The U.S. Court of Appeals for the Fourth Circuit has found that allegations that fraudsters used the personal information of data breach victims are sufficient to establish standing even without any fraudulent charges actually being incurred. The June 12 ruling in Hutton v. National Board of Examiners in Optometry does not require that plaintiffs allege actual economic loss to establish Article III standing, making it much more likely for data breach plaintiffs to survive a motion to dismiss for lack of subject matter jurisdiction.
In 2016, optometrists around the country discovered that Chase Amazon Visa credit card accounts, which required the use of an applicant’s correct social security number and date of birth, were being fraudulently opened in their names. Based on discussions in online chat groups, the victims determined that the only common source to which they had provided their personal information was the National Board of Examiners in Optometry. All the affected optometrists had provided their personal information to the NBEO in order to sit for board-certifying examinations.
In response to their concerns, the NBEO initially released a statement that its information systems had not been compromised. The NBEO later revised its earlier statement with a cryptic message that its internal review was still ongoing but that the victims should remain vigilant in checking their credit.
Three optometrists filed two class action complaints asserting claims for negligence, breach of contract, breach of implied contract, unjust enrichment and other state claims against the NBEO for its alleged failure to safeguard their personal information. Chase Amazon Visa credit card applications had been fraudulently submitted on behalf of all three plaintiffs. Two of the applications were in names that two of the plaintiffs no longer used (i.e., a maiden name and an earlier married name) but had submitted to the NBEO years earlier. All three plaintiffs alleged that they had spent time and money putting credit freezes in place or monitoring their credit.
Relying on Beck v. McDonald, the district court dismissed both complaints for lack of subject matter jurisdiction, holding that plaintiffs had failed to establish Article III standing. The district court found that plaintiffs had not adequately alleged an injury-in-fact because they had not incurred fraudulent charges, been denied credit or been required to pay a higher interest rate for the credit they had received. In addition, the district court found that any alleged injury that plaintiffs possessed was not traceable to the NBEO because the NBEO had not acknowledged, nor had plaintiffs established, that a data breach occurred. The plaintiffs appealed the judgments of dismissal and the appeals were consolidated.
The Fourth Circuit vacated the district court’s judgments and remanded the case, concluding that the “standing elements of injury-in-fact and traceability are both sufficiently alleged in the complaints.”
The Fourth Circuit began its analysis by observing that, to establish standing, a plaintiff must allege that they have “(1) suffered an injury-in-fact; (2) that is fairly traceable to the challenged conduct of the defendant; and (3) that is likely to be redressed by a favorable judicial decision.”
To establish an injury-in-fact, plaintiffs must show that they have suffered “an invasion of a legally protected interest” that is “concrete and particularized” and “actual or imminent, not conjectural or hypothetical.” In Beck, the Fourth Circuit affirmed the dismissal of a data breach complaint based on a lack of standing, holding that the plaintiffs had not alleged an injury-in-fact because even though a laptop and boxes containing their personal information had been stolen, none of that information was ever misused. The Fourth Circuit distinguished Beck, observing that the Beck plaintiffs alleged only a speculative threat of future injury, whereas the plaintiffs in the present case alleged that they had already suffered actual harm as “the fraudsters used – and attempted to use – the plaintiffs’ personal information to open Chase Amazon Visa credit card accounts without their knowledge or approval.”
The court distinguished Beck in another way. Noting that “incurring costs for mitigating measures to safeguard against future identity theft may not constitute an injury-in-fact when that injury is speculative,” the Fourth Circuit held that, in the present case, “[b]ecause the injuries alleged by the plaintiffs are not speculative, the costs of mitigating measures to safeguard against future identity theft support the other allegations and together readily show sufficient injury-in-fact[.]”
Addressing the issue of whether the plaintiffs’ injuries were traceable to the NBEO’s conduct, the Fourth Circuit found that “[t]he complaints contain allegations demonstrating that it is both plausible and likely that a breach of the NBEO’s database resulted in the fraudulent use of the plaintiffs’ personal information, resulting in their receipt of unsolicited Chase Amazon Visa credit cards.” The court noted that “the plaintiffs allege that, amongst the group of optometrists, the NBEO is the only common source that collected and continued to store social security numbers that were required to open a credit card account, and also stored outdated personal information (such as maiden names and former married names), during the relevant time period,” thereby “render[ing] the plaintiffs’ allegations plausible on their face with respect to traceability.”
The NBEO decision has significant implications for data breach cases, lowering the pleading bar for two of the three requirements for standing. By holding that data breach plaintiffs do not have to plead actual economic loss to establish standing but instead need only allege that fraudsters used or attempted to use their stolen personal information, the Fourth Circuit has narrowed the scope of Beck and made it easier for such plaintiffs to establish standing and withstand a motion to dismiss. Moreover, by finding that the alleged use or attempted use of stolen personal information constituted actual or imminent harm, the NBEO decision enables data breach plaintiffs to use mitigation costs, such as those incurred in obtaining a credit freeze or credit monitoring services, to establish an actual injury-in-fact.
In addition, the NBEO decision establishes that the traceability requirement for standing can be satisfied even if the company or organization that is allegedly the victim of the data breach does not acknowledge, or even denies, the existence of a breach. Under the NBEO decision, data breach plaintiffs need only plead facts that make it facially plausible that a breach occurred and that plaintiffs’ injuries are “fairly traceable” to that breach.