Standing In Data Breach Class Actions: The Fourth Circuit Weighs In, Affirming Dismissal For Lack Of Subject Matter Jurisdiction – The U.S. Court of Appeals for the Fourth Circuit issued a unanimous opinion in Beck v. McDonald on February 6, 2017, clarifying the standard for Article III standing and what constitutes sufficient injury-in-fact in putative data breach class actions. Plaintiffs’ claims were based on the Dorn VA Medical Center’s (“VAMC”) loss of a laptop computer containing the unencrypted, confidential patient information of 7,400 patients and the loss of file boxes containing the confidential information of 2,000 hospital patients. The laptop computer and files, which have still not been found, contained patient names, social security numbers, medical diagnoses, and other identifiable patient information such as gender, race, and treating physician’s name. After the loss was discovered, VAMC officials notified affected patients of the incident and provided each with one year of free credit monitoring.
The case involves the consolidated appeal of two putative class actions filed by military veterans who received medical treatment at VAMC in Columbia, South Carolina. Plaintiffs sought both monetary damages and injunctive relief, asserting claims under the Privacy Act of 1974, 5 U.S.C. § 552(a) et seq. and the Administrative Procedures Act (“APA”), 5 U.S.C. § 701 et seq.
In both cases, the plaintiffs attempted to establish Article III standing — and in particular injury-in-fact — based on a long list of potential damages that could arise as a result of VAMC’s loss of patient information, including “embarrassment, inconvenience, unfairness, mental distress, and threat of current and future substantial harm from identity theft or misuse of their personal information.” Plaintiffs further contended that the increased risk of identity theft or healthcare fraud required them to take costly and time-consuming affirmative actions in order to protect themselves, such as frequently reviewing bank statements and credit reports, and that these reciprocal actions also constituted injury-in-fact.
In Beck, filed first, the district court denied the defendants’ first motion to dismiss, permitting discovery to allow the plaintiffs an opportunity and more time to establish sufficient injury-in-fact. After extensive discovery, the district court granted the defendants’ renewed motion to dismiss for lack of subject matter jurisdiction, holding that the Beck plaintiffs lacked standing because they had “not submitted evidence sufficient to create a genuine issue of material fact as to whether they face a ‘certainly impending’ risk of identity theft.” The district court then dismissed Watson v. McDonald, a case filed after Beck, applying the same line of reasoning but without permitting discovery. Plaintiffs in both cases appealed the district court’s findings of no injury-in-fact to the Fourth Circuit.
The Fourth Circuit affirmed the dismissal of both cases for lack of subject matter jurisdiction, holding that the plaintiffs’ alleged harm was too speculative and hypothetical to establish the required “certainly impending” injury-in-fact for standing. The court affirmed the determination that the plaintiffs’ fear of harm based on higher risk of future identity theft was too speculative to confer standing because it was “contingent on a chain of attenuated hypothetical events and actions by third parties independent of the defendants.”
The case offers some insight for those facing potential data breach litigation, particularly in the putative class action context. Although not all federal circuit decisions are in perfect harmony with regard to what constitutes sufficient injury-in-fact for Article III standing, an apparent consensus has emerged requiring plaintiffs to demonstrate something more than harm based on a fear of future, uncertain, or speculative injury. And while courts have recognized the possibility that risk of future harm could establish sufficiently concrete harm for standing purposes, the risk must be substantial and the harm “certainly impending.” According to the Fourth Circuit, “common allegations that suffice to push the threatened injury of future identity theft beyond the speculative to the sufficiently imminent” underlie cases finding concrete harm based on risk of future harm.
In addition, the Fourth Circuit’s opinion is a reminder that defendants should not give up on motions to dismiss for lack of subject matter jurisdiction — here, the Fourth Circuit noted approvingly the district court’s decision in Beck to deny the defendants’ first motion to dismiss, giving the plaintiffs more time and opportunity to demonstrate harm sufficient for standing. But the plaintiffs could not make such a showing. The Fourth Circuit considered the passage of time since the loss of information as significant to its decision: “[A]s the breaches fade further into the past, the plaintiffs’ threatened injuries become more and more speculative.” Lack of subject matter jurisdiction is non-waivable and, as such, is an issue that can be raised at any time in federal court proceedings — even for the first time on appeal. If plaintiffs have not established Article III standing with concrete injury-in-fact, defendants may at any time move for dismissal on that basis.
