I. Introduction
The U.S. Supreme Court denied review in 2012 to thousands of individuals whose data was breached who were alleging increased harm of identity theft and seeking to reverse the U.S. Court of Appeals for the Third Circuit’s decision to deny them standing in Reilly v. Ceridian Corp. [1: Reilly v. Ceridian Corp., 132 S. Ct. 2395 (2012); 94 Privacy Law Watch, 5/16/12, 11 PVLR 833, 5/21/12, 17 ECLR 925, 5/23/12.] In so doing, the Supreme Court declined a valuable opportunity to address the Third Circuit’s flawed renunciation of the parallels between data breach, medical monitoring and toxic tort cases. [2: 664 F.3d 38, 44-46 (3d Cir. 2011); 240 Privacy Law Watch, 12/14/11, 10 PVLR 1859, 12/19/11, 12 CLASS 1167, 12/23/11, 16 ECLR 2018, 12/14/11, cert denied, 132 S. Ct. 2395 (2012).] Such renunciation erred in conspicuously excluding from its calculus two critical injuries present in all three types of cases: heightened “at risk” status and fear of future harm. These injuries, this article argues, ought to have sufficed for Article III standing in Reilly.
This article proceeds in four parts. It first summarizes the injury-in-fact standing requirement. Next, it introduces the circuits’ divergent approaches to analogizing data breach, medical monitoring, and toxic tort cases. An illustration of the critical oversight the Third Circuit made in mistakenly rejecting these analogies follows. It concludes by urging that the present injuries of “at risk” status and fear of future harm be given their due consideration in the standing calculus.
II. Defining ‘Injury-in-Fact’
The Supreme Court has interpreted Article III’s “case-or-controversy requirement” to limit the federal courts’ jurisdiction to cases in which the plaintiff has demonstrated standing. [3: See Allen v. Wright, 468 U.S. 737, 751 (1984).] This demonstration requires, among other things, a showing of “injury in fact.” [4: Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167, 180-81 (2000).] Put simply, an injury-in-fact is an “invasion of a legally protected interest.” [5: Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992) (internal quotation marks omitted).] This invasion must be “particularized” and “actual or imminent,” [6: Friends of the Earth, 528 U.S. at 180-81.] “concrete in both a qualitative and temporal sense.” [7: Whitmore v. Arkansas, 495 U.S. 149, 155 (1990).] Notably, an injury-in-fact need not have already occurred. Rather, even “threatened injury constitutes ‘injury in fact,’” [8: Cent. Delta Water Agency v. United States, 306 F.3d 938, 947 (9th Cir. 2002).] provided it is “certainly impending” [9: Clapper v. Amnesty Int’l USA, 133 S. Ct. 1138, 1143 (2013).] and “proceed[s] with a high degree of immediacy, so as to reduce the possibility of deciding a case in which no injury would have occurred at all.” [10: Lujan, 504 U.S. at 564 n.2.]
III. Drawing (and Rejecting) Analogies
In applying the above definition in data breach cases, courts have historically looked to its application in medical monitoring, toxic tort and environmental injury cases as a guide. [11: Krottner v. Starbucks Corp., 628 F.3d 1139, 1142-43 (9th Cir. 2010); Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 634 n.3 (7th Cir. 2007).] This article focuses on the first two of these types of cases: medical monitoring and toxic tort cases. In just the last decade, the U.S. Courts of Appeals for the Seventh [12: Pisciotta, 499 F.3d at 634 n.3.] and Ninth [13: Krottner, 628 F.3d at 1142-43.] Circuits have analogized medical monitoring and toxic tort cases with data breach cases in holding that, put simply, “the injury-in-fact requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm.” [14: Pisciotta, 499 F.3d at 634.] While the Seventh Circuit relegated these parallels to a footnote, [15: Id. at 634 n.3.] the Ninth Circuit took the liberty of elucidating them more fully. [16: Krottner, 628 F.3d at 1142-43.]
