In Hutton v. Nat’l Bd. of Exam’rs in Optometry, Inc., published on June 12, 2018, the U.S. Court of Appeals for the Fourth Circuit decided that a class of plaintiffs alleging damages related to a data breach had standing to assert their claim. While this decision does not challenge the legal test for standing developed in federal precedent, it does suggest that the bar to passing that test for plaintiffs in data breach cases is much lower than previously understood.
Fourth Circuit Standing Before Hutton
Article III of the U.S. Constitution requires that a plaintiff have standing to bring her case. Generally speaking, at a minimum the federal courts require the following for standing: (1) an actual or impending injury; (2) that is traceable to the defendant; and (3) that can be effectively redressed by the court.
While these requirements may appear minimal, historically they have worked to bar the claims of numerous data breach plaintiffs. Often when a plaintiff experiences the theft of her personal information, it is very difficult to determine where, exactly, that data was stolen from. This problem of traceability can make it very difficult for a prospective plaintiff to bring a case against a prospective defendant, particularly in the face of denials from the potential defendant that its system was breached.
The requirement of an actual or imminent injury has been even more onerous. In the case of Beck v. McDonald, for instance, a class of plaintiffs sued a medical provider that had lost a laptop containing the plaintiffs’ unencrypted personal information. The Beck plaintiffs alleged that because of the mishandling of their personal information, they now faced “the threat of current and future substantial harm from identity theft and other misuse of their Personal Information.” The Fourth Circuit affirmed the lower court’s decision that the Beck plaintiffs lacked standing. It reasoned that the mere “threat of future injury” was insufficient for standing, even where the plaintiffs felt compelled to purchase credit monitoring services as a result of the loss of their data.
The plaintiffs in Hutton included three optometrists, each of whom had provided personal information to the National Board of Examiners in Optometry (“NBEO”). In 2016, each plaintiff realized that an unknown party had fraudulently opened a Chase Amazon Visa credit card account in their name. After communicating with one another, the plaintiffs realized that each of them had previously provided the NBEO with their personal information, and that it was the only common point of contact between them. The Court ruled this was enough to meet the traceability requirement.
Additionally, the plaintiffs purchased credit monitoring services. The Court distinguished Beck, noting that in this case, the plaintiffs were faced with a substantial risk of harm, whereas any harm to the Beck plaintiffs was speculative. On this basis, the Court ruled that the Hutton plaintiffs’ purchase of credit monitoring services was enough to meet the injury requirement for standing.
Two Takeaways from Hutton
1. It eases the burden of traceability.
While on average it takes about six months for a company to become aware it was hacked, many may never realize it, and some that do may not report it properly or at all. Hutton makes it easier for plaintiffs to sue a corporation without that corporation knowing or admitting that it was the victim of a hack.
2. It makes it easier for data breach plaintiffs to show an injury.
While the plaintiffs in Hutton each had a fraudulent credit card account set up in their names, none of them faced any charges connected with that account. Even so, the Court ruled that because the fraudulent accounts had been set up, this showed that the plaintiffs’ information was in the hands of a fraudster who was intent on using it to the detriment of the plaintiffs. The minor out-of-pocket expense associated with purchasing a credit monitoring service is, in these circumstances, enough to show an injury.
What Hutton Means for Your Company
Hutton makes it easier for plaintiffs to bring claims related to data breaches. Companies that store personal information for residents of North and South Carolina, Virginia, West Virginia, and Maryland must now be even more cautious with that data. They should review their policies to determine that they are only collecting data they need, that they are not keeping it any longer than they have to, and that they are following acceptable security protocols.
If you have any questions about what steps your company can take to protect itself from expensive data breaches and related lawsuits, feel free to contact me at firstname.lastname@example.org or (804) 648-1636.
Chris Jones is a member of Sands Anderson’s Cybersecurity Team.