On April 1, 2018, Lord and Taylor’s parent company announced that five million payment cards used in their stores had been compromised.1 A few days earlier, Under Armour had announced that roughly 150 million users of its fitness app had their accounts hacked.2 These incidents serve as a grim reminder that our personal information is everywhere and vulnerable.
The ubiquity of e-commerce forces consumers to share their sensitive data with an array of companies. According to John T. Chambers, former CEO of Cisco, these companies can be broken down into two types, “those who have been hacked, and those who don’t yet know they have been hacked.”3 The problem is worsening. In 2017, nearly 179 million personal records were exposed through 1,579 distinct breaches. This number of breaches represents a 44.7 percent increase in the number of attacks from 2016, which had previously been the record high.4 More than half involve a stolen Social Security number and roughly 20 percent involve a payment card.5
Yet when there is a data breach, tangible harm is not guaranteed. According to one 2016 report, only 31.7 percent of data breach victims experienced attempted identity fraud.6 While there are other ways for criminals to profit from a data breach (e.g. extortion stemming from a hack of affair website Ashley Madison)7 skepticism on the ramifications of a breach is summed up by business mogul Kevin O’Leary: “Nobody really cares anymore, there’s no cause and effect. You get the breach and nothing happens.”8 Not all hacked accounts are treated equal. This asymmetry in outcome demonstrates that particularized resolution of data breach litigation is of the upmost importance to both businesses and consumers.
People want retribution from the company that exposed their information. Litigation is often the avenue to achieve that end. Currently, federal courts disagree as to when a plaintiff has experienced sufficient harm to established Article III standing under the Constitution. Is it adequate, for example, for one to have their information merely exposed to a nefarious third party? Should a victim be compensated for the time spent on increased vigilance over their account? Must a third party attempt fraudulent activity? What if the company offers up front to cover these costs? These are vital procedural questions. As this type of suit increases, it is important that courts articulate a uniform scope of liability so that parties can set reasonable expectations for their conduct.
Article III of the Constitution only permits Courts to hear ‘cases’ and ‘controversies.’9 This is a preliminary matter in every case that the plaintiff has a burden of proving. The Supreme Court has announced that standing is achieved when an injury is (1) concrete, particularized, and actual or imminent (injury in fact); (2) fairly traceable to the challenged action and (3) redressable by a favorable ruling.10 The current Supreme Court decision on standing comes from Clapper v. Amnesty International.
In Clapper, the Court gave a narrow interpretation of “imminence,” saying that while it is not easy to define, it must be that the injury is “certainly impending.”11 In Clapper, Plaintiffs’ (a group of lawyers, journalists, human rights advocates, et al.) argued that the Foreign Intelligence Surveillance Act (which permitted the surveillance of non-U.S. citizens who weren’t on U.S. soil) was not constitutional because it was “objectively reasonable” that the government would inevitably be spying on plaintiffs.12 The Court held that “objectively reasonable” is not “certainly impending” and that Plaintiffs’ arguments were built on a series of attenuated speculations.13 In addition, the Court held that standing cannot be manufactured by incurring costs in anticipation of injury.14 Therefore, the Court held that Plaintiffs did not have standing and dismissed the suit. This ruling has a direct impact on plaintiffs in data breach litigation. Uniform results, however, remain elusive.
Injury in Fact & Increased Risk of Future Identity Theft
Plaintiffs argue a variety of legal claims when attempting to satisfy the requirement that they sustained a cognizable injury. The most fragile theory pleaded in data breach cases is that a negligent company increased a plaintiff’s risk of identity theft. Here, the plaintiff does not have to have experienced any realized harm to file suit; it is enough that the information was exposed to a malicious third party. Contrary to the expectations of at least one court, Clapper has not resolved the circuit split.15
Courts that still recognize increased risk of identity theft as an actionable claim rely in part on footnote 5 of Clapper:16 “Our cases do not uniformly require plaintiffs to demonstrate that it is literally certain that the harms they identify will come about. In some instances, we have found standing based on a ‘substantial risk’ that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm.”17 These courts reason that the intentional theft of personal information is adequate to establish a substantial risk.18 After all, what is the purpose of stealing information if not to use the stolen goods for criminal ends? Both courts also posit that the fact that the companies offered to monitor their customers’ credit information and provide identity-theft protection for a year is a concession by defendants that there is a substantial risk of harm.