In denying standing to data breach victims alleging “an increased risk of identity theft,” the Third Circuit in Reilly v. Ceridian Corp. [17: 664 F.3d 38 (3d Cir. 2011).] dismissed the Seventh and Ninth Circuits’ parallels as “skimpy rationale.” [18: Id. at 43-44.] Its strikingly robust yet cursory dismissal was predicated on the assertions that medical monitoring and toxic tort cases involve “injury [that] has undoubtedly occurred” and “hinge[] on human health concerns.” [19: Id. at 45.] Data breach victims alleging no misuse, the court distinguished, have endured “no change in the status quo;” their “credit card statements are exactly the same” as they would have been sans breach. [20: Id.] Such distinctions led the court to mistakenly conclude that the plaintiffs had “yet to suffer any harm.” [21: Id. at 43.]
IV. Two Fundamental Injuries The Third Circuit Failed to Consider
In drawing such superficial distinctions, the Reilly court failed to recognize two fundamental injuries that the plaintiffs—like plaintiffs in medical monitoring and toxic tort cases—had suffered: (1) heightened “at risk” status and (2) fear of future injury.
A. “At Risk” Status as Injury-in-Fact
A number of courts have granted standing to toxic exposure and medical monitoring victims after reframing their heightened risk of disease as a present, rather than future, injury. [22: See id. at 45; Jeremy Gaston, Note, Standing on its Head: The Problem of Future Claimants in Mass Tort Class Actions, 77 Tex. L. Rev. 215, 229-30 (1998).] Indeed, some “circuits have had no trouble understanding the injurious nature of risk itself.” [23: Friends of the Earth, Inc. v. Gaston Copper Recycling Corp., 204 F.3d 149, 160 (4th Cir. 2000).] The court in In re “Agent Orange” Prod. Liab. Litig., [24: 996 F.2d 1425 (2d Cir. 1993), overruled in part on other grounds by Syngenta Crop Prot., Inc. v. Henson, 537 U.S. 28 (2002).] for example, allowed standing based not on the plaintiffs’ increased risk of future disease after their exposure to Agent Orange, but rather on their present status of being “at risk” for developing such disease. [25: Id. at 1434.] Similarly, in Sutton v. St. Jude Med. S.C., Inc., [26: 419 F.3d 568 (6th Cir. 2005).] it was sufficient for a plaintiff who had a defective valve implanted in his heart to show an “increased risk of harm when comparing those individuals implanted with the device to those undergoing traditional surgery.” [27: Id. at 575 (noting that, though plaintiff was able to show a seven hundred percent increase in risk, such a precise showing was unnecessary).]
Protective measures an individual takes to protect herself from such risk, however, would be insufficient to establish standing. The Court recently clarified in Clapper v. Amnesty Int’l [28: 133 S. Ct. 1138 (2013).] that “costly and burdensome measures” taken to protect oneself from “the risk of surveillance” are insufficient to establish standing. [29: Id. at 1151.] These measures, the Court reasoned, are simply not impending. [30: See supra note 9 and accompanying sources.] Allowing plaintiffs to “manufacture standing” based on this sort of “reasonable reaction to a risk of harm,” the Court reasoned, “improperly waters down the fundamental requirements of Article III.” [31: Id.]
The logic of harm by “at risk” status also applies in data breach cases. As a result of a hack, its victims endure an exacerbation of their “at risk” status for identity theft. [32: See Miles L. Galbraith, Comment, Identity Crisis: Seeking a Unified Approach to Plaintiff Standing for Data Security Breaches of Sensitive Personal Information, 62 Am. U. L. Rev. 1365, 1387 (2013).] While such exacerbation may not immediately manifest itself in the victims’ credit card statements, it is nonetheless actual and imminent. Indeed, as one court noted, “the risk that Plaintiffs’ personal data will be misused by the hackers who breached [the] network is immediate and very real.” [33: In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1214 (N.D. Cal. 2014).] Prior to a hack, the risk of identity theft is null. Afterwards, it is necessarily greater. As the Seventh Circuit aptly noted, once plaintiffs have established heightened “at-risk” status, “the fact that [they] anticipate that some greater potential harm might follow … does not affect the standing inquiry.” [34: Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 634 (7th Cir. 2007).]
