whether there truly exists a
“substantial harm” test, or whether it was merely included inClapper as a way to secureJustice
Kennedy’s vote for the majority. Nicholas Green, Standing in the Future: The Case for a
Substantial Risk Theory of “Injury in Fact” in Consumer Data Breach Class Actions, B58.C. L. REV.
287, 302 (2017). The Supreme Court inSpokeo acknowledged that Clapper permits a substantial
risk theory of injury, but some circuit courts are still reluctant to apply anything other than the
certainly impending standard. Compare Spokeo, 136 S. Ct. at 1549 (acknowledging the viability
of a substantial risk theory of injuryni fact), with Blum v. Holder, 744 F.3d 790, 797 (1st Cir.
2014) (applying Clapper’s certainly impending standard, discussing the ambiguity in Clapper). To
the extent the standard exists, theBeck court decided to apply it and determined that the plaintiffs
could not establish standing to sue. See Beck, 848 F.3d at 275. The Supreme Court has since
clarified, in Susan B. Anthony List v. Driehau,s that a plaintiff can establish standing by satisfying
either the “certainly impending” test or the “substantial risk” test. 134 S. Ct. 2334, 2341 (2014).
ing.31 The Court refused to find standing based on speculation about the
decisions of third parties, and found the plaintiffs’ alleged injury too abstract to be
In data breach cases, the injury-in-fact element is often the most
contentious.33 In that context, courts struggle to answer whether identity theft is
certainly impending following a data breac3h4 . Most district courts have
held that identity theft is not certainly impendingafter a data breach absent
facts beyond the mere occurrence otfhe breach.35 Several circuit courts
have held the same.36 Recently, however, a few circuit courts have found
31 See Whitmore v. Arkansas, 495 U.S. 149, 158 (1990) (finding that “allegations of possible
future injury do not satisfy the requirements of Art. II”I and that only “certainly impending”
injuries “constitute injury-in-fact”); see also Clapper, 568 U.S. at 410 (finding plaintiffs theory of
future injury too speculative to confer standing).
32 Clapper, 568 U.S. at 414.
33 See Beatty, supra note 1, at 1296 (noting the problems data breach plaintiffs face in trying
to plead injury-in-fact, describing courts’ hesitations to find injur-yin-fact where plaintiffs fail to
allege any economic loss);see also Spokeo, 136 S. Ct. at 1547 (citing, Steel Co. v. Citizens for
Better Env’t, 523 U.S. 83, 103 (1998) (noting that the injur-yin-fact component is the “[f]irst and
foremost” element of standing).
34 Green, supra note 30, at 315 (noting a diverging view onClapper’s standing requirements
in the federal circuits); Richie,supra note 2, at 10 (examiningClapper’s effect on data rbeach
litigation, noting that both before and afterClapper, courts split on finding standing for increased
risk of future identity theft). In the class action context, the standing requirements are the same as
they are for individual plaintiffs.See In re Horizon 846 F.3d at 634 (‘“[N]amed plaintiffs who
represent a class must allege and show that theypersonally have been injured, not that injury has
been suffered by other, unidentified members of the class to which they belong and which they
purport to represent.’”) (citing Lewis, 518 U.S. at 357).
35 Fram et al., supra note 1, at 1057;see, e.g., In re Zappos.com, Inc., 108 F. Supp. 3d 949,
958 (D. Nev. 2015) (holding plaintiffs’ alleged risk of identity theft not sufficiently impending
where plaintiffs failed to allege any “irregularity whatsoever” concerning their personal
information); Storm v. Paytime, Inc., 90 F. Supp. 3d 359, 366 (M.D. Pa. 2015) (finding lack of
cognizable injury where class action plaintiffs failed to allege actual identity thneoft,ing “[t]heir
credit information and bank accounts [looked] the sam. e. a.s they did prior to [the] data
breach”); In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig,.45 F. Supp.
3d 14, 26 (D.D.C 2014) (holding that only plaintiffs who alleged actual or attempted misuse of
personal data had standing).
36 See, e.g., In re Horizon, 846 F.3d at 639 & n.19 (finding that the plaintiffs alleged a
“material risk of harm” where two unencrypted laptops were stolen containing “highly personal”
information, where it appeared the laptops were targeted for the personal information contained on
them, and at least one named plaintiff alleged he had already been a victim of identity theft as a
result of the breach); Resnick v. AvMed, Inc., 693 F.3d 1317, 1323& n.1 (11th Cir. 2012)
(finding that the plaintiff health care members’ increased risk of future identity thefwtas sufficient to
confer standing in case of first impression where plaintiffhsad alleged actual identity theft, but
court refusing to address whether “speculative identity theft” would be sufficient to confer
standing); Katz v. Pershing, LLC, 672 F.3d 64, 80 (1st Cir. 2012) (refusing to find standing where
plaintiff failed to identify “any incident in which her data has everbeen accessed by an
unauthorized person,” noting that, in cases where circuits that have found standing, plaintiffs all alleged
standing based solely on the increased risk of identity theft, without
allegations of actual or attempted misuse of information.37
The First and Third Circuits have declined to find standing based onan
increased risk of identity theftabsent corresponding allegations of actual or
attempted access or misuse of personal informatio3n8.The Sixth, Seventh,
Ninth, and D.C. Circuits, however, have recognizedstanding based solely on
an increased risk of future identity theft.39 Most of the cases where the Sixth,
Seventh, Ninth, and D.C. Circuits found standing involvedconduct
deliberately targeting personal information or attempts to use thaintformation for
nefarious purposes.40 Moreover, at least one casein both the Seventh and
37 See, e.g., Attias, 865 F.3d at 620, 629 (finding standing based on the increased risk of
identity theft following a data breach, holding, “[a] substantial risk of harm exists already, simply by
virtue of the hack and the nature of the data that the plaintiffs allege was taken”).