Notably, neither of these cases include the last sentence of the footnote, which states that in order to establish the “substantial risk of harm” parties “cannot rely on speculation about the unfettered choices made by independent actors not before the court.”19 This directly suggests that potential future actions by hackers cannot be used to confer standing. When combined with Clapper’s “certainly impending” language, it appears that increased risk of harm by itself should fail to achieve Article III standing. By ignoring the entirety of footnote 5, however, courts continue to allow these cases to proceed.
The 9th Circuit goes even further. In Krottner, a case decided before Clapper, the Circuit held that so long as the plaintiffs faced “a credible threat of harm” they satisfied the first prong of the standing requirement.20 In that case, a Starbucks laptop with the private information of 97,000 employees was stolen. Starbucks ensured the employees that the corporation would pay for all credit monitoring expenses. The plaintiffs took advantage of the Starbucks program, and did not experience any financial harm.21 Nevertheless, the Court held that the taking of the laptop with personal information was sufficient to satisfy Article III because the plaintiffs’ personal information was wrongly disseminated.22 This standard does not appear to be compatible with Clapper. One post-Clapper court (in a different jurisdiction) went so far as to say that “an increased risk or credible threat of impending harm is plainly different from certainly impending harm, and certainly impending harm is what the Constitution and Clapper require.” 23 Yet Krottner is still good law in the 9th Circuit. The court in Re Sony Gaming Network rejected the notion that Clapper had increased the Article III burden, and held that the wrongful disclosure of private information by defendant was a credible threat of impending harm.24 In at least these three jurisdictions, the increased risk of identity theft permits the plaintiffs to establish Article III standing despite Supreme Court language to the contrary.
Other circuits have interpreted the “certainly impending” standard differently and rejected claims that simply plead the increased risk of identity theft. In Peters from the 5th Circuit, a hospital computer was hacked, causing sensitive information from 405,000 patients to be stolen.25 The plaintiff in the case contended that after the breach there was a fraudulent attempt to use her card, that her email sent out spam messages, and that she received unsolicited marketing materials that pertained to her medical condition.26 Nonetheless, the Court held that the plaintiff’s claim was akin to the attenuated circumstances in Clapper that the Supreme Court prohibited. The Court noted that the plaintiff could not articulate a single harm without using the word ‘if.’27 Unlike the courts cited above, the Peters courtrefused to see the possession of plaintiffs’ data as per se certain imminence. Rather, the harm was still merely speculative and hypothetical; there has to be concrete action.28
In Storm from the 3rd Circuit, defendant was a payroll processor company who had the personal information of 233,000 customers stolen from their computer systems.29 Without doubting that the hackers took the information for malevolent purposes, the court stated that “[plaintiffs] have not alleged that their bank accounts have been accessed, that credit cards have been opened in their names, or that unknown third parties have used their Social Security numbers to impersonate them and gain access to their accounts.”30 The Court also noted that it had been over a year since the breach, and the plaintiffs could not point to one example of fraudulent activity. The Judge mused that this was proof that waiting for actual harm to emerge for standing was wise.31 These latter two cases have substantially similar fact patterns to the circuit cases above. The federal system is in a fundamental disagreement over whether an increased risk of identity theft should get a potential plaintiff over the Article III hurdle. Clapper has not decided this issue.
Injury in Fact & Monitoring / Mitigation / Sorting it Out Costs
Another common claim brought by litigants in data breach situations is the desire to be compensated for all of the costs associated with reacting to being put on notice to a potential breach. These are referred to as “sorting it out” or “mitigation” costs. This makes sense. We want those who believe they are at risk of identity theft to take precautionary measures. Increased monitoring of accounts, alerting banks and ordering new payment cards are all rational methods to prevent harm. Under what circumstances these costs should be considered an injury-in-fact, however, is another matter. Once again, Clapper provides some insight, but has not reconciled the circuits.
The plaintiffs in Clapper argued that they were suffering ongoing injuries by spending significant sums of money to avoid government surveillance. The 2nd Circuit found that because these costs were ‘fairly traceable’ to the alleged unconstitutional conduct, and that the fear was not fanciful or paranoid, the plaintiffs had demonstrated an injury in fact.32 The Supreme Court disagreed. Rather, the Court held that because the plaintiffs’ harm was not certainly impending, they “cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm.”33 As a result, if a Court makes a determination that a given plaintiff’s alleged harm is not certainly impending, then she is precluded from claiming injury based on the money she spent to mitigate her harm. In the data breach context, this means that if an individual (or class) is alerted about a potential breach, and takes advisable steps to mitigate potential harm, standing is predicated upon injury in fact being established elsewhere.
