The 4th U.S. Circuit Court of Appeals held Wednesday that victims’ standing to sue over the theft of their personal data depends on the intent of the thieves who stole it.
Specifically, in a joint appeal by two classes of military veterans who sued over personal data compromised in two thefts from a VA hospital in South Carolina – one of a laptop containing information about patients who underwent pulmonary tests, the other of four boxes of old pathology records – the appeals court said veterans could not establish they’d suffered a concrete or imminent injury from the thefts.
Judges Albert Diaz, Paul Niemeyer and U.S. District Judge Irene Keeley of Clarksburg, West Virginia, sitting by designation, held it’s not clear that the goal of the thefts was the patients’ personal data. The breaches occurred in 2013 and 2014, and, so far, patients haven’t been victims of identity theft. So, according to the 4th Circuit, they don’t meet the test for constitutional standing the U.S. Supreme Court clarified in its 2013 opinion in Clapper v. Amnesty International.
“For the plaintiffs to suffer the harm of identity theft that they fear, we must engage with the same ‘attenuated chain of possibilities’ rejected by the court in Clapper,” Judge Diaz wrote in the 4th Circuit’s opinion. “In both cases, we must assume that the thief targeted the stolen items for the personal information they contained. And in both cases, the thieves must then select, from thousands of others, the personal information of the named plaintiffs and attempt successfully to use that information to steal their identities. This ‘attenuated chain’ cannot confer standing.”
The 4th Circuit reasoning, which closely tracked the Justice Department’s position in its appellate brief for the VA, may seem at odds with decisions from the 6th, 7th and 9th Circuits allowing plaintiffs to move forward with data breach class actions based just on the fear their personal information may be misused. But the 4th Circuit panel said all of those decisions were based on allegations that thieves had specifically gone after customer data in order to commit identity fraud. In the VA case, by contrast, the theft was not a computer hack targeting personal identifying information. Lawyers for the veterans argued that the VA thieves could only have been motivated by the opportunity to commit identity theft because there was no other reason to steal an old laptop and boxes of paper. But the 4th Circuit said the argument was “too speculative” to establish their “enhanced risk of future identity theft.”
That seems like a pretty narrow needle to thread. Meanwhile, you’re probably wondering where the Supreme Court’s 2016 decision in Spokeo v. Robins fits into the 4th Circuit analysis. It doesn’t: The appeals court said the military veterans hadn’t argued for standing based on alleged statutory violations of the federal Privacy Act so Spokeo doesn’t control its decision.
Fair enough, but it’s getting awfully hard to discern rules on how to plead and defend Article III standing in privacy cases. Last month, you’ll recall, the 3rd Circuit held Spokeo did not preclude a class action claiming Horizon Healthcare violated the Privacy Act when it allegedly left customer data exposed to hackers. Immediately thereafter, however, the 7th Circuit cited Spokeo to toss a privacy class action claiming Time Warner violated the Cable Communications Policy Act by failing to delete personal information on former customers. And yes, that’s the same 7th Circuit that has allowed data breach class actions to proceed based on the likelihood of identity theft.
If there is an overarching theme in the recent appellate precedent on privacy, it seems to be that class action plaintiffs have to assert a credible claim not just that their personal information was exposed but that it was snatched by identity thieves targeting personal data. I expect we’ll see class action lawyers drafting complaints to comply with that emerging standard.
Douglas Rosinski, who argued at the 4th Circuit for the military veterans suing the VA, told me he and co-counsel are reviewing the 4th Circuit decision and are “very aware” of a split among the circuits on standing for data breach plaintiffs.