38 See In re Horizon, 846 F.3d at 639& n.19 (finding that the plaintiffs alleged a m“ aterial
risk of harm” where two unencrypted laptops were stolen containing “highly personal”
information, where it appeared the laptops were targeted for the personal information contained on
them, and at least one named plaintiff alleged he had already been a victim of identity theft as a
result of the breach); Katz, 672 F.3d at 80 (refusing to find standing where plaintiff failed to
identify “any incident in which her data has ever been accessed by an unauthorized person,” noting
that, in cases where circuits that have found standing, plaintiffs all alleged actual misuse); Reilly
v. Ceridian Corp., 664 F.3d 38, 44 (3d Cir. 2011) (finding a failure to allege inju-riyn-fact where
“appellants have alleged no misuse, and therefore, no injury,” noting that “niodentifiable taking
occurred; all that is known is that a firewall was penetrate[d,]” and that there was “no evidence”
that the hack was “intentional or malicious”)s;ee also Beatty, supra note 1 (discussing that, in
order to find standing, courts require that plaintiffs show more than merely that their data had been
stolen, and must bring forth allegations and evidence of misuse, and economic damages).
39 See Attias, 865 F.3d at 629 (recognizing and applying the substantia-lrisk standard to find
that the plaintiffs met their burden, noting “a substantial risk of harm exists already, simply by
virtue of the hack and the nature of the data that the plaintiffs allege was takenP”).;F. Chang’s
China Bistro, Inc,. 819 F.3d at 967 (recognizing the imminence of future identity theft where
customers’ credit card data was stolen from restaurant in a hackG); alaria, 663 F. App’x at 388
(“Where a data breach targets personal information, a reasonable inference can be drawn that the
hackers will use the victims’ data for the fraudulent purposes alleged in[the p]laintiffs’ complaint
. . . . Thus, although it might not be ‘literally certain’ that [p]laintiffs data will be misused, there is
a sufficiently substantial risk of harm that incurring mitigation costs is reasonable.”); Remijas, 794
F.3d at 692, 693–94 (recognizing and applying both the certain-liympending standard and the
substantial-risk standard to find plaintiffs met their burden where hackers attacked Neiman Mr-a
cus with malware to steal credit card numbers, because “[p]resumably, the purpose of the hack is,
sooner or later, to make fraudulent charges or assume those customers’ identities”K);rottner v.
Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010)(noting that the plaintiff
employees’nicreased risk of future identity theft theory was a “credible threat of harm” for Article III purposes
after the theft of a laptop containing unencrypted names, addresses, and social security numbers of
97,000 employees); Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 632, 634 (7th Cir. 2007)
(banking services applicants’ increased risk of harm theory satisfied standing requirements aftero-“s
phisticated, intentional and malicious” security breach of bank website compromised their
40 See Galaria, 663 F.App’x at 388 (finding implicitly that the data breach was targeted at
personal information); Remijas, 794 F.3d at 693–94 (finding that hackers targeted Neiman Marcus
with malicious software); Krottner, 628 F.3d at 1142 (finding it sufficient to confer standing that a
Ninth Circuits involved at least one allegation of misuse or access of personal
information by the thief.41
B. Factual Background
In Beck v. McDonald, two data breaches at the William Jennings Bryan
Dorn Veterans Affairs Medical Center (“Dorn VAMC”) in Columbia, South
Carolina compromised the personal information of approximately 9,400
veterans.42 Following the breaches, two classes of plaintiffs brought suits
against Dorn VAMC officials, and the Secretary of Veteran Affairs for
violations of the Privacy Act and the APA, and various common law claims4.3 In
both cases, the plaintiffs sought to establish standingby contending that
they suffered harm from the increased risk of, and cost required to prevent,
future identity theft.44 The United States District Court for the District of
South Carolina dismissed both actions for lack of subje-mctatter
jurisdiction, holding that the plaintiffs had failed to allege a non-speculative,
imminent injury-in-fact for purposes of Article III standing.45
The first breach involved the misplacement or theft of a laptop in
February 2013.46 The laptop held the unprotected private information
ofroughly 7,400 patients.47 Following the loss of the laptop, Dorn VAMC offered all
the potential victims one year of free credit monitoring.48 At the time of the
court’s decision in Beck, the laptop had not been recovered.49
thief targeted a laptop containing encrypted personal informationP)i;sciotta, 499 F.3d at 632
(finding hackers acted “intentional[ly]” and “malicious[ly]”).
41 See Remijas, 794 F.3d at 693–94 (noting that the plaintiffs are “careful to say that only
9.200 [credit] cards have experiences fraudulent charges so far”); Krottner, 628 F.3d at 1142
(noting that one plaintiffs alleged actual misuse of personal information). The court, in support of its
reasoning, distinguished Remijas and other data breach cases from Clapper, finding that, unlike
the plaintiffs in Clapper, the data breach victims did not have to “speculate as to whether [their]
information ha[d] been stolen and what information was taken,” the plaintiffs were already
experiencing fraudulent charges on their credit cards and subsequently alleged that more were yet to
come. Remijas, 794 F.3d at 693. In contrast, thCelapper plaintiffs could only speculate as to
whether their communications would be acquired. Clapper, 568 U.S. at 411; Remijas, 794 F.3d at
42 Beck, 848 F.3d at 266. The breaches affected approximately 7,400 veterans in the first
breach and approximately 2,000 in the second. Id.
43 Id. at 266–67. This Comment does not discuss the APA or common law claimsS. ee infra
notes 44–110 and accompanying text.
44 Beck, 848 F.3d at 267, 268.
45 Id. at 268–69.
46 Id. at 267. Although an internal investigation by Dorn VAMC determined the laptop was
likely stolen, the court declined to make a finding on that issue. Id. at 275.
47 Id. at 275.
48 Id. In addition, Dorn VAMC conducted an internal investigation of the theft, concluding
that the laptop was likely to have been stolen and that the Dorn VAMC failed to follow its own
policies for securing patient information on laptops. Id.