Unsurprisingly then, in the Storm case cited above, the Court held that the plaintiffs could not earn standing by showing that they had incurred expenses as a direct result of the admitted breach.34 The Court, after admitting this appeared to be a harsh result for consumers, elaborated:
Despite many companies’ best efforts and tremendous expense to secure and protect their data systems, an industrious hacker every so often may find a way to access their data. Millions of people, out of reasonable fear and prudence, may decide to incur credit monitoring costs and take other preventive steps, which the hacked companies often freely provide. However, for a court to require companies to pay damages to thousands of customers, when there is yet to be a single case of identity theft proven, strikes us as overzealous and unduly burdensome to businesses. There is simply no compensable injury yet, and courts cannot be in the business of prognosticating whether a particular hacker was sophisticated or malicious enough to both be able to successfully read and manipulate the data and engage in identity theft.35
This passage is a logical articulation behind the portion of the federal court system that applies the Clapper test more stringently. Conversely, for the courts that found an increased risk of identity theft to suffice for standing, the question of whether monitoring costs were also valid “easily qualifies as a concrete injury.”36
Standard Going Forward
These differences in application of Article III standing should be corrected by the Supreme Court. Data breaches reflect the modern, cloud-based world. Often, massive companies are the target of hackers.37 Consumers who are impacted nationwide should not be able to survive an Article III standing challenge based on fortuitous circumstances such as the companies’ principal place of business. Rather, a uniform rule should be promulgated by the Supreme Court that properly allocates risk between consumers and companies. In her recently published law review note, Megan Dowty argues that standing should only be recognized when a plaintiff has alleged actual and unremedied harm.38 Here, neither increased risk of identity theft, nor reimbursed monitoring costs would pass Article III muster. This standard would be in line with Clapper and would encourage companies to offer their consumers identity theft protection.
As Dowty points out, if a court like Krottner were to award the plaintiffs damages based upon the increased risk of identity theft (an immediate question of how these would be calculated comes to mind) what would stop the hackers from later using the stolen data to commit identity fraud?39 Could the plaintiffs come back to court and sue the company again? The wiser course of action would be for plaintiffs to wait for an actual uncompensated injury to occur to bring suit so that damages can be accurately calculated. The Supreme Court should make explicitly clear what they had appeared to hold in Clapper; mere increased risk of identity theft is not a sufficiently pled injury-in-fact to survive Article III standing requirements.
Furthermore, consumers should be able to establish standing by alleging reasonable unremedied monitoring costs. This will incentivize consumers to act prudently when faced with a potential breach, and will encourage companies to provide immediate protective services to their clients. The latter is true because if companies know that they can get lawsuits dismissed at the pleading stage by offering credit monitoring and fraud protection, it will be cost-effective to do so. Most companies already do this. In Remijas, Krottner, Sony, St. Josephs, and Galaria, all of the defendant companies gave the victims a free year of services. Instead of holding these programs against the company like in Galaria and Remijas,40 41 the company should be rewarded. Liability aside, data breaches are a public relations nightmare for companies42 and encouraging cooperation between the sides may help restore goodwill. Finally, by forcing companies to pay for their customers’ reasonable mitigation expenses, the harsh result in Storm can be avoided. It is reasonably foreseeable, after all, that if companies allow a nefarious third party to access private information, the victims will incur costs to mitigate that harm. The company should be responsible for those costs.
From retail stores, to hospitals, to the presidential election, data breaches are an intractable part of modern life. The repercussions from a breach can be serious and millions of consumers are affected every year. The legal system is a key player in defining how society approaches a data breach. Currently, the system is not operating as efficiently or uniformly as it could. Circuit courts are split on crucial Article III standing issues, such as whether increased risk of identity theft and reasonable mitigation expenses are sufficient injuries-in-fact to confer standing. This causes arbitrary forum shopping and frustrates the ability of both parties to set reasonable expectations. Supreme Court intervention is therefore necessary. By ruling that increased risk of injury is too speculative, but that reasonable mitigation expenses are recoverable, the Court will properly allocate risk amongst the parties and create proper incentives for both sides.
