Consumer data breaches are a big problem. Sophisticated thieves hack into systems we thought were secure, pilfering reams of sensitive information: names matched with social security numbers, dates of birth, bank account numbers, and more. Fraudulent credit cards are opened in the names of the innocent. Real harm ensues.
But what about more mundane cybersecurity mishaps? A stolen laptop or phone that just happens to have sensitive data on it? A cable company that keeps your data long after you have switched to internet-based TV? Sure, it is possible that a bad actor could use this data to hurt someone. But is it all that likely?
The federal courts have been wrestling with these “risk of future harm” fact patterns for years. Since 2013, they have been guided by a key Supreme Court decision on point: Clapper v. Amnesty International USA, 133 S. Ct. 1138 (2013). In Clapper, the Court considered plaintiffs’ claim that the government was likely to use the Foreign Intelligence Surveillance Act of 1978 to capture the communications of third parties overseas—persons who, in turn, were likely to have exchanged sensitive or privileged information with plaintiffs-attorneys. Plaintiffs sued to have the law declared unconstitutional.
The Supreme Court found that the plaintiffs lacked standing to sue. After all, it was not certain that the government would intercept any communications from the particular persons with connections to the plaintiffs, let alone privileged communications. In short, the alleged future injury was just too speculative to support federal jurisdiction.
Clapper reiterated the longstanding test for the increased risk of incurring such future injuries: they do not support standing unless the harm is “certainly impending.”
This week, the Fourth Circuit analyzed Clapper in depth for the first time, applying the “certainly impending” test to dismiss a data breach case for lack of standing. Beck v. McDonald, — F.3d —, 2017 WL 477781 (4th Cir. 2017). In Beck, the plaintiffs were veterans who received treatment at a VA medical center. A laptop containing protected health information was stolen from the VA. Plaintiffs instituted a putative class action against the VA and its officials, who sought dismissal on the ground that the plaintiffs lacked standing.
The Fourth Circuit agreed with the district court’s dismissal of the case. The mere possibility that plaintiffs’ information could be misused was insufficient to show some “certainly impending” harm. Nor could those plaintiffs leverage the prophylactic measure of credit monitoring to show that the future harm was real.
The Fourth Circuit recognized that some other circuits have held otherwise in the cybersecurity context and allowed similar suits to proceed. But in those cases, the Fourth Circuit reasoned, there was something more to the factual background than just anxiety about an uncertain future. Where a data thief intentionally targeted the stolen information, there is more reason to suspect that the victims will suffer real harm. It may make sense for those data breach cases to proceed, the Fourth Circuit concluded, but not for cases involving incidental access to sensitive information to move forward.