The second breach was uncovered in July, 2014 whenDorn VAMC
discovered that four boxes of pathology reportshad been misplaced or
taken.50 The boxes contained the information of roughly 2,000 patients,
including their names, social security numbers, and medical histoires.51 Just as it
had after the first breach, Dorn VAMC offered one year of free credit
monitoring to all potential victims.52 Similarly, at the time of theBeck decision,
the boxes had not been found.53
Following the first breach, named plaintiffs Richard Beck
Lakreshia Jeffrey (the “Beckplaintiffs”) sued on behalf of a putative class
of roughly 7,400 victims whose information was contained on the laptop5.4
The Beck plaintiffs sought declaratory relief and monetary damages under
the Privacy Act, alleging that the defendants’ failures wasted their time and
money, embarrassed them, and increased their risk of identity the5f5t.The
Beck plaintiffs also sought an injunction under the APA ordering the VA to
secure, and thne destroy, the poorly kept records remainingn iDorn
After the defendants moved for summary judgment,het United States
District Court for the District of South Carolina dismissed the case for lack of
subject-matter jurisdiction, holding that theBeck plaintiffs lacked standing
under the Privacy Act because they failed to show that identity theft wasmi
minent.57 Citing Clapper, the district court foundthat the risk of harm from
future identity theft was theoretical, not imminent, because it would
onlyoccur if the court made assumptiosn about the actions of third parties.58 The
district court further determined that the plaintiffs lacked standing because
they failed to establish a substantial risk of har.m59 Additionally, the district
50 Id. at 268.
54 Id. at 267.
55 Id. (alleging that “the ‘Defendants’ failures’ and ‘violations’ of the Privacy Act‘caused
Plaintiffs . . . embarrassment, inconvenience, unfairness, mental distress, and the threat of current
and future substantial harm from identity theft and other misuse of their Personal Information’”)
56 Id. The Beck plaintiffs also brought separate common-law negligence claims. Id. The
district court granted the Dorn VAMC’s motion to dismiss for lack of subjet-cmatter jurisdiction or,
in the alternative, for failure to state a claim as to the commlaown- negligence claims, and
declined to dismiss the Privacy Act and APA claims at the pleadings stage. Id.
57 Id. at 267–68 (finding that the plaintiffs had “not submitted evidence sufficient to create a
genuine issue of material fact as to whether they face a ‘certainly impending’ risk of identity
58 Id. at 268 (noting that plaintiffs alleged harm was “contingent on a chain of attenuated
hypothetical events and actions by third parties independent of the defendants”).
59 Id. (“The plaintiffs’ calculations that 33% of those affected by the laptoptheft would have
their identities stolen and that all affected would be 9.5 times more likely to experience ideyntit
theft ‘di[d] not suffice to show a substantial risk of identity theft.’”).
court rejected the Beck plaintiffs’ theory that payingto monitor their credit
scores amounted to an injury because the underlying risk of harm was too
While the Beck class action was proceeding, Beverly Watson brought
another putative class-action on behalf of the roughly 2,000 individuals
fafected by the disappearance of the pathology reports.61 That suit alleged the
same harm as theBeck plaintiffs.62 The district courtalso dismissed the
Watson case for lack of subje-cmtatter jurisdiction, holding that Watson
lacked Article III standing under hte Privacy Act because she failed to
allege an actual or attempted misuse of the stolen information, thus her ael-l
gation that her information would be misused was speculative.63 Both cases
were consolidated on appeal by the Fourth Circuit.64 The Fourth Circuit was
asked to review whether the increased risk of identity thetfhtat the Beck
and Watson plaintiffs alleged constituted an actual or imminent injury under
Article III of the Constitution.65
II. BECK SURVEYED THE CIRCUIT SPLIT AND AVOIDED PICKING A SIDE BY
DRAWING FACTUAL DISTINCTIONS
This Part examines how the Fourth Circuit reached its conclusion that
the occurrence of a data breach, alone, is insufficient to confer standing and
that, in order to successfully plead an inju-riyn-fact, plaintiffs must show
that thieves actually misused or attempted to misuse their stolen personal
In February 2017, inBeck v. McDonald, the United States Court of
Appeals for the Fourth Circuit examinedwhether a plaintiff could establish
Article III standing by alleging that harm was impending following two
da60 Id. (rejecting the plaintiffs’ attempt to “create standing by choosing to purchase credit
monitoring services or taking any other steps designed to mitigate the speculative harm of future
identity theft”). The district court also denied the Beck plaintiffs’ request for injunctive relief under the
APA, relaying on its previous analysis and holding that the injury was too speculative for the
plaintiffs to assert that their information would again be compromised and that they would be
injured as a result. Id.
61 Id. at 268–69.
62 Id. at 268.
63 Id. at 269. The district court also dismissed the claim for injunctive relief under the APA,
concluding that Watson’s allegations based on Dorn VAMC’s prior conduct were insufficient to
show that she would be at the mercy of future data breaches and thefts in the absence of an
64 Id. at 266.
65 See id. at 269.
66 See infra notes 67–85 and accompanying text.
ta breaches.67 In reviewing the consolidated appeal, the Fourth Circuit
framed the issue as whether the plaintiffs metClapper v. Amnesty
International USA’s injury-in-fact requirement for Article III standing.68
Specifically, the court addressed whether the plaintiffs established that the threatened
injury of identity theft was certainly impending or posed a substantial risk
that harm would occur under the Privacy Act.69
The court began its analysis by discussing the legal frameworkr-su
rounding the future-injury theory of Article III standing7.0 Accordingly, the
court concluded, without explanation, that Clapper controlled.71 The Fourth
Circuit then addrsesed the plaintiffs’ contentions for Article III standing
based on the increased risk of future identity theft and the cost of protecting
against those risks.72
The Fourth Circuit surveyed a fivec-ircuit split to determine whether
the increased risk of future identity theft could confer standing7.3 Although
acknowledging that it was possible to establish standing based on such risk,
the court did not declare whether it is necessary to allege actual or
attemtp67 848 F.3d 262, 263 (4th Cir. 2017). The court had to evaluate standing at both the pleading
stage and the motion to dismiss stage, but narrowed the inquiry to the motion to dismiss stage as
the bar was lower and would encapsulate the summary judgment dispute. Id.
68 Id. at 270–71; 568 U.S. 398 (2013). The court affirmed the district court’s dismissals for
lack of subject matter jurisdiction, agreeing with the district court’s finding that the plaintiffs
failed to establish injury-in-fact. Beck, 848 F.3d at 267.
