On August 30, 2017, the Eighth Circuit Court of Appeals became the latest circuit court to hold that the threat of future harm is insufficient to satisfy the injury-in-fact requirement for Article III standing. See In re SuperValu, Inc., Nos. 16-2378, 16-2528, 2017 WL 3722455, at *2 (8th Cir. Aug. 30, 2017). This decision widens the split between those circuits that have held the risk of future harm is sufficient to satisfy Article III standing and those that have held it is insufficient.
The case arose out of a widespread data breach affecting a chain of retail grocery stores owned and operated by defendants, SuperValu, Inc. and New Albertsons. During the summer and early fall of 2014, hackers accessed the computer network used to process payment card transactions for 1,045 of defendants’ stores. The hackers installed malicious software on the defendants’ networks that allowed them to gain access to the payment card information of defendants’ customers, including their names, credit or debit card account numbers, expiration dates, card verification value codes, and personal identification numbers. By harvesting the data on the networks, the hackers allegedly stole customers’ personal information, including credit card information. In re SuperValu, Inc., 2017 WL 3722455, at *2.
Following notification of the breaches from defendants, affected customers filed putative class actions in several different states. Those actions were transferred to, and consolidated in, the United States District Court for the District of Minnesota for coordinated pretrial proceedings. The district court ordered plaintiffs to file a consolidated amended complaint. On June 26, 2015, sixteen named plaintiffs filed an amended and consolidated complaint bringing claims on behalf of a putative class of persons affected by defendants’ data breaches. Id., at *2.
The consolidated complaint alleged that each of the sixteen plaintiffs shopped at defendants’ affected stores using a credit or debit card, and that their card information was compromised in the breaches. Plaintiffs brought several claims for relief, including violations of state consumer protection and data breach statutes, negligence, breach of implied contract, and unjust enrichment. Id.
The plaintiffs’ claims rested on two theories of harm. First, plaintiffs alleged a “substantial risk of future harm because of defendants’ failure to properly secure their computer network” from hackers. In re SuperValu, Inc., 14 MD 2586 (ADM), 2016 WL 81792, at *4 (D. Minn. Jan. 7, 2016). Second, plaintiffs alleged that members of their class had already been harmed because data affected by the breach had actually been misused at the time of the suit. Specifically, plaintiffs alleged that a single named plaintiff, David Holmes, experienced a fraudulent charge on his payment card after shopping at one of defendants’ affected stores and, upon noticing the fraudulent charge on his credit card statement, cancelled his credit card. Id., at *2. Plaintiffs also alleged that after the data breaches were announced, each plaintiff “spent time determining if [his or her] card was compromised” by reviewing information released about the breaches and the impacted locations, and monitoring account information to guard against potential fraud. Id.
Defendants moved to dismiss on the ground that the plaintiffs lacked Article III standing, and for failure to state a claim. Article III standing is a jurisdictional requirement, and the party invoking federal jurisdiction has the burden of establishing standing. Lujan v. Defenders of Wildlife, 504 U.S. 555, 561 (1992). To meet this burden, the party must show: (1) an injury-in-fact; (2) a causal connection between the injury and the challenged conduct of the defendant; and (3) a likelihood that a favorable ruling will redress the alleged injury. Id., at 560–61. To satisfy the injury-in-fact element, an injury must be “concrete, particularized, and actual or imminent.” Clapper v. Amnesty Int’l USA, 568 U.S. 398, 408 (2013). When a party’s alleged injury is based on alleged future harm, the U.S. Supreme Court has held that standing exists only if the threatened injury is “‘certainly impending,’ or there is a ‘substantial risk’ that the harm will occur.” Susan B. Anthony List v. Driehaus, 134 S.Ct. 2334, 2341 (2014) (quoting Clapper, 568 U.S. at 414, n.5). “[A]llegations of possible future injury are not sufficient.” Clapper, 568 U.S. at 409 (internal quotation marks omitted). In In re SuperValu, the defendants argued that the “plaintiffs’ allegations of future harm were actually only speculative claims of possible future injury, which are not sufficient to satisfy Article III standing.” In re SuperValu, 2016 WL 81792, at *4.
The district court agreed with defendants and granted their Rule 12(b)(1) motion to dismiss the complaint for lack of standing. The district court found that plaintiffs’ allegations were insufficient because they required the court to speculate that the hackers: (1) read, copied, and understood plaintiffs’ personal information; (2) intended to commit future criminal acts by misusing the information; and (3) would be able to use such information to the detriment of plaintiffs by making unauthorized transactions in plaintiffs’ names. In re SuperValu, Inc., 2016 WL 81792, at *5. Moreover, the court found that the time frame in which this alleged harm could occur was entirely speculative, noting that “in addition to the speculation of whether future harm from a data security breach will materialize, it cannot be known when such harm will occur.” Id. Since nearly a year-and-a-half had passed without the occurrence of harm traceable to the breaches, the court held that plaintiffs’ allegations of future harm did not satisfy the injury-in-fact element of Article III standing. Id.
