The Injuries Reilly Ignored: Consumer Data Breaches and Injury-in-Fact

In 2012, the Supreme Court declined a valuable opportunity to address the U.S. Court of Appeals for the Third Circuit's flawed renunciation of the parallels between data breach, medical monitoring and toxic tort cases, and future courts should avoid the same oversight, the author writes.

By Shannon M. Grammel

Shannon M. Grammel is the winner of the 2016 Bloomberg Law Student Write-On Competition. She is a third-year student at Stanford Law School and editor in chief of the Stanford Law Review.

I. Introduction

The U.S. Supreme Court denied review in 2012 to thousands of individuals whose data was breached who were alleging increased harm of identity theft and seeking to reverse the U.S. Court of Appeals for the Third Circuit's decision to deny them standing in Reilly v. Ceridian Corp.1 In so doing, the Supreme Court declined a valuable opportunity to address the Third Circuit's flawed renunciation of the parallels between data breach, medical monitoring and toxic tort cases.2 Such renunciation erred in conspicuously excluding from its calculus two critical injuries present in all three types of cases: heightened “at risk” status and fear of future harm. These injuries, this article argues, ought to have sufficed for Article III standing in Reilly.

This article proceeds in four parts. It first summarizes the injury-in-fact standing requirement. Next, it introduces the circuits' divergent approaches to analogizing data breach, medical monitoring, and toxic tort cases. An illustration of the critical oversight the Third Circuit made in mistakenly rejecting these analogies follows. It concludes by urging that the present injuries of “at risk” status and fear of future harm be given their due consideration in the standing calculus.

II. Defining 'Injury-in-Fact'

The Supreme Court has interpreted Article III's “case-or-controversy requirement” to limit the federal courts' jurisdiction to cases in which the plaintiff has demonstrated standing.3 This demonstration requires, among other things, a showing of “injury in fact.”4 Put simply, an injury-in-fact is an “invasion of a legally protected interest.”5 This invasion must be “particularized” and “actual or imminent,”6 “concrete in both a qualitative and temporal sense.”7 Notably, an injury-in-fact need not have already occurred. Rather, even “threatened injury constitutes 'injury in fact,’”8 provided it is “certainly impending”9 and “proceed[s] with a high degree of immediacy, so as to reduce the possibility of deciding a case in which no injury would have occurred at all.”10

III. Drawing (and Rejecting) Analogies

In applying the above definition in data breach cases, courts have historically looked to its application in medical monitoring, toxic tort and environmental injury cases as a guide.11 This article focuses on the first two of these types of cases: medical monitoring and toxic tort cases. In just the last decade, the U.S. Courts of Appeals for the Seventh12 and Ninth13 Circuits have analogized medical monitoring and toxic tort cases with data breach cases in holding that, put simply, “the injury-in-fact requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm.”14 While the Seventh Circuit relegated these parallels to a footnote,15 the Ninth Circuit took the liberty of elucidating them more fully.16

In denying standing to data breach victims alleging “an increased risk of identity theft,” the Third Circuit in Reilly v. Ceridian Corp.17 dismissed the Seventh and Ninth Circuits' parallels as “skimpy rationale.”18 Its strikingly robust yet cursory dismissal was predicated on the assertions that medical monitoring and toxic tort cases involve “injury [that] has undoubtedly occurred” and “hinge[] on human health concerns.”19 Data breach victims alleging no misuse, the court distinguished, have endured “no change in the status quo;” their “credit card statements are exactly the same” as they would have been sans breach.20 Such distinctions led the court to mistakenly conclude that the plaintiffs had “yet to suffer any harm.”21

IV. Two Fundamental Injuries The Third Circuit Failed to Consider

In drawing such superficial distinctions, the Reilly court failed to recognize two fundamental injuries that the plaintiffs--like plaintiffs in medical monitoring and toxic tort cases--had suffered: (1) heightened “at risk” status and (2) fear of future injury.

A. “At Risk” Status as Injury-in-Fact

A number of courts have granted standing to toxic exposure and medical monitoring victims after reframing their heightened risk of disease as a present, rather than future, injury.22 Indeed, some “circuits have had no trouble understanding the injurious nature of risk itself.”23 The court in In re “Agent Orange” Prod. Liab. Litig.,24 for example, allowed standing based not on the plaintiffs' increased risk of future disease after their exposure to Agent Orange, but rather on their present status of being “at risk” for developing such disease.25 Similarly, in Sutton v. St. Jude Med. S.C., Inc.,26 it was sufficient for a plaintiff who had a defective valve implanted in his heart to show an “increased risk of harm when comparing those individuals implanted with the device to those undergoing traditional surgery.”27

Protective measures an individual takes to protect herself from such risk, however, would be insufficient to establish standing. The Court recently clarified in Clapper v. Amnesty Int'l28 that “costly and burdensome measures” taken to protect oneself from “the risk of surveillance” are insufficient to establish standing.29 These measures, the Court reasoned, are simply not impending.30 Allowing plaintiffs to “manufacture standing” based on this sort of “reasonable reaction to a risk of harm,” the Court reasoned, “improperly waters down the fundamental requirements of Article III.”31