69 Beck, 848 F.3d at 270–72, 275.
70 Id. at 270–72.
71 See id. at 272 (discussing the appropriate standard to apply when plaintiffs allege amn-i
pending injury). The court mentioned that it would explain why it found Clapper to be controlling,
but it does not appear like the court explicitly did.See id. (“Clapper . . . is controlling here.
Before explaining why, we address the Plaintiffs’ contention that the district court misreaCdlapper
to require a new, heightened burden.)”. To the extent that the discussion was ipmlicit, the court
noted that the “certainly impending” standard articulated inClapper was “hardly novel.” Id.
(citing DaimlerChrysler Corp. v. Cuno, 547 U.S. 332, 345 (2006); Lujan v. Defs. of Wildlife, 504
U.S. 555, 564–65 & n.2 (1992); Whitmore v. Arkansas, 495 U.S. 149, 158 (1990)). Interestingly,
the court found that plaintiffs’ “emotional upset” and “fear [of] identity theft and financial fraud”
were insufficient to confer Article III standing—the court proceeded to limit its inquiry to as-di
cussion of whether the increased risk of identity theft, alone, was sufficient to confer standing. Id.
72 Id. at 273. In discussing the cost of mitigative measures, the court piggybacked on its ar-e
soning concerning the increased risk of identity theft to deny standingS.ee id. at 276–77 (citing
Clapper, 568 U.S. at 416) (finding the plaintiffs’ arguments about the cost mitigative measures to
be “a repackaged version” oftheir prior standing argument). The court found that, because the
threat of future harm was speculative, the measures taken to mitigate that harm we-re “self
imposed” and could confer standing. Id. (citing Clapper, 568 U.S. at 409). For example, in support
of its reasoning, the court citedRemijas for the proposition that mitigation costs do not satisfy the
injury-in-fact requirement where the harm is not imminent.Id. (citing Remijas v. Neiman Marcus
Grp., LLC, 794 F.3d 688, 694 (7th Cir. 2015)).
73 See id. at 273 (noting that the Sixth, Seventh, and Ninth Circuits have all recognized that
plaintiffs can establish an injury-in-fact based on the increased risk of future identity theft and that
the First and Third Circuits have rejected such contentions).
ed misuse at the motion to dismiss stage.74 The Fourth Circuit observed that
other circuits have found standingwhen the plaintiffs alleged that data
thieves intentionally targeted personal information.75Those circuits relied on
allegations of hacking specifically into data bases that held credit cardn-i
formation or misuse of that personal informationsoon after the breach.76
These factors were absent in the Beck case.77 Accordingly, the court found
that the plaintiffs’ claims were too speculative to confer Article III standing
and failed to meet the certainly-impending standard.78 The court drew
similarities to Clapper, namely, that in order for plaintiffs to suffer thaermh
they fear, the court would have to participate in the same game of connec-t
the-dots that the Supreme Court previously rejected.79
74 See id. at 273–74 (discussing the reasoning of the circuit courts but omitting to address the
75 See id. (discussing the reasoning of the circuit courts but omitting to address the question).
76 See id. at 275 (noting that threatened injuries become increasingly more speculative over
time in the absence of actual misuse). For example, in support of its reasoning, the court cited
Galaria, where the United States Court of Appeals for the Sixth Circuit in 2016 concluded that
plaintiffs’ increased risk of future identity theft theory established in-jiunr-yfact after hackers
targeted Nationwide Mutual Insurance Company’s network and stole personal informationI.d. at
274 (citing Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384, 386 (6th Cir. 2016)); Galaria,
663 F. App’x at 388(“Where a data breach targets personal information, a reasonable inference
can be drawn that the hackers will use the victims’ data for the fraudulent purposes alleged in
Plaintiffs’ complaints.”). Similarly, in support of its reasoning, the Fourth Circuit citedKrottner,
where the United States Court of Appeals for the Ninth Circuit in 2010 concluded, as a matter of
first impression, that the plaintiffs’ increased risk of future identity theft theory was sufficient to
confer Article III standing following the theft of an unencrypted laptop from Starbucks that
contained the personal information and social security numbers of approximately 97,000 Starbucks
employees, where at least one named plaintiff was the victim of someone attempting to open an
account in her name using her social security number two months after the laptop theftB.eck, 848
F.3d at 273–74 (citing Krottner v. Starbucks Corp., 628 F.3d 1139, 1141 (9th Cir. 2010)).
77 Beck, 848 F.3d at 274. For example, the Fourth Circuit pointed out that, even after
approximately four years, theBeck plaintiffs had produced no evidence of unauthorized access, misuse,
or identity theft, nor that the thief stole the laptop with the intteontmisuse their private
information. Id. The court found that the Watson plaintiffs failed in the same manner. Id. at 274–75.
78 Id. at 274-75. The court dismissed the plaintiffs’ counterargument—that there was “no need
to speculate” because the plaintiffs had alleged actual theft of the laptop and pathology repor—ts
finding that the “mere theft,” alone, was not grounds for Article III standiIndg.. at 275 (citing
Randolph v. ING Life Ins. & Annuity Co., 486 F. Supp. 2d 1, 78– (D.D.C. 2007)). In support, the
court cited Randolph for the proposition that plaintiffs must allege intent to misuse, target, or
access their personal information and that a mere theft is insufficient. Id.
79 See id. at 275 (finding that, in both cases, the thieves must first target the personal
information, then select—amongst thousands of people—the personal information of the named
planitiffs and then successfully use that information maliciously). InClapper, the Supreme Court
denied standing because it found that the plaintiffs’ alleged harm would only manifest if the Court
made assumptions about the potential actions of third partiesC.lapper, 568 U.S. at 414. For
example, the Court would have had to assume that (1) the government would decide to target the
specific individuals relevant to the action; (2) the government would use the specific method
complained about for surveillance of those individuals; (3) the Article III judges on the Federal
Intelilgence Surveillance Court would authorize those surveillances; and so on.Id. at 410. Similarly, the
Fourth Circuit, in Beck, found that it was too speculative to imagine what the hackers wanted with
The court also concluded that the plaintiffs failed to allege that there was
a substantial risk of harm8.0 The plaintiffs claimed that 33% of data breach
victims will eventually become victims of identity thef8t1. The court found,
without explicit explanation, that this statistic fellshort of establishing a
substantial risk of harm.82 The plaintiffs also alleged that, by offering free credit
monitoring, the defendants effectively conceded the existence of a substantial
risk of harm8.3 The court declined to follow its sister circuits’ decisions to
infer such harm from the offer, noting that such a decision would
disincentivize businesses from offering those services again for fear of lawsui8t4.