The district court also discounted plaintiffs’ allegations of actual misuse of customer data impacted by the breach, holding that those allegations were insufficient to demonstrate standing. Treating all plaintiffs collectively, the court compared plaintiffs’ allegations to those in data breach cases in which plaintiffs had alleged widespread misuse of affected data. In concluding that plaintiffs’ allegations of misuse were insufficient to satisfy the injury-in-fact requirement, the court noted that “only one unauthorized credit card charge (of an unspecified date and amount) [was] alleged to have occurred in the fifteen-month time period following the data breach that affected over 1,000 of [d]efendants’ stores.” Id., at *6. This “isolated incident” was “not indicative of data misuse that is fairly traceable to the breach.” Id. at *5. The court also found that any diminished value of plaintiffs’ data and their time spent monitoring their account information to guard against potential fraud were insufficient to demonstrate standing. The district court did not address defendants’ arguments for dismissal under Rule 12(b)(6) for failure to state a claim.
The Eighth Circuit agreed with the district court that plaintiffs’ allegations of an increased risk of future harm were insufficient to establish standing. However, the Eighth Circuit also held that the plaintiffs had established standing with respect to plaintiff Holmes, whose data had been allegedly affected by credit card fraud following the breaches.
The Eighth Circuit agreed with the district court that plaintiffs’ allegations that the breaches posed a substantial risk of future identity theft amounted to little more than the “bare assertion that ‘data breaches facilitate identity theft,’” which was too speculative to demonstrate an injury-in-fact. In re SuperValu, Inc., 2017 WL 3722455, at *5. The Court specifically rejected plaintiffs’ reliance on a 2007 Government Accountability Office report, noting that the report concluded that credit card information “generally cannot be used alone to open unauthorized new accounts;” and “most [data] breaches have not resulted in detected incidents of identity theft.” Id. In addition to rejecting plaintiffs’ reliance on the GAO report, the Court also highlighted the speculative nature of the timing of plaintiffs’ allegations of future harm: “It is possible that some years later there may be more detailed factual support for plaintiffs’ allegations of future injury. But such support is absent from the complaint here, and mere possibility is not enough for standing.” Id.
Despite the insufficient allegations of a risk of future harm, the Court held that plaintiffs had sufficiently alleged actual misuse of a named plaintiff’s data, which satisfied the injury-in-fact element of the Article III standing requirement with respect to that plaintiff. In reversing the district court’s holding on this issue, the Eighth Circuit specifically rejected the district court’s reasoning that a “single isolated instance of an unauthorized charge [suffered by a named plaintiff] is not indicative of data misuse that is fairly traceable to the data breach.” Id., at *7. Instead, the Eighth Circuit held that standing is not dependent upon the standing of other named plaintiffs and unnamed class members. Id. Rather, all that is required to satisfy Article III standing in a class action is that one named plaintiff have standing. Id. (citing Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016)). Because plaintiffs alleged that a named plaintiff had been injured by credit card fraud, the standing requirement had been met.
The Court also rejected defendants’ arguments that the specific incident of credit card fraud was not traceable to the data breach that affected defendants’ systems. The Court noted that, “[a]t this stage of the litigation, we presume that [plaintiffs’] general allegations embrace those specific facts that are necessary to support a link between [the] fraudulent charge and the data breaches.” In re SuperValu, Inc., 2017 WL 3722455, at *6 (internal quotations omitted). Essentially, because the case was in the pleading stage, plaintiffs only had to allege (rather than prove) a causal link between the breaches and the purported incident of credit card fraud. Id., at *7.
The Eighth Circuit’s decision clearly makes it more difficult for plaintiffs to demonstrate standing when litigating data breach cases. But the decision also leaves several important questions unanswered. The Court specifically addressed the possibility that there may be means to allege a substantial risk of future injury and made clear that it was not foreclosing future plaintiffs’ ability to sufficiently allege an injury-in-fact based on such a risk. Id. at *5, n.5. The Court also explicitly left open the question of whether “evidence of misuse following a data breach is necessary for a plaintiff to establish standing.” Id., at *7.
Perhaps most importantly, the Court of Appeals’ decision widens the circuit split over whether the risk of future harm is sufficient to confer standing. The Third and Fourth Circuits have also refused to grant standing to plaintiffs based on allegations of future harm, while the Sixth, Seventh, and Ninth Circuits have upheld findings of standing based on allegations of the risk of future harm. The Eighth Circuit’s decision likely increases the odds that the Supreme Court will address the widening circuit split.
Arent Fox's Privacy, Cybersecurity & Data Protection group monitors issues involving the threat of future harm. If you have any questions, please contact James Westerlind, Andrew Dykens, or the Arent Fox attorney who usually handles your matters.
U.S. Gov’t Accountability Off., GAO-07-737, Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft is Limited; However, the Full Extent is Unknown (2007). Available at: http://www.gao.gov/new.items/d07737.pdf