4th Circuit Severely Limits Data Breach Lawsuits

Written by: Sean Cox, Esq.

A recent decision from the Federal 4th Circuit Court of Appeals is likely to make it much harder for plaintiffs within its borders to bring lawsuits following a data breach. In Beck v. McDonald, the 4th Circuit Court of Appeals held that allegations of enhanced risk of future identity theft following a data breach, and allegations that affected persons incurred costs to guard against identity theft and monitor their credit information, were insufficient to establish standing to bring suit.

In two separate instances, a Veteran’s Administration hospital in South Carolina had a laptop containing the unencrypted personal information of approximately 7,400 patients stolen and four boxes of medical records lost. The affected patients were notified, and two of them subsequently filed putative class actions. The plaintiffs brought claims alleging violations of the Privacy Act of 1974 and the Administrative Procedure Act, along with common-law negligence claims. Specifically, they alleged that the breach “caused Plaintiffs embarrassment, inconvenience, unfairness, mental distress, and the threat of current and future substantial harm from identity theft and other misuse of their Personal Information” and that the “threat of identity theft” required them to frequently monitor their “credit reports, bank statements, health insurance reports, and other similar information, purchase credit watch services, and shift financial accounts.” The trial court in both cases dismissed the plaintiffs’ claims, finding that they had failed to allege an injury in fact sufficient to confer standing to bring suit.

Article III of the United States Constitution requires that a plaintiff have “standing” to sue, which ordinarily requires the following 3 elements: “(1) an injury-in-fact (i.e., a concrete and particularized invasion of a legally protected interest); (2) causation (i.e., a fairly traceable connection between the alleged injury in fact and the alleged conduct of the defendant); and (3) redressability (i.e., it is likely and not merely speculative that the plaintiff’s injury will be remedied by the relief plaintiff seeks in bringing suit).” Without those 3 elements, a federal court is without jurisdiction to hear the case.

In Beck, the 4th Circuit focused on the first element, “injury-in-fact.” “To establish injury in fact, a plaintiff must show that he or she suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical.’” “[T]hreatened rather than actual injury can satisfy Article III standing requirements,” but an injury-in-fact “must be concrete in both a qualitative and temporal sense.” “The complainant must allege an injury to himself that is distinct and palpable, as opposed to merely abstract.” The Court held that increased risk of future identity theft was too speculative an injury to support standing, and held that self-imposed harms in response to speculative injuries, such as credit and account monitoring costs, likewise could not confer standing.

Extending the landmark United States Supreme Court decision in Spokeo, the Beck decision places the 4th Circuit within a distinct camp of jurisdictions, including the 1st and 3rd Circuit Courts of Appeal, that set a high bar for plaintiffs attempting to file suit related to data breaches when there is no actual or attempted misuse of the personal information. In contrast, the 6th, 7th, and 9th Circuit Courts of Appeal have held that the heightened risk of identity theft following a data breach is, by itself, sufficient to provide standing. Somewhat straddling the divide, however, the 4th Circuit compromised in its decision and potentially left the door cracked for plaintiffs in data breaches caused by hackers. In dicta, the 4th Circuit suggested that when data is specifically targeted by hackers, the risk of potential, future misuse is far less speculative. This suggests that in the proper case, standing may be available even without actual misuse. For now, however, it appears that following Beck, plaintiffs in federal courts located in Maryland, Virginia, West Virginia, North Carolina, and South Carolina must show actual or attempted misuse of their personal information to open the courtroom doors.