Accordingly, the court found that the plaintiffs failed to show a substantial risk
of harm posed by the data breaches.85
III. THE FOURTH CIRCUIT CORRECTLY DECIDED THE CASE, BUT THE LEGAL
LANDSCAPE STILL LEAVES PLAINTIFFS UNCERTAIN HOW TO PLEAD
To say the least, standing has not been applied consistently, and
standing in data breach cases is no exception.86 On one hand, it makes sense that
people who target and steal personal information are likely to use it for
enthe stolen laptop or stolen pathology reports, whether they knew howto access the information, or
whether they would even try to access the information. Beck, 848 F.3d at 274.
80 Beck, 848 F.3d at 275 (citing Clapper, 568 U.S. at 409 n.5).
82 See id. at 275–76 (finding that the statistic “falls far short” of establishing a substantial risk
of harm). In support of its reasoning, the court citeKdhan and In re Science Applications. Id. at
276 (citing Khan v. Children’s Nat’l Health Sys., 188 F. Supp. 3d 524, 533 (D. Md. 201;6I)n re
Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 26 (D.D.C
2014)). Both courts found a lack of standing where plaintiffs produced statistics that showed that
approximately 20% of data breach victims are sure to become the victims of identity theftK.han,
188 F. Supp. 3d at 533; In re Sci. Applications, 45 F. Supp. 3d at 26.
83 Beck, 848 F.3d at 276.
84 Id. The court determined that, to use a business’s altruistic offers against it would provide a
disincentive for those businesses to be altruistic in the future, thus opting not to use the offer of
free credit monitoring against the defendants here.Id. But see Galaria, 663 F. App’x at 388
(“Indeed, Nationwide seems to recognize the severity of the risk, given its offer to provide c-redit
monitoring and identity-theft protection for a full year”);Remijas, 794 F.3d at 694 (“It is telling
. . . that Neiman Marcusoffered one year of credit monitoring and identit-ytheft protection to all
[potentially harmed] customers . . . . It is unlikely that it did so because the risk is so ephemeral
that it can safely be disregarded.”).
85 Beck, 848 F.3d at 276. The court, in dicta, noted thaCtlapper elucidated that a threatened
event can be “reasonably likely” to occur but nonetheless fail to meet the “imminence” reqeu-ir
ment for injury-in-fact. Id. (citing Clapper, 568 U.S. at 406–07).
86 See Valley Forge Christian Coll. v. Ams. United for Separation of Churc&h State, Inc.,
454 U.S. 464, 475 (1982) (discussing Article III standing generally, noting that Article III standing
has not been defined consistently).Compare Katz v. Pershing, LLC, 672 F.3d 64, 80 (1st Cir.
2012) (declining to find standing in the absence of allegations of actual misuse or hawrmit)h,
Attias v. Carefirst, Inc., 865 F.3d 620, 629 (D.C. Cir. 2017) (finding standing where plaintiffs
allege breach of data).
farious purposes. 87 On the other hand,as time passes and no attempts to
misuse the information have occurred, it becomes harder to claim that
identity theft is imminent.88
The Fourth Circuit in Beck correctly arrived at this conclusion.89 The
unfortunate reality, however, is that data breach victims are now left asking how
and when should they bring a lawsuit: what facts must be pleaded for their
case to proceed; and should they wait until they have evidence of hackers
trying to use their stolen information, or sue as soon as they hear that a breach
has occurred?90 This Part argues that victims are left asking themselves those
questions with no answer in sigh91t. Specifically, this Part argues that the
Fourth Circuit properly determined that the plaintiffs lacked standing and also
identifies that, where data breaches occur from physical theft, like that of a
laptop, plaintiffs seem to struggle the most to establish standing.92
The Fourth Circuit correctly determined that tBheck and Watson
plaintiffs failed to allege facts to make it plausible that their injuries were
imminent.93 While evaluating whether identity theft was certainly
impedn87 See Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693 (7th Cir. 2015) (commenting
on the imminence of future identity theft as seeming to be the purpose for stealing information);
WHAT’S “NEW” IN CYBERSECURITY, supra note 2, at 20 (noting the inconsistencies amongst courts
where plaintiffs allege increased risk of identity theft without actual or attempted misuse).
88 In re Zappos.com, Inc., 108 F. Supp. 3d 949, 9586–0 (D. Nev. 2015) (finding that the
plaintiffs lacked standing where years had passed without the plaintiffs making any allegations of
misuse); Storm v. Paytime, Inc., 90 F. Supp. 3d 359, 366–67 (M.D. Pa. 2015) (noting that a lapse
of time undermines the concept of “imminent”).
89 See Beck v. McDonald, 848 F.3d 262, 275 (4th Cir. 2017) (discussing that plaintiffs have
failed to show any indication their stolen personal information would be used in a way that would
cause them harm just because a laptop and pathology reports were stolen).
90 See Remijas, 794 F.3d at 694 (noting the inherent difficulty in requiring data breach
planitiffs to wait for harm to manifest before bringing a lawsuit);see also WHAT’S “NEW” IN
CYBERSECURITY, supra note 2, at 20 (noting the difficult choices data breach victims have to make when
deciding whether to bring a lawsuit and what to plead;)Dowty, supra note 3, at 686–87 (noting a
circuit split concerning the sufficiency of allegations required to confer standing); L&ee Ellis,
supra note 28, at 180 (discussing the complexity of the relationship between proving an
impedning injury and proving that your case has been properly incubated such that it is “ripe” for trial).
91 See infra notes 93–110 and accompanying text.
92 See infra notes 93–110 and accompanying text.
93 Beck, 848 F.3d at 267 (denying plaintiffs standing where they suffered no economic harm
as a result of having their personal information stolen by a laptop thief). This argument is made on
the assumption that Clapper was correctly decided and applies in data breach class actionsS.ee
Clapper v. Amnesty Int’l USA, 568 U.S. 398, 414 n.5 (2013) (permitting a substantial risk theory).
