The U.S. Court of Appeals for the Fourth Circuit issued a unanimous opinion in Beck v. McDonald on February 6, 2017, clarifying the standard for Article III standing and what constitutes sufficient injury-in-fact in putative data breach class actions. Plaintiffs’ claims were based on the Dorn VA Medical Center’s (“VAMC”) loss of a laptop computer containing the unencrypted, confidential patient information of 7,400 patients and the loss of file boxes containing the confidential information of 2,000 hospital patients. The laptop computer and files, which have still not been found, contained patient names, social security numbers, medical diagnoses, and other identifiable patient information such as gender, race, and treating physician’s name. After the loss was discovered, VAMC officials notified affected patients of the incident and provided each with one year of free credit monitoring.
The case involves the consolidated appeal of two putative class actions filed by military veterans who received medical treatment at VAMC in Columbia, South Carolina. Plaintiffs sought both monetary damages and injunctive relief, asserting claims under the Privacy Act of 1974, 5 U.S.C. § 552(a) et seq. and the Administrative Procedures Act (“APA”), 5 U.S.C. § 701 et seq.
In both cases, the plaintiffs attempted to establish Article III standing — and in particular injury-in-fact — based on a long list of potential damages that could arise as a result of VAMC’s loss of patient information, including “embarrassment, inconvenience, unfairness, mental distress, and threat of current and future substantial harm from identity theft or misuse of their personal information.” Plaintiffs further contended that the increased risk of identity theft or healthcare fraud required them to take costly and time-consuming affirmative actions in order to protect themselves, such as frequently reviewing bank statements and credit reports, and that these reciprocal actions also constituted injury-in-fact.
In Beck, filed first, the district court denied the defendants’ first motion to dismiss, permitting discovery to allow the plaintiffs an opportunity and more time to establish sufficient injury-in-fact. After extensive discovery, the district court granted the defendants’ renewed motion to dismiss for lack of subject matter jurisdiction, holding that the Beck plaintiffs lacked standing because they had “not submitted evidence sufficient to create a genuine issue of material fact as to whether they face a ‘certainly impending’ risk of identity theft.” The district court then dismissed Watson v. McDonald, a case filed after Beck, applying the same line of reasoning but without permitting discovery. Plaintiffs in both cases appealed the district court’s findings of no injury-in-fact to the Fourth Circuit.
The Fourth Circuit affirmed the dismissal of both cases for lack of subject matter jurisdiction, holding that the plaintiffs’ alleged harm was too speculative and hypothetical to establish the required “certainly impending” injury-in-fact for standing. The court affirmed the determination that the plaintiffs’ fear of harm based on higher risk of future identity theft was too speculative to confer standing because it was “contingent on a chain of attenuated hypothetical events and actions by third parties independent of the defendants.”
The case offers some insight for those facing potential data breach litigation, particularly in the putative class action context. Although not all federal circuit decisions are in perfect harmony with regard to what constitutes sufficient injury-in-fact for Article III standing, an apparent consensus has emerged requiring plaintiffs to demonstrate something more than harm based on a fear of future, uncertain, or speculative injury. And while courts have recognized the possibility that risk of future harm could establish sufficiently concrete harm for standing purposes, the risk must be substantial and the harm “certainly impending.” According to the Fourth Circuit, “common allegations that suffice to push the threatened injury of future identity theft beyond the speculative to the sufficiently imminent” underlie cases finding concrete harm based on risk of future harm.
In addition, the Fourth Circuit’s opinion is a reminder that defendants should not give up on motions to dismiss for lack of subject matter jurisdiction — here, the Fourth Circuit noted approvingly the district court’s decision in Beck to deny the defendants’ first motion to dismiss, giving the plaintiffs more time and opportunity to demonstrate harm sufficient for standing. But, the plaintiffs could not make such a showing. The Fourth Circuit considered the passage of time since the loss of information as significant to its decision: “[A]s the breaches fade further into the past, the plaintiffs’ threatened injuries become more and more speculative.” Lack of subject matter jurisdiction is non-waivable and, as such, is an issue that can be raised at any time in federal court proceedings — even for the first time on appeal. If plaintiffs have not established Article III standing with concrete injury-in-fact, defendants may at any time move for dismissal on that basis.