Protective measures taken as a result of the heightened risk of imminent identity theft or fraud could also, despite Clapper, contribute to data breach victims’ injury-in-fact. The court in Remijas v. Neiman Marcus Group [35: 794 F.3d 688 (7th Cir. 2015); 84 U.S.L.W. 117, 8/4/15, 139 Privacy Law Watch, 7/21/15, 16 CLASS 797, 7/24/15, 14 PVLR 1351, 7/27/15, 20 ECLR 1053, 7/29/15, 24 HLR 998, 7/30/15.] noted that mitigation expenses taken as a result of “speculative harm based on something that may not even have happened” are distinct from those taken to protect from the very real and imminent risk of harm many data breaches present. [36: Id. at 694 (finding standing on the basis of a “substantial risk of harm” and accompanying “mitigation expenses”).] To not recognize this distinction, the court maintained, would be “to overread Clapper.” [37: Id.] Other courts, meanwhile, read Clapper to preclude standing on the basis of preventive costs. [38: See, e.g., Strautins v. Trustwave Holdings, Inc., 27 F. Supp. 3d 871, 876 n.9 (N.D. Ill. 2014); 55 Privacy Law Watch, 3/21/14, 13 PVLR 513, 3/24/14.] In In re Sci. Applications Int’l Corp. (SAIC) Backup Tape Data Theft Litig., [39: 45 F. Supp. 3d 14 (D.D.C. 2014); 13 PVLR 884, 5/19/14, 06 HITR 10, 5/19/14, 92 DER A-8, 5/13/14, 101 FCR 562, 5/13/14, 92 Privacy Law Watch, 5/13/14.] for instance, the court reasoned that, although there is “nothing unreasonable about monitoring your credit after a data breach,” Clapper simply means that the “cost of credit monitoring and other preventive measures” is not enough to establish Article III standing. [40: Id. at 26.]
The Third Circuit nonetheless neglected to employ this analysis in Reilly. [41: The Third Circuit does not stand alone in this rejection. See In re Zappos.com, Inc., Customer Data Sec. Breach Litig., 108 F. Supp. 3d 949, 955 (D. Nev. 2015) (“The majority of courts dealing with data-breach cases post-Clapper have held that absent allegations of actual identity theft or other fraud, the increased risk of such harm alone is insufficient to satisfy Article III standing.”); 108 Privacy Law Watch, 6/5/15, 14 PVLR 1035, 6/8/15, 16 CLASS 636, 6/12/15.] It isn’t true, as the Reilly court purported, that data breaches cause “no change in the status quo.” [42: Reilly v. Ceridian Corp., 664 F.3d 38, 45 (3d Cir. 2011).] As explained above, the victims of data breaches necessarily endure an increase in the risk of identity theft. This increase cannot fairly be called “entirely speculative.” [43: Id.] Indeed, as in Neiman Marcus, it is “telling” [44: Neiman Marcus, 794 F.3d at 694 (noting that an offer of a year’s credit monitoring and identity-theft protection indicates that the risk is more than “ephemeral”).] that “Ceridian arranged to provide the potentially affected individuals with one year of free credit monitoring and identity theft protection.” [45: Reilly v. Ceridian Corp., 664 F.3d 38, 40 (3d Cir. 2011).] There is a “well-established principle that harm need not have already occurred or be ‘literally certain’” to establish injury-in-fact. [46: In re Adobe, 66 F. Supp. 3d at 1215 (quoting Clapper v. Amnesty Int’l, 133 S. Ct. 1138, 1150 n.5 (2013)).] The court erred in forcing the Reilly plaintiffs to do precisely this—to wait, in the face of actual and increased risk of harm, until they have already suffered identity theft or fraud to seek protection and redress in court.