See generally Green, supra note 30 (discussing the possibility that the substantial risk test is a
fiction created to secure Justice Kennedy’s vote).One might argue that Clapper’s effect does not
quite reach private collection of private information, asClapper was a case about apublic
collection of private information by the government through FISA.See, e.g., John L. Jacobus &
Benjamin B. Watson, Clapper v. Amnesty International and Data Privacy Litigation: Is a Change to the
Law “Certainly Impending”?, 21 RICH. J. L. & TECH. 3, 15, 50 (2014), https://scholarship.richmond.
edu/cgi/viewcontent.cgi?article=1405&context=jolt [ http://perma.cc/9H8B-KSWW] (discussing
the ensuing split between courts in the datbareach sphere before and after Clapper, assuming,
ing, the court compared the plaintiffs’ allegations to cases whereincreased
risks of identity theft were sufficient to confer standing.94 Accordingly, the
court identified three failures within the plaintiffs’ case: (1) a lack of intent
by the thieves to target the personal information of the victims; (2) a lack of
attempt at misuse; and (3) a lack of actual misuse.95 Virtually no courts have
granted standing in the absence of all three of the above allegations, and all
three were missing in this case9.6 Irrespective of whether allegations of
actual misuse are required to confer standing, no court has been iwngill to
label an identity theft “imminent” unless a thief, at the very least, targeted
or attempted to misuse personal informationwithin a reasonable amount of
without explanation, that Clapper properly applies in data breach cases). Courts are even torn as to
the effect of Clapper in data breach cases. Compare In re Zappos, 108 F. Supp. 3dat 956 (citing
In re Sony Gaming Networks & Consumer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 961
(S.D. Cal. 2014)) (discussing Article III standing requirement, noting that, althoughClapper did
not use the Ninth Circuit’s “real and immediate” lnaguage, it “did not set forth a new Article III
framework, nor did the Supreme Court’s decision overrule previous precedent requiring thtahte
harm be ‘real and immediate’”),with Strautins v. Trustwave Holdings, Inc,. 27 F. Supp. 3d 871,
878 (N.D. Ill. 2014) (discussingClapper’s effect on future injur-yin-fact, noting “Clapper
expressly rejected the .. . ‘objectively reasonable likelihood standard’ as ‘inconsistent with oure-r
quirement that threatened injury must be certainly impending to constitute injury-in-fact’”).
Obviously, if it turns out that Clapper precludes increased risk theories for future identity theft, then the
holding that the plaintiffs’ allegations of harm were too speculative was accurateS.ee Beck, 848
F.3d at 274 (finding that the plaintiffs did not adequately plead an increased risk of identity theft).
Compare Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1549(2016) (acknowledging the viability of a
substantial risk theory of injury in fact,)with Blum v. Holder, 744 F.3d 790, 797 (1st Cir. 2014)
(applying Clapper’s certainly impending standard, discussing the ambiguity iCnlapper).
Likewise, if Clapper is to be understood as allowing increased risk of injury theories to confer standing
in the data breach context, then the Fourth Circuit was also correct to undtaerke the analysis and
affirm the decision to dismiss the case.See Beck, 848 F.3d at 274 (finding that plaintiffs failed to
allege they were at an increased risk of identity theft following a data breac.h)Compare Spokeo,
136 S. Ct. at 1549 (acknowledging the viability of a substantial risk theory of injury in fac,t)with
Blum, 744 F.3d at 797 (applying Clapper’s certainly impending standard, discussing the
ambiguity in Clapper).
94 Beck, 848 F.3d at 274.
95 Id. (discussing the facts and rationale sister circuits employed when finding standing,
noting that “plaintiffs ma[d]e no such [similar] claims”); WHAT’S “NEW” IN CYBERSECURITY, supra
note 2, at 19 (listing a compilation of factors by which courts have found standing, and noting
factors where the absences have been fatal to plaintiffs’ cases).
96 See WHAT’S “NEW” IN CYBERSECURITY, supra note 2, at 18 (noting that, to even have a
chance at a court finding standing, plaintiffs need to allege a minimum of data brecaocuhpled
with a statutory violation); Dowty, supra note 3, at 689–93 (surveying the circuit split and
discussing the factors courts have discerned confer standing).Assuming that the pathology reports were
stolen and not merely misplaced, one can argue thathe thieves in Beck “targeted” the pathology
reports for the social security numbers and medical history contained thereinS.ee Beck, 848 F.3d
at 268. Targeting the information notwithstanding, the passage of four years without a single
inicdence of attempted misuse severely dampens a claim that future identity theft is imminentS. ee In
re Zappos, 108 F. Supp. 3d at 958–60 (finding that the plaintiffs lacked standing where years had
passed without the plaintiffs making any allegations of misuse);Storm, 90 F. Supp. 3d at 366–67
(noting that a lapse of time undermines the concept of “imminent”).
time following the breach9.7 If there hasn’t been at least one unauthorized
attempt at a person’s identity over four years since the data exposure, it is
indefensible to claim that identity theft isstill certainly impending.98
Moreover, the plaintiffs had not alleged that their medical insurance, credit cards,
bank accounts, or other personal accountshad been subject to attempts at
The Fourth Circuit was also correct that the plaintiffs’ argument
cnocerning the “substantial risk” of harm posed by the compromised laptop and
97 See, e.g., Krottner v. Starbucks Corp., 628 F.3d 1139, 1142 (9th Cir. 2010) (finding
standing where a thief stole a laptop containing unencrypted personal information of over 97,000
Srtabucks employees, where at least one plaintiff alleged misuse in the form of a fraudulent attempt to
open a bank account); Attias, 865 F.3d at 623, 629 (finding standing where a thief stole two
platops and subsequent misuse was alleged). Indeed, scholars have insinuated that the mere theft of
information, by itself, poses no harm to the owner of the information without subsequent use; the
use of personal information is what deprives the original owner of the information’s value, thus
making it fair to say the victim had been harmedS. ee STUART P. GREEN, 13 WAYS TO STEAL A
BICYCLE: THEFT LAW IN THE INFORMATION AGE 244 (2012) (proposing that unless one’s stolen
personal information is misused, it is hard to claim that the victim had beenharmed). One scholar
drew a useful analogy to the Takings Clause of the Fifth Amendment: in instances of
governmental takings, plaintiffs are compensated only when the takings “go too farI.”d. Similarly, identity
theft won’t confer an injury unless the thief has gone “too far” and took steps towards depriving
someone of property value. Id. For an example of when the government went “too far,” consider
Pennsylvania Coal Co. v. Mahon, where the plaintiffs sought an injunction to prevent a coal
company from mining below their home to prevent the ground from collapsing beneath their feet. 260
U.S. 393, 414–15 (1922). There, the issue was whether the coal company could be prevented from
digging out the valuable coal support pillars that kept the ground from collapsing, or whether the
preventative statute would amount to an impermissible regulatory taking by the governmenItd..