The logic of harm by “at risk” status also applies in data breach cases. As a result of a hack, its victims endure an exacerbation of their “at risk” status for identity theft.32 While such exacerbation may not immediately manifest itself in the victims' credit card statements, it is nonetheless actual and imminent. Indeed, as one court noted, “the risk that Plaintiffs' personal data will be misused by the hackers who breached [the] network is immediate and very real.”33 Prior to a hack, the risk of identity theft is null. Afterwards, it is necessarily greater. As the Seventh Circuit aptly noted, once plaintiffs have established heightened “at-risk” status, “the fact that [they] anticipate that some greater potential harm might follow … does not affect the standing inquiry.”34

Protective measures taken as a result of the heightened risk of imminent identity theft or fraud could also, despite Clapper, contribute to data breach victims' injury-in-fact. The court in Remijas v. Neiman Marcus Group35 noted that mitigation expenses taken as a result of “speculative harm based on something that may not even have happened” are distinct from those taken to protect from the very real and imminent risk of harm many data breaches present.36 To not recognize this distinction, the court maintained, would be “to overread Clapper.”37 Other courts, meanwhile, read Clapper to preclude standing on the basis of preventive costs.38 In In re Sci. Applications Int'l Corp. (SAIC) Backup Tape Data Theft Litig.,39 for instance, the court reasoned that, although there is “nothing unreasonable about monitoring your credit after a data breach,” Clapper simply means that the “cost of credit monitoring and other preventive measures” is not enough to establish Article III standing.40

The Third Circuit nonetheless neglected to employ this analysis in Reilly.41 It isn't true, as the Reilly court purported, that data breaches cause “no change in the status quo.”42 As explained above, the victims of data breaches necessarily endure an increase in the risk of identity theft. This increase cannot fairly be called “entirely speculative.”43 Indeed, as in Neiman Marcus, it is “telling”44 that “Ceridian arranged to provide the potentially affected individuals with one year of free credit monitoring and identity theft protection.”45 There is a “well-established principle that harm need not have already occurred or be 'literally certain’” to establish injury-in-fact.46 The court erred in forcing the Reilly plaintiffs to do precisely this--to wait, in the face of actual and increased risk of harm, until they have already suffered identity theft or fraud to seek protection and redress in court.

B. Fear of Identity Theft as Injury-in-Fact

Courts have additionally acknowledged a second present injury that toxic tort and medical monitoring claimants suffer: the fear of future injury. This present fear, courts reason, is itself an injury “theoretically distinct from [any] future injury.”47 In Duke Power Co. v. Carolina Envtl. Study Group, Inc.,48 for instance, the plaintiffs' “present fear and apprehension” of the exposure that would result from the planned construction of a nuclear power plant in close proximity to their homes was injury-in-fact enough to establish standing.49 The court in Friends of the Earth, Inc. v. Gaston Copper Recycling Corp.50 likewise recognized that “reasonable fear and concern about the effects of [toxic] discharge, supported by objective evidence, directly affect [the plaintiff's] recreational and economic interests” and thus amounts to an injury-in-fact.51

Data breach victims similarly suffer fear and apprehension of identity theft. They know that, should their identities be stolen, they may endure, among other problems, damaged credit, difficulty obtaining loans, harassment by debt collectors, and insecure financial accounts.52 Even more troubling, however, is the prospect that they may lose control over their own identities, the very essence of who they are. In light of these fears, courts have acknowledged standing for data breach victims on the basis of their fear and apprehension. In a case involving data theft, for instance, the Western District of Washington maintained that “claims of emotional distress and anxiety arising from the laptop theft are enough to satisfy Article III.”53

Given the courts' logic in both toxic tort and medical monitoring cases, the Reilly court erred in conspicuously neglecting to consider fear of identity theft and fraud as an injury-in-fact for Article III purposes. As detailed above, it simply missed the mark when it stated that “the thing feared lost here is simple cash.”54 The Reilly plaintiffs feared a far worse outcome; they feared that pieces of information associated with their unique identities would fall subject to control and abuse of others. The very real fear associated with the risk of this sort of loss, unlike the loss of “simple cash,” frankly, cannot be “easily and precisely compensa[ted] with a monetary award.”55 It is--as the Reilly court failed to recognize--an actual and concrete injury.

V. Conclusion

As the incidence of data breaches continues to rise,56 we can expect the incidence of cases like Reilly to rise in tandem. The courts charged with resolving these cases should take heed to avoid making the same oversight the Third Circuit made; they ought to give the present injuries of “at risk” status and fear of future harm their due consideration in the Article III standing calculus.

1 Reilly v. Ceridian Corp., 132 S. Ct. 2395 (2012).

2 664 F.3d 38, 44-46 (3d Cir. 2011), cert denied, 132 S. Ct. 2395 (2012).

3 See Allen v. Wright, 468 U.S. 737, 751 (1984).

4 Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167, 180-81 (2000).

5 Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992) (internal quotation marks omitted).

