15.4 million Americans were victims of identity theft in 2016.[1] Data breaches are becoming more common, and
some consumers want to sue the company that suffered the data breach. There is a circuit split regarding whether
the consumers whose information was stolen satisfy the injury element of
standing.[2] The Eighth Circuit contributed to that split
in In re SuperValu by holding that
the consumers did not satisfy the injury requirement because they had not yet
suffered, and may never suffer, identity theft.[3]
I. Facts and Holding
On August 14,
2017, SuperValu, a grocery store chain, issued a press release stating a data
breach had occurred and the attack “may have resulted in the theft” of some of
their consumers’ credit and debit card information.[4] The data breach affected consumers who
purchased goods with a credit or debit card from SuperValu stores in Missouri,
Illinois, Maryland, Pennsylvania, Delaware, Idaho, and New Jersey.[5] The hackers accessed the consumers’
names, credit or debit card numbers, expiration dates, card verification value
(“CVV”) codes, and personal identification numbers (“PINs”) (hereinafter “Card
Information”).[6]
In September of 2014, SuperValu
announced a second data breach.[7] The hackers again accessed consumers’ Card
Information.[8]
Sixteen consumers who
purchased goods at SuperValu stores with a credit or debit card filed a class
action.[9] The plaintiffs alleged SuperValu was on
notice there was a risk of consumer data breaches because other national
retailers suffered similar attacks, and the store was negligent in failing to
follow industry standards for protecting consumer Card Information.[10] The plaintiffs sued SuperValu for negligence,
breach of implied contract, and other claims.[11] Only one plaintiff, David Holmes, suffered a
fraudulent charge on his credit card after the data breach.[12] The Eighth Circuit reversed the trial court’s
dismissal of the action as to Holmes, holding he did suffer an injury in fact
and therefore had standing because he suffered credit card fraud.[13] But the court affirmed the district court’s
dismissal of the remaining plaintiffs for lack of standing because there was
not a substantial risk they would suffer identity theft in the future.[14]
II. Legal Background
The United States
Constitution limits judicial power to deciding “cases” and “controversies.”[15] Courts have interpreted this to mean that a
plaintiff must have standing to sue in federal court.[16] Standing has three elements: 1) the plaintiff
must suffer an injury in fact; 2) the injury must be “fairly traceable to
defendant’s conduct”; and 3) the relief the plaintiff seeks must be likely to
redress her injury.[17] The plaintiff’s injury must be “concrete and
particularized” and “actual or imminent.”[18] It is possible to satisfy the injury
requirement with a future injury if “the threatened injury is certainly
impending, or there is a substantial risk that the harm will occur.”[19]
Some federal
courts have held that the threat of future identity theft satisfies the injury
in fact element of standing in data breach cases. The Seventh Circuit held the plaintiffs had
standing because there was an “objectively reasonable likelihood” they would
suffer identity theft, and some of the cards had already experienced fraudulent
charges.[20] The court asked “[w]hy else would hackers break
into a store’s database and steal consumers’ private information?”[21] The Sixth Circuit found
that the plaintiffs had standing because they had an increased risk of identity
theft.[22] It was reasonable to infer that the hackers
would use the plaintiffs’ data for fraudulent purposes.[23] Further, the plaintiffs were damaged when
they expended resources mitigating that risk.[24] The Ninth Circuit also held that the plaintiffs
had standing because they alleged a “credible threat of real and immediate
harm” even though no identity theft had occurred.[25]
Other federal
courts hold that the risk of future identity theft or credit card fraud is
insufficient to satisfy the standing requirement.[26] The Third Circuit found the alleged injury
too attenuated because the injury “is dependent on entirely speculative, future
actions of an unknown third-party.”[27] In that case, it was unclear if the hacker read and copied the
information, if the hacker would
attempt to use the information, and if
he would use it successfully.[28] The Fourth Circuit also held that the future
risk was not sufficient to constitute an injury; rather, the plaintiffs needed
to show that there was a substantial risk that the information would be
misused.[29] The Eighth Circuit’s analysis more closely
followed the Third and Fourth Circuits’ reasoning.[30]
III. Instant Decision
The Eighth Circuit
held in In re SuperValu that “the
complaint ha[d] not sufficiently alleged a substantial risk of identity theft,
and plaintiffs' allegations of future injury do not support standing in this
case.”[31]
The plaintiffs
claimed that they were damaged in two ways.[32] First, the plaintiffs spent time determining
if their cards were compromised after they learned about the data breaches.[33] The court reasoned that the time the plaintiffs
spent did not satisfy the injury requirement because they were protecting
themselves from a speculative threat.[34]
Second, the plaintiffs
alleged the data breach created a substantial risk of future identity theft.[35] The court reasoned that while other courts “have
ruled that a complaint could plausibly plead that the theft of a plaintiff’s
personal or financial information creates a substantial risk that they will
suffer identity theft sufficient to constitute a threatened injury in fact … we
conclude that plaintiffs have not done so here.”[36] The court found that a report from the U.S.