The court, finding for the coal company, decided that a statute that prevented the coal company
from mining the remaining foundational coal would deprive the company of the subterranean
property value, thus going “too far” and requiring compensation to the company for the loss as if it
were a taking. Id. In Beck, the Fourth Circuit’s decision makes sense in light of this
analogy:cacepting the plaintiffs’ allegations as true, although thieves stole pathology reports containing, inter
alia, names and social security numbers, there is something to be said for nearly four years psa-s
ing without an instance of attempted misuse or actual misuse.See Beck, 848 F.3d at 275 (noting a
connection between the passing of time and the speculative nature of an allegedly impending
harm); see also In re Zappos, 108 F. Supp. 3d at 958 (noting that the passage of time is a factor to
weigh when considering how “impending” an alleged injury is, and that the more time passes, the
more plaintiffs’ arguments are “undermined”). Because there was no harm, or an action that looks
like an attempt to cause harm, plaintiffs should not be compensatedS.ee Beck, 848 F.3d at274
(denying standing where the plaintiffs failed to allege that there had been any attempts by thieves
to misuse their stolen information).
98 See Beck, 848 F.3d at 275 (noting that plaintiffs “uncovered no evidence that the
information contained on the stolen laptop has been accessed or misused”);In re Zappos, 108 F. Supp.
3d at 958–60 (finding that the plaintiffs lacked standing where years had passed without the
planitiffs making any allegations of misuse);Storm, 90 F. Supp. 3d at 366–67 (noting that a lapse of
time undermines the concept of “imminent”).
99 Beck, 848 F.3d at 274. The court pointed out that thBeeck plaintiffs could not have been
the victims of credit or bank fraud because the stolen laptop did not contain any credit card or
bank account information. Id. at 274 n.6. But see Attias, 865 F.3d at 628 (finding that the theft of
merely a combination of names, birthdays, email addresses, and subscriber identification numbers
could confer standing because the risk of medical insurance fraud was sufficiently high).
pathology reports carried little weight.100 The plaintiffs offered generalized
statistics concerning identity theft following data breaches in the abstract.101
As the court noted, these statistics provided no insight into the particular
facts of the case.102 Absent particular assessments of the risks posed to these
plaintiffs under the type of theft, it cannot be said thatthese victims face a
“substantial risk” of harm.103 Moreover, the court properly chose not to
niterpret Dorn VAMC’s offer to monitor the victims’ credit scores as proof of
a “substantial risk.”104 As the court noted, it would be poor policy to slap an
altruistic wrist as it might deter future benevolent attempts to mitigate
100 See Beck, 848 F.3d at 275–76 (denying plaintiffs standing where they failed to allege that
identity theft would follow from the theft of a laptopand pathology reports); Clapper, 568 U.S. at
410 (noting that “allegations of possible future injury are not sufficient” to confer standing
(internal citations omitted)). Increased risk of identity theft, alone, may be sufficient to confer standing
in certain circumstances. See Attias, 865 F.3d at 629 (finding that plaintiffs adequatelyeapdled
injury-in-fact based on an increased risk of identity theft theory). For example, Ainttias, an
unknown hacker breached twenty-two computers and accessed a database that contained customers’
credit card numbers and full social security numbers (as opposed to only the last four digits). Id. at
623. The court, finding standing, reasoned that when a company collects personal information in
the form of credit card and social security numbers, and that information is targeted and accessed,
plaintiffs are at a high risk of financial fraud.Id. at 629. Of course, the court would have to make
assumptions that the hacker who took that information would then use it for nefarious purposes.
See, e.g., Remijas, 794 F.3d at 693 (“Why else would hackers break into a store’s database and
steal customers’ private information? Presumably, the purpose of the hack is, sooner or later, to
make fraudulent charges or assume those customers’ identities.”). Nevertheless, that assumption is
much more sensible when the facts reveal that a hacker aimed their hack at that personal
information, rather than, for example, stole a laptop.Compare Beck, 848 F.3d at 275 (noting that the
mere theft of an item, alone, is insufficient to confer Article III standing, requiring that plaintiffs
show allegations of attempted or actual misuse of the stolen personal information)w,ith Remijas,
794 F.3d at 693 (finding standing where hackers deliberately aimed their attack at personal credit
card information and fraudulent credit card charges appeared on customers’ credit card statements
101 Beck, 848 F.3d at 275–76.
102 See id. at 275 n.7 (noting that plaintiffs’ “general statistic [said] nothing about the risk
arising out of any particular incident, nor does it address the particular facts of this case”).
103 Id.; see Khan v. Children’s Nat’l Health Sys., 188 FS.upp. 3d 524, 533 (D. Md. 2016)
(noting that statistics, which are often cited in other cases of a similar sort, do not establtihshat
identity theft is “certainly impending” in the instant case). It is simply too conjectural to apply
generalized statistics to the facts of a case. Khan, 188 F. Supp. 3d at 533.
104 Beck, 848 F.3d at 276. But see Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384, 388
(6th Cir. 2016) (“Indeed, Nationwide seems to recognize the severity of the risk, given its offer to
provide credit-monitoring and identity-theft protection for a full year.”); Remijas, 794 F.3d at 694
(“It is telling . . that Neiman Marcus offered one year of credit monitoring and iden-tthiteyft
protection to all [potentially harmed] customers . . . . It is unlikely that it did so because the risk is
so ephemeral that it can safely be disregarded”. ). Offering free credit monitoring following a data
breach is not an uncommon occurrence. See Regnier & Woolley, supra note 1 (noting that Equifax
offered free credit-monitoring services following a breach).
