Risks From Data Breach Sufficient For Standing?

Data breaches, unfortunately, are not entirely uncommon. A question that has arisen is whether there is standing to sue for people whose data has been stolen but who have not yet suffered actual damages. The Circuit Courts of Appeal have been split on the issue, with a recent decision by the D.C. Circuit, In re U.S. Office of Personnel Management Data Security Breach Litigation, 928 F.3d 42 (D.C. Cir 2019) (“OPM“), extending standing in this context farther than before in a case that may make its way to the U.S. Supreme Court.

The OPM facts and procedural background are relatively straightforward.

Private information is maintained by the Office of Personnel and Management (“OPM”) regarding federal employees. In turn, the OPM has retained KeyPoint Government Solutions, Inc. (“KeyPoint”) to assist with respect to internal investigations. As a consequence, KeyPoint has been given access to the database of OPM.

Hackers gained access and obtained the private data of more than 21 million people from OPM’s database by using stolen KeyPoint credentials. A lawsuit was brought on behalf of people who had their data stolen against OPM and KeyPoint for negligence and violation and certain federal statutes. A few of the plaintiffs asserted that they already had suffered identity theft and fraud after the data breach, but that was not alleged for most of the plaintiffs.

OPM and KeyPoint sought to dismiss the complaints in district court. The court granted their motions on two grounds. Most importantly here, the court ruled that most of the plaintiffs lacked standing because they did not allege injury in fact and causation linked to the conduct of OPM and KeyPoint. An appeal followed to the D.C. Circuit.

Contrary to the district court, the per curium panel of the D.C. Circuit concluded that the plaintiffs actually had alleged facts adequate enough to meet the “low bar” of standing at the pleading stage. The plaintiffs alleged that the data breach had caused them harm by putting them at risk of future injuries like identity theft. To make sure this type of harm was actual or imminent, as opposed to speculative, the Court sought to determine if the plaintiffs had alleged that the hackers had “both the intent and the ability to use [the plaintiffs’] data for ill will.”

The Court noted the plaintiffs had alleged that a few of them “already had experienced various types of identity theft,” which could have been as a result of the hacked information. Thus, the allegations in the complaints demonstrated that the hackers were “sophisticated and apparently quite patient” and that the plaintiffs who had not yet been injured in terms of identity theft or others harms as a result of their data being stolen faced “a substantial risk of future identity theft” resulting from the breach. Accordingly, these plaintiffs had sufficiently alleged injury in fact for purposes of standing at the pleadings stage. And the Court also held that money damages for protective services would be proper redress if the plaintiffs were to prevail and they were not able to prove up other damages.

It will be worth watching to see whether OPM moves the needle at all in terms of the conflict in the Circuits as to the standing requirements for those who seek redress for data breaches when they have not yet been actually been harmed by injuries such as identity theft. It also is not known quite yet whether a petition for writ of certiorari will be filed in OPM. In a recent application to the U.S. Supreme Court, the Solicitor General stated that a decision had not yet been determined as to whether to file a writ petition, and sought an extension until February 18, 2020 to file such a petition.

Eric Sinrod (@EricSinrod on Twitter) is a partner in the San Francisco office of Duane Morris LLP, where he focuses on litigation matters of various types, including information technology and intellectual property disputes. You can read his professional biography here. To receive a weekly email link to Mr. Sinrod’s columns, please email him at ejsinrod@duanemorris.com with Subscribe in the Subject line. This column is prepared and published for informational purposes only and should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author’s law firm or its individual partners.