B. Fear of Identity Theft as Injury-in-Fact
Courts have additionally acknowledged a second present injury that toxic tort and medical monitoring claimants suffer: the fear of future injury. This present fear, courts reason, is itself an injury “theoretically distinct from [any] future injury.” [47: Gaston, supra note 22, at 245; see also Denney v. Deutsche Bank AG, 443 F.3d 253, 264 (2d Cir. 2006) (“An injury-in-fact may simply be the fear or anxiety of future harm.”).] In Duke Power Co. v. Carolina Envtl. Study Group, Inc., [48: 438 U.S. 59, 73 (1978).] for instance, the plaintiffs’ “present fear and apprehension” of the exposure that would result from the planned construction of a nuclear power plant in close proximity to their homes was injury-in-fact enough to establish standing. [49: Duke Power, 438 U.S. at 73.] The court in Friends of the Earth, Inc. v. Gaston Copper Recycling Corp. [50: 204 F.3d 149 (4th Cir. 2000).] likewise recognized that “reasonable fear and concern about the effects of [toxic] discharge, supported by objective evidence, directly affect [the plaintiff’s] recreational and economic interests” and thus amounts to an injury-in-fact. [51: Id. at 161.]
Data breach victims similarly suffer fear and apprehension of identity theft. They know that, should their identities be stolen, they may endure, among other problems, damaged credit, difficulty obtaining loans, harassment by debt collectors, and insecure financial accounts. [52: Joshua R. Levenson, Strength in Numbers: An Examination into the Liability of Corporate Entities for Consumer and Employee Data Breaches, 19 U. Fla. J.L. & Pub. Pol’y 95, 112–13 (2008).] Even more troubling, however, is the prospect that they may lose control over their own identities, the very essence of who they are. In light of these fears, courts have acknowledged standing for data breach victims on the basis of their fear and apprehension. In a case involving data theft, for instance, the Western District of Washington maintained that “claims of emotional distress and anxiety arising from the laptop theft are enough to satisfy Article III.” [53: Krottner v. Starbucks Corp., No. C09-0216-RAJ, 2009 BL 293725, at *6 (W.D. Wash. Aug. 14, 2009) (citing Doe v. Chao, 540 U.S. 614, 624 (2004); 3 PVLR 235, 3/1/04, 72 U.S.L.W. 1514, 3/2/04, 9 ECLR 198, 3/3/04, 5 CTLR 103, 3/5/04), affirmed 628 F.3d 1139, 1140 (9th Cir. 2010).]
Given the courts’ logic in both toxic tort and medical monitoring cases, the Reilly court erred in conspicuously neglecting to consider fear of identity theft and fraud as an injury-in-fact for Article III purposes. As detailed above, it simply missed the mark when it stated that “the thing feared lost here is simple cash.” [54: Reilly v. Ceridian Corp., 664 F.3d 38, 45-46 (3d Cir. 2011).] The Reilly plaintiffs feared a far worse outcome; they feared that pieces of information associated with their unique identities would fall subject to control and abuse of others. The very real fear associated with the risk of this sort of loss, unlike the loss of “simple cash,” frankly, cannot be “easily and precisely compensa[ted] with a monetary award.” [55: Id. at 46.] It is—as the Reilly court failed to recognize—an actual and concrete injury.
V. Conclusion
As the incidence of data breaches continues to rise, [56: Galbraith, supra note 32, at 1368.] we can expect the incidence of cases like Reilly to rise in tandem. The courts charged with resolving these cases should take heed to avoid making the same oversight the Third Circuit made; they ought to give the present injuries of “at risk” status and fear of future harm their due consideration in the Article III standing calculus.