105 Beck, 848 F.3d at 276; In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d
625, 634 & n.12 (3d Cir. 2017) (commenting that an offer by a company to monitor credit
The fallout from the Beck decision and the current circuit split is
dsiconcerting: victims either have to wait for harm to materialize or allege—at
the very least—that thieves specifically targeted their personal information
to even have a shot at establishing standing1.06 In instances of laptop thefts,
it is difficult to imagine these cases proceeding past the standinpghase on
increased-risk theories without some allegations of actual harm or
attemtped misuse, forcing victims to wait before they can bring a lawsu10it7. The
issue is particularly salient in laptop theft cases because the mere theft of a
laptop does not necessitate that the thief wanted the information contained
within.108 Even if victims can allege that the laptop was targeted for
personal information, courts are inconsistent as to whether the merteargeting of
personal information is sufficient to confer stadning.109 This, in turn, will
force victims to sit and wait for at least anattempt by a thief to access their
personal information before filing a suit.110
In February 2017, in Beck v. McDonald, the Fourth Circuit held that
allegations that a laptopand pathology reports were stolen did not mean that
identity theft was imminent. The court further held that, even though personal
information was contained within the stolen items, there was no evidence that
the thief intended to use that personal information for nefarious purposes.
This decision deepened a circuit split surrounding what allegations are sufi-f
cient to show that identity theft is imminent following a data breach. Victims
are now stuck between a rock and a hard place: they live in fear ththaetir
identities may be compromised at any minute, yet lack the standing to obviate
their anxieties through judicial remedy. In a society that is ev-eirncreasingly
ing a breach should not be seen as a “concession or recognition” that plaintiffs suffered an injury,
or else companies may be disincentivized in future instances).
106 See Remijas, 794 F.3d at 693 (noting the traceability problem created by plaintiffs having
to wait for harm to materialize before bringing a lawsuitW); HAT’S “NEW” IN CYBERSECURITY,
supra note 2, at 20 (same).
107 See, e.g., Attias, 865 F.3d at 629 (finding standing following the theft of two laptops where
subsequent misuse was alleged); Resnick v. AvMed, Inc., 693 F.3d 1317, 13221–(11th Cir.
2012) (finding plaintiffs met the requirements of Article III standing where two unencrypted
platops were stolen and sold to someone who had a history of dealing in stolen property, and where
actual identity theft and misuse were alleged)K;rottner, 628 F.3d at 1142 (noting that a named
plaintiff had someone try to open up a bank account in his name following the laptop theft).
108 See Beck, 848 F.3d at 274 (noting that the plaintiffs failed to allege that the laptop thief
deliberately targeted their personal information).
109 Beatty, supra note 1, at 1290 (discussing that, in order to find standing, courts require that
plaintiffs show more than merely that their data had been stolen, and must bring forth allegations
and evidence of misuse, and economic damages).
110 See Remijas, 794 F.3d at 693 (noting the traceability problem created by plaintiffs having
to wait for harm to materialize before bringing a lawsuitW); HAT’S “NEW” IN CYBERSECURITY,
supra note 2, at 20 (same).
dependent on trusting businesses with our personal information, instances of
data breach litigation are only bound to rise. Until the Supreme Court clarifies
the requirements for injury-in-fact within the data breach context, plaintiffs
will be continuously rolling the dice on whether they actually are harmed
before they ever approach the merits of their claims.
13 See, e.g., Beck , 848 F. 3d at 274 (noting that plaintiffs “uncovered no evidence that the information contained on the stolen laptop has been accessed or misused or that they have suffered identity theft, nor . . that the thief stole the laptop with the intent to steal their private information”).
14 See infra notes 16-41 and accompanying text.
15 See infra notes 42-65 and accompanying text. This Comment only discusses the Fourth Circuit's analysis of plaintiffs' claims under the Privacy Act, not under the APA . Id.
16 U.S. CONST. art. III, §§ 1 - 2
17 See Warth v. Seldin , 422 U.S. 490 , 4985 - 01 ( 1975 ) (discussing the purpose of standing, noting that standing is concerned with properly limiting the role of courts in a democracyH); ayburn's Case, 2 U.S. (2 Dall .) 409 , 419 n†. (1792) (“[B]y the Constitution of the United States, the government thereof is divided into threedistinct and independent branches, and .. . it is the duty of each to abstain from, and to oppose, encroachments on either.”);see also Scalia, supra note 9, at 882 (discussing the importance of Article III standing as a check on judicial power).
18 Clapper v. Amnesty Int'l USA , 568 U.S. 398 , 408 ( 2013 ) (citing Lujan v . Defs. of Wildlife , 504 U.S. 555 , 560 , ( 1992 )).
19 Lujan, 504 U.S. at 560.
20 Id. at 598 n.4 (noting the purpose of standing is to resolve “genuine controversies between adverse parties”); see Marbury v . Madison , 5 U.S. (1 Cranch) 137 , 170 ( 1803 ) (“Theprovince of the court is, solely, to decide on the rights of individuals.”). In the words of the late Justice Aon-t nin Scalia, the purpose of standing is to have federal courts adjudicate cases where the parties can adequately answer the question, “What's it to you?” Scalias,upra note 9, at 882 (discussing the importance of Article III standing as a check on judicial power) . Standing also serves other goals such as ensuring adverse litigants and promoting democracy . See Heather Elliot, The Functions of Standing , 61 STAN. L. REV. 459 , 465 - 501 ( 2008 ) (discussing other justifications for standing) . Preferred Cite: Brandon Ferrick , Comment, No Harm, No Foul: The Fourth Circuit Struggles with the “Injury-in-Fact” Requirement to Article III Standing in DataBreach Class Actions , 59 B.C. L. REV . E. SUPP. 462 ( 2018 ), http://lawdigitalcommons.bc.edu/bclr/vol59/iss6/462.