Cybersecurity Law and Theories of Harm: The Lay of the Land

Almost 2 billion files containing US citizens’ personal data were reported leaked in 2017.[1] And yet, despite the frequency of data breaches, courts have struggled to reach consensus on whether a breach gives its victims standing to sue.

Modern-day confusion traces back to Article III of the Constitution, which limits federal judicial power to “cases” and “controversies.” The Supreme Court has set out three requirements for standing to sue: the plaintiff must have “(1) suffered an injury in fact (2) that is fairly traceable to the challenged conduct of the defendant and (3) that is likely to be redressed by a favorable judicial decision.”[2] Data breach victims typically struggle to meet the first prong, an injury in fact.

To establish an injury in fact, which must be concrete and particularized and actual or imminent rather than conjectural, plaintiffs must show (a) an actual harm; (b) that the violation of a statute amounts to an injury in itself; or (c) that future harm is imminent.[3] Of course, if plaintiffs can prove actual harm by showing real dollars lost, then standing is a slam dunk. However, data breach victims typically struggle to produce evidence of actual harm, since the consequences of stolen data do not necessarily translate into monetary damages. Moreover, harm from data theft is often temporally remote and difficult to trace back to a particular breach. Plaintiffs’ attorneys are therefore left with statutory claims or a showing of imminent future harm.

In Spokeo, Inc. v. Robins, the Supreme Court said that “a bare procedural violation, divorced from any concrete harm” is not enough to establish standing.[4] But just what constitutes a concrete harm is still up for debate. The circuits have split over whether a statutory violation by itself confers standing, or whether a more particularized showing of injury is necessary.[5] The Eleventh and Third Circuits have found that an allegation of a statutory violation is enough to support an inference of concrete injury.[6] The Eighth and D.C. Circuits, however, ground their analysis in how the violation allegedly affected the plaintiff.[7]

Absent a relevant statute, plaintiffs fall back on the theory of future harm. A circuit’s receptivity to this argument turns on whether it treats the risk of harm created by a data breach as sufficiently injurious to confer standing. The Supreme Court has twice turned away standing arguments built on speculative future injury, finding an insufficient showing of concrete, imminent harm.[8] The Third Circuit has rejected future harm as a justiciable theory of standing.[9] Most other circuits operate in shades of gray, neither embracing nor rejecting the theory of future harm.[10] Within this spectrum there is substantial variability: the Sixth, Seventh, and D.C. Circuits have found standing in data breach actions based on the risk of future harm,[11] while the Second, Fourth, and Eighth Circuits have denied standing on the same theory.[12]

With the circuits in conflict and data breaches on the rise, judges and scholars must consider how to reconcile the competing approaches. On the one hand, recognizing standing on the basis of a per se statutory violation or a theory of future harm reflects a need to deter sloppy cybersecurity and to give plaintiffs a legal remedy for lost data. On the other hand, defendants should be punished and plaintiffs compensated only when the harm is substantial. Moreover, it would seem unfair to “blame the victim” by sanctioning a breached business in every case. What if its cybersecurity protections are top-of-the-line, and the breach occurred only because of a highly sophisticated attack by a well-resourced actor such as a nation-state?

In any event, time will tell how this plays out: a cert petition has already been filed in Attias v. CareFirst, appealing the D.C. Circuit’s decision in that data breach case.[13] The question presented? Whether a plaintiff has Article III standing based on a substantial risk of harm that is not imminent, where the alleged future harm requires speculation about the choices of third-party actors not before the court. If the petition is granted, the answer may well determine the future of cybersecurity litigation.

[1] https://www.infosecurity-magazine.com/news/two-billion-files-leaked-in-us-data/

[2] Spokeo, Inc. v. Robins, ___ U.S. ___, 136 S. Ct. 1540 (2016).

[3] https://lawfareblog.com/your-voter-records-are-compromised-can-you-sue-theories-harm-data-breach-litigation

[4] Spokeo, Inc. v. Robins, ___ U.S. ___, 136 S. Ct. 1540, 1549 (2016).

[5] http://www.klgates.com/files/Upload/WLF_Article.pdf

[6] Church v. Accretive Health, Inc., ___ F. App’x ___, 2016 WL 3611543 (11th Cir. 2016) (per curiam); In re Horizon Healthcare Servs. Inc. Data Breach Litig., No. 15-2309, slip op. (3d Cir. Jan. 20, 2017) (holding that any such data breach is an injury in fact, “whether or not the disclosure… increased the risk of… future harm.”).

[7] Braitberg v. Charter Communications, Inc., 836 F.3d 925 (8th Cir. 2016); Hancock v. Urban Outfitters, Inc., 830 F.3d 511 (D.C. Cir. 2016).

[8] Clapper v. Amnesty Int’l USA, 568 U.S. 398 (2013); Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016).

[9] Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011): http://www2.ca3.uscourts.gov/opinarch/111738p.pdf

[10] https://www.lawfareblog.com/standing-data-breach-actions-injury-fact

[11] Galaria v. Nationwide Mut. Ins. Co. (6th Cir. 2016); Remijas v. Neiman Marcus Group, LLC (7th Cir. 2015); Attias v. CareFirst, Inc. (D.C. Cir. 2017).

[12] Beck v. McDonald (4th Cir. 2017); In re SuperValu, Inc. (8th Cir. 2017).

[13] http://classifiedclassaction.com/wp-content/uploads/2017/11/CareFirst-Petition.pdf