Key point: Courts are concluding that not all data breaches should result in a lawsuit. When responding to an incident, businesses need to consider causation and damages, and take steps to determine whether there is any evidence of harm or of traceability to the incident, including on a class-wide basis.

Since the first data breach lawsuits were filed in 2005, Article III standing has been a central issue. The U.S. Court of Appeals for the Fourth Circuit recently addressed the ongoing question of Article III standing for claimed injuries in a data breach lawsuit. This decision is the latest in a long string of recent decisions that grapple with what harm a plaintiff must allege to satisfy the Constitution’s threshold requirement of “concrete injury” in the context of unauthorized access to data.

In providing its latest guidance on this issue, the Fourth Circuit found standing for certain plaintiffs and dismissed others. Those plaintiffs who lacked standing simply alleged unauthorized data access, along with several derivative forms of “injury” typically seen in the flood of complaints being filed. Those plaintiffs who sufficiently alleged standing pled active public disclosure of highly sensitive breached data on the “dark web,” alleging that such dark web publication was specifically traceable to the breach at issue.

In reaching this decision, the Fourth Circuit continued to affirm its prior holdings that mere unauthorized access is not enough for standing, while charting a narrow path for certain plaintiffs in limited circumstances. This decision is consistent with other recent decisions identifying what must be alleged and proven to bring data breach cases in federal courts.

Background

An insurance company, along with its affiliates, faced a data breach between March 26 and April 1, 2022, compromising the driver’s license numbers of nearly 3 million customers. The breach allegedly occurred through the exploitation of the company’s online quoting platform, which auto-populated certain information. Following the breach, the insurance company offered a year of free credit monitoring to the customers affected. The plaintiffs filed a consolidated class action, claiming various injuries, including time spent monitoring credit and increased risk of identity theft. The district court dismissed the complaint, finding that none of the alleged injuries were sufficient to confer standing. The Fourth Circuit disagreed as to two named plaintiffs who alleged their driver’s license information appeared on the dark web, but it affirmed the dismissal as to the other two plaintiffs.

Holding

The court’s decision hinged on the constitutional requirement of standing, as most recently explained by the Supreme Court in TransUnion LLC v. Ramirez, which demands a concrete and particularized injury that is “actual” or “imminent.” To determine whether intangible harm like personal data loss is sufficiently concrete and particularized, the court emphasized that an injury must bear a close relationship to harms traditionally recognized in American courts. The plaintiffs argued that their harms were akin to the tort of public disclosure of private information.

Judge Richardson, writing for the panel, noted that the harm suffered by two of the plaintiffs was sufficiently concrete because they alleged they found their driver’s license numbers on the dark web in a publication traceable to the breach, making “information they justifiably prefer to tightly control” publicly accessible to many. The situation was analogous to the tort of public disclosure of private information, which protects against the widespread dissemination of sensitive personal data. The court stated, “having one’s information compromised by a data breach is a harm that is both particularized, by affecting each individual personally, and actual, by occurring in reality.” Thus, for these two plaintiffs whose information was allegedly found on the dark web, their public disclosure theory of harm was sufficiently concrete. By contrast, the court found that the other two named plaintiffs did not demonstrate a concrete injury because there was no allegation the hackers had shared their stolen information with any members of the public or on the dark web.

The court dismissed all four plaintiffs’ claims of other harm typically seen in data breach complaints, including risk of future harm, alleged expended time and resources, and claimed emotional distress. Citing the Supreme Court’s decision in Clapper v. Amnesty International USA, the court emphasized that plaintiffs “cannot manufacture standing by choosing to make expenditures based on hypothetical future harm that is not imminent.”

Conclusion

The law of standing continues to develop, but Justice Kavanaugh’s clear admonition in Ramirez – “no concrete harm, no standing” – has led many courts to recognize that most of the harms commonly alleged by plaintiffs in data breach cases based on self-imposed mitigation costs or fear of speculative future injuries are not sufficiently concrete to satisfy Article III. The Fourth Circuit’s decision highlights the necessity for plaintiffs to demonstrate more than speculative injuries from “mere data access.” It provides clear guidance for lower courts that allegations of actual harm are required, such as specific allegations of public disclosure of highly sensitive data specifically traceable to the incident at issue. The ruling clarifies that the mere risk of future harm, without evidence of actual public disclosure or imminent misuse, is insufficient to meet the stringent requirements of Article III standing. Despite allowing certain plaintiffs to proceed past the pleading stage, however, there will surely be factual discovery on whether the surviving plaintiffs will be able to prove at the summary judgment stage – with actual evidence – that the information available on the dark web can be attributable to this specific data breach, as alleged.

In light of this decision and similar recent rulings, businesses facing cybersecurity incidents need to be prepared for these arguments. The litigation trend is alarming. Once an incident is announced, there is a race to be the first to file, and then a race to file the most complaints with the greatest number of plaintiffs, all with the goal of becoming lead plaintiffs’ counsel, and often without any diligence to determine whether any of those plaintiffs have a concrete injury.

Businesses need to be aware of this trend and prepare accordingly. The proper forensic data can be critical. While many focus on how the threat actor got into the environment, it is just as critical to know not only what data was accessed (as required by many breach notification statutes) but also what information was exfiltrated. Likewise, dark web and deep monitoring are important not only when negotiating with a ransomware threat actor, but also when defending against the inevitable complaint. Applying these lessons early in the incident response process, by investigating and documenting the absence of concrete harm, can be pivotal in future lawsuits.

Taken together, this decision and similar recent rulings mean that businesses facing cybersecurity incidents should be aware that a well-documented record of no real, concrete harm caused by the breach may prevent or reduce future litigation. Troutman Pepper Locke’s attorneys are ready and able to provide a wealth of experience and creative strategies for navigating the incident response gauntlet, including implementing important early steps to investigate and document a lack of concrete harm that could be pivotal in future lawsuits.