Jared Finkle & David Henry, Saks, Lord & Taylor Hit by Payment Card Data breach, Reuters (Apr. 3, 2018, 12:38PM), https://www.reuters.com/article/legal-us-hudson-s-bay-databreach/saks-lord-taylor-hit-by-payment-card-data-breach-idUSKCN1H91W7. ↩
Chloe Aiello, Under Armour Says Data Breach Affected About 150 Million MyFitnessPal Accounts, CNBC (Mar. 29, 2018, 4:38 PM), https://www.cnbc.com/2018/03/29/under-armour-stock-falls-after-company-admits-data-breach.html. ↩
Joseph Muniz, Responding to Real-World Cyber Threats, Cisco Press (Feb. 16, 2016), http://www.ciscopress.com/articles/article.asp?p=2481826. ↩
Identity Theft Res. Cenr., 2017 Annual Data Breach Year-End Review, 3 (2018), https://www.idtheftcenter.org/images/breach/2017Breaches/2017AnnualDataBreachYearEndReview.pdf. ↩
Id. at 5. ↩
Matt Tatham, Identity Theft Statistics, Experian (Mar. 15, 2018), https://www.experian.com/blogs/ask-experian/identity-theft-statistics/. ↩
Brian Krebs, AshleyMadison: 500K Bounty for Hackers, (Aug. 24, 2015), https://krebsonsecurity.com/tag/ashley-madison-extortion/. ↩
Lorie Konish, Here’s What You Should Do After the Lord & Taylor, Saks Fifth Avenue Data Breach, CNBC (Apr. 2, 2018, 2:59 PM), https://www.cnbc.com/2018/04/02/what-to-do-after-the-lord-taylor-saks-fifth-avenue-data-breach.html (see video). ↩
U.S. Const. art. III, § 2. ↩
Clapper v. Amnesty Int’l USA, 568 U.S. 398, 409 (2013). ↩
Id. at 401. ↩
Id. at 402. ↩
Peters v. St. Joseph Services Corp., 74 F. Supp. 3d 847, 856 (S.D. Tex. 2015). ↩
See Galaria v. Nationwide Mut. Ins. Co., 663 Fed. Appx. 384, 388 (6th Cir. 2016);Remijas v. Neiman Marcus Grp. LLC, 794 F.3d 688, 693 (7th Cir. 2015). ↩
Clapper,568 U.S. at 414 n.5. ↩
Galaria, 663 Fed. Appx. at 389-90; Remijas, 794 F.3d at 693. ↩
Clapper, 568 U.S. at 414 n.5. ↩
Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010). ↩
Id. at 1141. ↩
Id. at 1143. ↩
In re SIAC Backup Tape Data Theft Litig., 45 F.Supp.3d 14, 28 (D.D.C. 2014). ↩
In re Sony Gaming Networks, 996 F. Supp. 2d 942, 962 (S.D. Cal. 2014). ↩
Peters, 74 F. Supp. 3d at 850. ↩
Id. at 850-51. ↩
Id. at 854. ↩
Storm v. Paytime, Inc., 90 F. Supp. 3d 359, 361 (M.D. Pa. 2015). ↩
Id. at 366. ↩
Id. at 366-67. ↩
Clapper,568 U.S. at 1141. ↩
Id. at 416. ↩
Storm, 90 F. Supp. 3d at 367; see also Peters, 74 F. Supp. 3d atn.11. ↩
Id. at 368. ↩
Remijas, 794 F.3dat 694. ↩
Kevin McCoy, Target to Pay $18.5M for 2013 Data Breach that Affected 41 Million Consumers, Usa Today (May 23, 2017, 4:10 PM), https://www.usatoday.com/story/money/2017/05/23/target-pay-185m-2013-data-breach-affected-consumers/102063932/. ↩
Megan Dowty, Note, Life is Short. Go to Court: Establishing Article III Standing in Data Breach Cases, 90 S. Cal. L. Rev. 683, 701-702 (2017). ↩
Id. at 702. ↩
Galaria, 663 Fed. Appx. at 388 ↩
Remijas, 794 F.3d at 694. ↩
Elizabeth A. Harris, Data Breach Hurts Profit at Target, N.Y. Times (Feb. 26, 2014), https://www.nytimes.com/2014/02/27/business/target-reports-on-fourth-quarter-earnings.html. ↩