Government Accountability Office (“the Report”), stating that there are some
cases where identity theft occurred as a result of a data breach, was
insufficient to support plaintiffs’ claim.[37]
The court agreed
with the Report, which states it is difficult to open an unauthorized account
with only credit or debit card information; rather, fraudsters usually need
social security numbers, birth dates, or driver’s license numbers.[38] As for credit or debit card fraud, the court
again relied on the Report in finding that “data breaches are unlikely to
result in account fraud.”[39] The court left open the possibility that, in
the future, plaintiffs will be able to satisfy the injury requirement if there
is more statistical support showing that fraud is likely to occur after a data
breach.[40] Because there was a mere possibility that
the plaintiffs would suffer identity theft, the court held that they did
not allege an injury in fact and therefore did not have standing.[41]
IV. Comment
The Eighth Circuit
underestimated the frequency of identity theft in holding that the risk of
future identity theft was not sufficient to satisfy the injury
requirement. From 2015 to 2016, identity
theft increased sixteen percent, resulting in the theft of $16 billion.[42] Identity theft where the criminal uses credit
and debit card numbers to buy items online, rather than stealing the physical
card, increased forty percent in the last year.[43] Additionally, identity theft completed by
opening new accounts in a victim’s name nearly doubled.[44]
There is limited
information about how often data breaches are the cause of identity theft
because it is difficult to determine how the thieves obtained the Card Information.[45] However, this should not prevent the court
from finding that the plaintiffs have standing. First, the risk of identity theft is real
because as the Seventh Circuit asked, “[w]hy else would hackers break into a
store’s database and steal consumers’ private information?”[46]
Plaintiffs are
also injured because they have to spend time and money preventing identity
theft.[47] Many experts advise freezing your credit and
choosing a credit monitoring service if your information was exposed during a
data breach.[48] It generally costs between $3 and $30 to
freeze your credit cards and around $150 per year to monitor your credit.[49] While these costs do not
seem significant, they add up in a class action. These are just a few of the steps a vigilant
consumer should take. The court should
have found that the plaintiffs had standing by recognizing both the substantial
risk that the plaintiffs’ identities would be stolen and the costs that
plaintiffs incur to reduce that risk.
- Ariel Kiefer
[1] Herb Weisbaum, Identity Fraud Hits Record Number of Americans in 2016, NBC
News (Feb. 2, 2017),
https://www.nbcnews.com/business/consumer/identity-fraud-hits-record-number-americans-2016-n715756.
[2] See infra
Section II.
[5] Id.
[6] Id.
[7] Id.
[8] Id.
[9] Id.
[10] Id.
[11] Id. at
767. The plaintiffs also sued for
violations of the state data breach notification statutes, negligence per se,
violation of consumer protection statutes, and unjust enrichment. Id.
[12] Id.
[13] Id. at 774.
[14] Id.
[19] Susan
B. Anthony List v. Driehaus, 134 S. Ct. 2334, 2341 (2014) (internal quotation
marks omitted) (quoting Clapper v. Amnesty Int’l USA, 568 U.S. 398, 414 n.5
(2013)).
[20] Remijas
v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693–94 (7th Cir. 2015) (quoting Clapper, 568 U.S. at 410). 9200 of
the 350,000 cards had already experienced fraudulent charges. Id. at
964.
[21] Id.
[23] Id.
[25] Krottner v. Starbucks
Corp., 628 F.3d 1139, 1143 (9th Cir. 2010).
[26] See, e.g., In re Zappos.com, Inc., 108 F. Supp. 3d 949, 955 (D. Nev.
2015) (listing many federal district courts that have dismissed data breach
cases for lack of standing).
[27] Reilly v. Ceridian Corp.,
664 F.3d 38, 42, 40 (3d Cir. 2011) (The information subject to the data breach
included names, addresses, social security numbers, birthdays, and bank account
information.). However, the Third
Circuit has also held that if personal information is disclosed in violation of
the Fair Credit Reporting Act, that violation is enough to satisfy the injury
requirement even if the plaintiffs did not suffer identity theft or show that
there was a substantial risk of identity theft.
In re Horizon Healthcare Servs.
Inc. Data Breach Litig., 846 F.3d 625, 640 (3d Cir. 2017).
[29] Beck
v. McDonald, 848 F.3d 262, 275 (4th Cir. 2017) (Plaintiff’s allegation that thirty-three
percent of health-related data breaches resulted in identity theft was not
enough to constitute a “substantial risk.”).
[31] Id. at 771–72. However, the court also held that Holmes had
standing because he suffered the injury of credit card fraud, and the court
remanded his action for further proceedings. Id. at 774.
[32] Id.
[33] Id. at 767.
[34] Id. at
771.
[35] Id. at 770. Identity theft can include fraud on existing
accounts or fraudulently creating new accounts. Id.; U.S.
Gov't Accountability Office, Personal
Information: Data Breaches are Frequent, but Evidence of Resulting Identity
Theft Is Limited; However, the Full Extent Is Unknown 2 (2007),
http://www.gao.gov/assets/270/262899.pdf.
[36] Id. at 770.
[37] Id.
[38] Id.
[39] Id. at 779. The Report found that credit and debit card
fraud did occur in some data breach cases, however, “most breaches have not
resulted in detected incidents of identity theft.” Id. (quoting U.S. Gov't Accountability Office, supra note 35, at 21).
[40] Id.
[41] Id. at
771–72.
[42] Weisbaum, supra note 1.
[43] Id.
[44] Id.
[46] Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 694
(7th Cir. 2015).
[47] See Galaria v. Nationwide Mut.
Ins. Co., 663 Fed. App’x. 384, 388 (6th Cir. 2016) (unpublished); Krottner v.
Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010). After a data breach, those affected should
check their credit report, consider placing a freeze on their credit which
costs a fee, monitor all of their credit and bank accounts, and place a fraud
alert on their files. Seena Gressin, The Equifax Data Breach: What to Do, Fed. Trade Commission (Sept. 8, 2017), https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do.
[48] Here's What It Costs
to Freeze Your Credit After Equifax Breach, CNBC (Sept. 15, 2017),
https://www.cnbc.com/2017/09/15/heres-what-it-costs-to-freeze-your-credit-after-equifax-breach.html.
[49] Id.; Should I Pay for Credit Monitoring?,
TIME,
http://time.com/money/collection-post/2791979/should-i-pay-for-credit-monitoring/
(last visited Oct. 10, 2017).