Featured Expert Contributor—Civil Justice/Class Actions

Talia M. Zucker, a Partner with Shook, Hardy & Bacon L.L.P. in its Miami, FL office, with Rachel Forman, an Associate with the firm.

Ed. Note: Ms. Zucker is pinch hitting in this Featured Expert Contributor column for our regular blogger, her partner Frank Cruz-Alvarez.

The U.S. Court of Appeals for the Fourth Circuit, in the consolidated appeal of Hutton v. National Board of Examiners in Optometry, No. 17-1506 (4th Cir. June 12, 2018), recently issued another opinion on Article III standing in a data breach case.  This time, however, the court found that the putative class members had Article III standing, unlike the plaintiffs in Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), a case previously discussed in this column.  In Hutton, the Fourth Circuit vacated and remanded the district court’s dismissal of the plaintiffs’ complaints against the National Board of Examiners in Optometry (“NBEO”) for lack of subject-matter jurisdiction and held that the plaintiffs sufficiently alleged the necessary injury in fact for Article III standing and that the injuries suffered were fairly traceable to the NBEO’s conduct.

The Hutton putative class members are optometrists who in mid-2016 discovered that credit card accounts were fraudulently opened in their names.  Through discussions on social media, the optometrists ascertained that their social security numbers were likely stolen from a common source—the NBEO.  As a prerequisite to sit for the board-certifying exam, individuals had to share with the NBEO the type of personally identifying information needed to open a credit card, i.e. social security numbers.

When the NBEO heard of the optometrists’ concerns, it immediately released a statement that its information systems were not compromised; later, this statement was in part retracted to say that the NBEO was investigating whether its database was breached.

Despite the NBEO’s statements, plaintiffs filed two lawsuits alleging negligence, breach of contract, breach of implied contract, and in one lawsuit an additional claim for unjust enrichment.  All three plaintiffs submitted personal information to the NBEO when they registered to take the optometry licensure exam.  Plaintiff Hutton, who registered to take the exam in 1998, alleged that eighteen years later she received a Chase Amazon Visa credit card for which she had not applied.  Because her personal information was compromised, Plaintiff Hutton alleged that she “faces an increased risk of identity theft and fraud” and has spent “time and money putting credit freezes in place with . . . credit reporting agencies.”  Id. at *6.  Hutton’s co-plaintiff, Kaeochinda, suffered a similar fate.

Plaintiff Mizrahi learned of the NBEO data breach, began monitoring her credit score, and alerted a credit-reporting agency.  As a result, she learned that her credit score had dropped eleven points and a Chase Amazon Visa credit card application was submitted in her name.  Plaintiff Mizrahi was then forced to send “certified letters to Chase, the major credit reporting companies, and others to inform them of this unauthorized event” which was a “laborious process.”  Id. at *8.

The NBEO moved to dismiss both complaints arguing that the plaintiffs failed to (1) establish Article III standing to sue, and (2) state a claim upon which relief can be granted.  Relying on the Fourth Circuit’s decision in Beck, the district court dismissed the complaints, “emphasiz[ing] that the Plaintiffs had ‘failed to establish standing either upon their asserted increased risk of identity theft or upon their expenses to negate identity theft,’” and that the alleged injuries were not traceable to the NBEO since the NBEO never admitted to the data breach.  Id. at *9-10.

On appeal, the NBEO challenged two Article III standing elements:  (1) injury in fact—that the plaintiffs “suffered ‘an invasion of a legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent, not conjectural or hypothetical’”; and (2) traceability—that “[t]he injury must be fairly traceable to the challenged action, and relief from the injury must be likely to follow from a favorable decision.”

The court first assessed injury in fact under the standard articulated in Beck—that Article III standing can neither be established based on “the harm from the increased risk of future identity theft and the cost of measures to protect against it” nor “the mere compromise of personal information, without more.”  Contrary to the district court’s findings, the Fourth Circuit distinguished this case from the facts of Beck.

In Beck, the plaintiff veterans were only able to allege a “threat of future injury”—that the stealing of a laptop and boxes containing personal information of patients might lead to data misuse or an intent to steal private information.  Here, however, the Fourth Circuit found that the Hutton plaintiffs not only alleged theft of their personal information, but also that their information was “accessed and used in a fraudulent manner.”  It was this misuse of information together with the fact that the plaintiffs incurred actual costs for “mitigating measures to safeguard against future identity theft” that “readily show[ed] sufficient injury-in-fact.”  Id. at *16.

The Court next addressed “the traceability of the NBEO’s conduct to the injuries and harms alleged in the Complaints.”  Id. at *16.  The Court found that several allegations made it “plausible and likely that a breach of the NBEO’s database resulted in the fraudulent use of the Plaintiffs’ personal information” specifically:

  1. a group of optometrists around the country, including plaintiffs, noticed that fraudulent credit card accounts were opened in their names during the same time period;
  2. the cards were opened using personal information the plaintiffs had given the NBEO;
  3. the NBEO was the only common source that collected and stored social security numbers and outdated personal information; and
  4. other national optometry organizations do not store the same type of personal information or were able to investigate and confirm their databases were not breached.

These allegations were “plausible on their face with respect to traceability.”  Id. at *18.  The court did not address the third element of standing—redressability—because it was not contested by the NBEO.

Despite different conclusions, the Fourth Circuit’s decisions in Hutton and Beck are consistent.  Indeed, the Hutton decision reinforces the court’s holding in Beck:  that to establish Article III standing, plaintiffs cannot rely on bare allegations of possible future identity theft or personally incurred mitigation costs to protect against the threat of a possible future identity theft.  Plaintiffs must go further in their allegations, as was done in Hutton.

A split between the circuits on what constitutes an injury in fact in data breach cases remains—with the D.C., Sixth, Seventh, and Ninth Circuits recognizing that plaintiffs can establish an injury in fact at the pleading stage based on mere allegations of substantial risk of future identity theft, but the First and Third Circuits rejecting such an approach.