6 Friends of the Earth, 528 U.S. at 180-81.

7 Whitmore v. Arkansas, 495 U.S. 149, 155 (1990).

8 Cent. Delta Water Agency v. United States, 306 F.3d 938, 947 (9th Cir. 2002).

9 Clapper v. Amnesty Int'l USA, 133 S. Ct. 1138, 1143 (2013).

10 Lujan, 504 U.S. at 564 n.2.

11 Krottner v. Starbucks Corp., 628 F.3d 1139, 1142-43 (9th Cir. 2010); Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629, 634 n.3 (7th Cir. 2007).

12 Pisciotta, 499 F.3d at 634 n.3.

13 Krottner, 628 F.3d at 1142-43.

14 Pisciotta, 499 F.3d at 634.

15 Id. at 634 n.3.

16 Krottner, 628 F.3d at 1142-43.

17 664 F.3d 38 (3d Cir. 2011).

18 Id. at 43-44.

19 Id. at 45.

20 Id.

21 Id. at 43.

22 See id. at 45; Jeremy Gaston, Note, Standing on its Head: The Problem of Future Claimants in Mass Tort Class Actions, 77 TEX. L. REV. 215, 229-30 (1998).

23 Friends of the Earth, Inc. v. Gaston Copper Recycling Corp., 204 F.3d 149, 160 (4th Cir. 2000).

24 996 F.2d 1425 (2d Cir. 1993), overruled in part on other grounds by Syngenta Crop Prot., Inc. v. Henson, 537 U.S. 28 (2002).

25 Id. at 1434.

26 419 F.3d 568 (6th Cir. 2005).

27 Id. at 575 (noting that, though plaintiff was able to show a seven hundred percent increase in risk, such a precise showing was unnecessary).

28 133 S. Ct. 1138 (2013).

29 Id. at 1151.

30 See supra note 9 and accompanying sources.

31 Id.

32 See Miles L. Galbraith, Comment, Identity Crisis: Seeking a Unified Approach to Plaintiff Standing for Data Security Breaches of Sensitive Personal Information, 62 AM. U. L. REV. 1365, 1387 (2013).

33 In re Adobe Sys., Inc. Privacy Litig., 66 F. Supp. 3d 1197, 1214 (N.D. Cal. 2014).

34 Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629, 634 (7th Cir. 2007).

35 794 F.3d 688 (7th Cir. 2015).

36 694 (finding standing on the basis of a “substantial risk of harm” and accompanying “mitigation expenses”);

37 Id.

38 See, e.g., Strautins v. Trustwave Holdings, Inc., 27 F. Supp. 3d 871, 876 n.9 (N.D. Ill. 2014).

39 45 F. Supp. 3d 14 (D.D.C. 2014).

40 Id. at 26.

41 The Third Circuit does not stand alone in this rejection. See In re, Inc., Customer Data Sec. Breach Litig., 108 F. Supp. 3d 949, 955 (D. Nev. 2015) (“The majority of courts dealing with data-breach cases post-Clapper have held that absent allegations of actual identity theft or other fraud, the increased risk of such harm alone is insufficient to satisfy Article III standing.”).

42 Reilly v. Ceridian Corp., 664 F.3d 38, 45 (3d Cir. 2011).

43 Id.

44 Neiman Marcus, 794 F.3d at 694 (noting that an offer of a year's credit monitoring and identity-theft protection indicates that the risk is more than “ephemeral”).

45 Reilly v. Ceridian Corp., 664 F.3d 38, 40 (3d Cir. 2011).

46 In re Adobe, 66 F. Supp. 3d at 1215 (quoting Clapper v. Amnesty Int'l, 133 S. Ct. 1138, 1150 n.5 (2013)).

47 Gaston, supra note 22, at 245; see also Denney v. Deutsche Bank AG, 443 F.3d 253, 264 (2d Cir. 2006) (“An injury-in-fact may simply be the fear or anxiety of future harm.”).

48 438 U.S. 59, 73 (1978).

49 Duke Power, 438 U.S. at 73.

50 204 F.3d 149 (4th Cir. 2000).

51 Id. at 161.

52 Joshua R. Levenson, Strength in Numbers: An Examination into the Liability of Corporate Entities for Consumer and Employee Data Breaches, 19 U. FLA. J.L. & PUB. POL'Y 95, 112-13 (2008).

53 Krottner v. Starbucks Corp., No. C09-0216-RAJ, 2009 BL 293725, at *6 (W.D. Wash. Aug. 14, 2009) (citing Doe v. Chao, 540 U.S. 614, 624 (2004)), affirmed 628 F.3d 1139, 1140 (9th Cir. 2010).

54 Reilly v. Ceridian Corp., 664 F.3d 38, 45-46 (3d Cir. 2011).

55 Id. at 46.

56 Galbraith, supra note 32, at 1368.


2016 Bloomberg Law Write-On Competition

For the second year in a row, Bloomberg Law invited students from U.S. law schools to submit original articles, the best of which would be chosen for publication in selected Bloomberg BNA legal reports. Entries were evaluated by our editorial team based on accuracy, depth of analysis, writing style and usefulness to our audience.

The winning articles are appearing during April in 10 Bloomberg BNA publications and on Bloomberg Law.