Reporter, Brittany N. Clark, Washington, D.C., +1 202 626 5528, email@example.com
Chairman McCaul Warns The United States Is Falling Behind In Cyber War – At the 2017 RSA Conference held last week in San Francisco, California, House Homeland Security Committee Chairman Michael McCaul (R-TX) was ominous in his assessment of the country’s efforts to deter cyber-attacks. In a keynote speech entitled, “The War in Cyberspace: Why We Are Losing—and How to Fight Back,” Chairman McCaul outlined several reasons why he believes the United States is falling behind and what needs to be done to reverse that trend.
Chairman McCaul noted that as the Chairman of the Homeland Security Committee, he receives briefings on cyber threats every week, and it is clear to him that “our adversaries are turning digital breakthroughs into digital bombs.”
He suggests five reasons why the United States is not winning the cyber war: (i) there are too many cyber outlaws, and law enforcement agencies are struggling to keep up with the volume and complexity of network intrusions; (ii) the speed of high tech gives cybercriminals an advantage – offensive weapons outpace defensive ones; (iii) information-sharing between government agencies, private companies and U.S. allies is too weak; (iv) deterrence is difficult; and (v) there is a paradox between national security and digital security.
Chairman McCaul says the keys to prevailing against our cyber enemies are (i) redoubling our efforts to defend private sector networks and the public, including by doing a better job recruiting cyber talent and creating a Digital Security Commission made up of the nation’s top experts to find real solutions that balance digital security with national security; (ii) defending our government institutions, critical infrastructure and our democracy, including by breaking down bureaucratic barriers that prevent companies working more closely with government, addressing critical infrastructure vulnerabilities more seriously, and striking back – with sanctions or other real-world penalties – when appropriate; and (iii) working more closely with America’s allies, including by developing clear “rules of the road” when it comes to cyber warfare and conferring with allies on major incidents and working to build mutual defenses.
While Chairman McCaul called the cyber landscape “bleak,” he also noted the United States has the “world’s greatest minds working to defend our networks.” He called 2016 a watershed year in cyberspace that made us more realistic about the danger we face and clear-eyed about what needs to be done.
The full text of Chairman McCaul’s speech can be found here.
Reporter, Lauren M. Donoghue, Washington, D.C., +1 202 626 8999, firstname.lastname@example.org
UK Government Launches National Cyber Security Centre – On Tuesday, February 14, 2017, the United Kingdom officially opened its National Cyber Security Centre (“NCSC”). The NCSC, which got off the ground starting last October, will be part of the Government Communications Headquarters (“GCHQ”), the UK’s intelligence and security arm akin to the National Security Agency in the United States.
The NCSC is designed to be the UK’s single, central body to manage cybersecurity incidents in the country and will be the UK’s hub for interagency cooperation. The NCSC expects to take the lead in responding to the most serious cybersecurity incidents, especially on critical national infrastructure, but also plans to help raise the security capability in the UK against day-to-day malicious activity.
A key aspect of the NCSC’s operation is partnership with the business community. In addition to offering guidance and training to businesses, the NCSC plans to take up to 100 seconded employees from industry. The NCSC hopes that it will take lessons from industry by bringing in these employees, and they in turn will drive change in the private sector when they return to their jobs.
As part of the NCSC’s operation, the UK government plans to invest £1.9 billion ($2.4 billion) in cybersecurity over the next five years. This spending is part of the UK’s commitment to NATO to spend 2% of its GDP on defense. The UK also signed the NATO Cyber Defense Memorandum of Understanding at the start of February, allowing it to share information and cooperate with other NATO members on cybersecurity issues and response capabilities.
Reporter, Alex Yacoub, Atlanta, +1 404 572 2758, email@example.com
ALSO IN THE NEWS
King & Spalding’s 2017 Cybersecurity & Privacy Summit—On Monday, April 24, 2017, please join the cybersecurity and privacy experts at King & Spalding for the 2017 Cybersecurity & Privacy Summit. This event is for legal and business professionals who want to participate in a discussion about the latest developments and strategies for data protection. King & Spalding will provide a registration link in the coming weeks.