Federal Court Says Data Breach Alone Is Insufficient To Establish Standing
On July 16, the United States District Court for the District of Alabama issued an opinion in Blahous v. Sarrell Regional Dental Center for Public Health, Inc. dismissing a data breach lawsuit for lack of Article III standing. The order held that allegations based on the potential misuse of information that may have been stolen by hackers were too speculative to establish standing. Blahous represents a strict adherence to the Supreme Court’s landmark precedents in Clapper v. Amnesty International USA and Spokeo v. Robins, in stark contrast to several more expansive opinions on privacy in recent years.
In Blahous, customers of a dental provider (Plaintiffs) brought suit against the provider after it identified and disclosed a potential cyber threat. The dental provider explained in a notice to customers that it had identified ransomware on its systems but also that its investigation did not yield “evidence that any files or information were copied, downloaded, or removed from” its network. Nevertheless, the provider offered a number of remedial measures to its customers, including a $1 million insurance reimbursement policy and a year of credit monitoring.
Plaintiffs brought suit against the provider, alleging four theories of harm. First, Plaintiffs argued that they faced an increased risk of their identities being stolen. Second, they argued that they incurred costs to mitigate the data risk, such as credit monitoring. Third, they argued that they “overpay[ed]” for dental services—i.e., that the implicit promise that their data would be secure was baked into the cost of services. Fourth, they argued that the value of their personally identifiable information (PII) was reduced because of its potential exposure to hackers.
The Blahous court rejected these theories on Article III standing grounds. Under standing doctrine, federal courts have jurisdiction to hear only claims in which a plaintiff alleges an “injury in fact” that is “actual or imminent,” not “conjectural” or “hypothetical.” The court explained that “a plaintiff must provide at least some plausible specific allegation of actual or likely misuse of data to satisfy Article III’s standing requirement[.]” The court found that Plaintiffs did not meet this standard, writing:
Plaintiffs simply have failed to plausibly point to a certain threat of the hackers’ making use of their specific personal data as a result of the Breach. . . . In the absence of an actuality or a likelihood, the mere possibility that the Plaintiffs’ PII may have been gathered and disseminated and that their credit may suffer if the hackers opt to sell or release this information to those able and willing to exploit it cannot impart the requisite standing.
Likewise, the court found Plaintiffs’ allegations of money damages, i.e., the costs of mitigating these data risks, to be insufficient. The court reasoned that a plaintiff cannot manufacture Article III standing by spending money to mitigate a speculative harm.
Were it not for a series of recent cases pointing in the opposite direction, Blahous would be somewhat unremarkable: it closely follows established Supreme Court precedent like Spokeo and Clapper in holding that one cannot allege an injury without plausible allegations that the injury has occurred or is likely to occur. On the other hand, many courts in recent years have taken a far more capacious view of standing in data privacy and security cases. For example:
The Seventh Circuit held that plaintiffs had standing to sue a vehicle manufacturer over an alleged security vulnerability, despite no evidence that malicious hackers had ever exploited that vulnerability, based on the same “overpayment” theory rejected in Blahous.
Similarly, a district court allowed a group of investors to sue Equifax over its data breach, not because the investors’ own information was accessed, but because the company allegedly inflated its stock price by overstating its cybersecurity protections.
Last August, the Ninth Circuit held that the collection of biometric data in violation of a state statute, with no allegation that the data was unlawfully accessed or otherwise used to the plaintiffs’ detriment, could satisfy Article III standing.
In sum, while Blahous makes it harder for plaintiffs to haul organizations into court over potential data breaches, at least in this jurisdiction, businesses are not out of the woods until there is greater clarity at a higher level. Action by either Congress (via a preemptive federal privacy law) or the Supreme Court (via a case further clarifying the standards articulated in Clapper and Spokeo) would clearly delineate nationwide which data breach claims are allowed to proceed in federal court.