Adam Pitchel, Associate Member, University of Cincinnati Law Review
Identity theft has developed into a serious concern for most people in the 21st century.[1] Criminals’ ability to open fraudulent accounts, make purchases, and tamper with people’s credit history has drastically increased the importance of protecting private information. Companies responsible for preserving and protecting this information have occasionally failed to do so, resulting in breaches and possible theft of personal data.[2] When these incidents occur, the risk of identity theft increases significantly.[3] There remains a question of whether the risk of future identity theft creates enough harm to sustain a civil claim. Currently, circuit courts are divided over this issue. The Sixth, Seventh, and Ninth Circuit Courts have held that an increased risk of identity theft is sufficient to justify a claim.[4] In contrast, the First, Third, and Fourth Circuits have held that an increased risk of identity theft is not a sufficient injury to warrant a lawsuit.[5] The approach used by the Sixth, Seventh, and Ninth Circuits is simpler and better comports with the requirements of Article III of the Constitution.
More Risk, More Harm
The requirement for a claimant to file a lawsuit is set forth in Article III Section 2 of the Constitution.[6] It is further explained in Hollingsworth v. Perry, where the Supreme Court stated that a litigant must “prove that he has suffered a concrete and particularized injury that is fairly traceable to the challenged conduct, and is likely to be redressed by a favorable judicial decision.”[7] In Remijas v. Neiman Marcus, the plaintiffs were victims of a cyber-attack that targeted their personal information that was stored on the defendant’s servers.[8] This attack caused several victims to lose control of the credit accounts and allowed the perpetrators to open several new lines of credit using the victims’ information.[9] However, not every person whose identity was compromised had suffered these problems.[10] Nevertheless, the Seventh Circuit held that all of the victims of the cyber-attack had standing to sue.[11] It emphasized that the targeted attack conducted on the defendant and the resulting theft of private information created actual, rather than speculative risk of future identity theft.[12] It further stressed that victims should not be forced to wait until the perpetrators committed actual credit-card fraud or identity theft because there was “an objectively reasonable likelihood that such an injury would occur.”[13]
This approach was reiterated by the Ninth Circuit in Krottner v. Starbucks Corporation.[14] In Krottner, the court held that a plaintiff had suffered an injury-in-fact if they could show that an act by the defendant had created a credible risk of future harm that was not conjectural or speculative.[15] The Sixth Circuit followed a similar approach in Galaria v. Nationwide Mutual Insurance.[16] In Galaria, hackers breached the customer database of the defendant and stole the private information of over one million people.[17] The court held that “an identifiable taking” of private information coupled with the defendant’s response of providing free credit-monitoring was sufficient to satisfy the standing requirement of Article III.[18]
No Harm, No Foul
The First, Third, and Fourth Circuits have decided not to follow this line of reasoning. -Instead, the circuits have held that the future risk of identity theft is too speculative to satisfy the standing requirement. In Reilly v. Ceridian Corp., the defendant suffered a breach of its firewall, potentially compromising the personal data of over 27,000 employees.[19] However, the Third Circuit held that the breach by itself was inadequate to establish standing for a lawsuit.[20] It found that the allegations of the plaintiffs were too speculative to satisfy the standing requirement and necessitated several inferences before any actual harm to the plaintiffs could occur.[21] It determined that while harm to the plaintiffs was certainly possible, it was not impending and did not satisfy the requirement laid out by the Supreme Court in Lujan v. Defenders of Wildlife.[22] The First Circuit announced a similar opinion in Katz v. Pershing, LLC.[23] In Katz, the plaintiff’s personal information was stored by the defendant in such a way that allowed certain users to access, download, and save that information.[24] The court found this insufficient to satisfy standing, emphasizing that the plaintiff failed to identify a single instance of an unauthorized person accessing her information.[25] In the most recent opinion on this issue, the Fourth Circuit joined the First and Third Circuits in Beck v. McDonald.[26] In Beck, the defendant stored the personal information of approximately 7,400 medical patients on a laptop computer that was stolen from its facility.[27] The court held that because there was no indication that the computer was stolen for the purpose of accessing the personal information of the victims, the plaintiffs did not have standing to file a claim.[28]
Maximum Risk
Article III of the Constitution dictates that federal courts shall have jurisdiction over “cases and controversies.”[29] Facially, it is difficult to discern whether the Founding Fathers contemplated an increased risk of identity theft as a possible case or controversy. This is because, in order to have a case, one of the parties involved must have suffered some harm or injury.[30] Courts have wrestled with the concept that an increased risk of future harm constitutes an injury-in-fact for the purposes of litigation. Generally, the circuits and the Supreme Court have agreed that the threat of a future injury constitutes an injury-in-fact when it is “imminent” or “impending”.[31] The theft of private information and subsequent increased risk of identity theft satisfies this requirement for two reasons. First, personal information cannot be changed by the victim. While credit accounts can be closed and fraudulent transactions disputed; some information, such as dates of birth, cannot be changed and other personal information, such as social security numbers, are overly burdensome to change. Consequently, it is impossible for individuals whose information was stolen to completely eliminate the risk of identity theft once the tools for committing the crime have been released. Second, since it is impossible for victims to completely eliminate the risk of identity theft once their information has been compromised, it is also impossible to determine when such a threat becomes “conjectural” or “speculative.”[32] While a certain amount of time may pass between the initial breach and any fraudulent behavior, that passage will not ease the burden that such behavior will place on the victim. Additionally, this passage of time may impose several procedural hurdles to a claim if the plaintiffs are forced to wait until after someone attempts to use their identity.
Furthermore, the approach used by the Sixth, Seventh, and Ninth Circuits creates a better, simpler framework for analyzing the complicated facts of identity theft cases. This approach allows courts to look primarily at what information was stolen and the possible consequences of that theft.[33] While there are limits as to the inferences that courts are allowed to draw, they are permitted to look into the near future to ascertain the level of increased risk of identity theft. In contrast, the approach used by the First, Third, and Fourth Circuits looks primarily at the purpose for which the information was stolen.[34] In Beck, the court emphasized that the plaintiffs could not prove that any of the information on the computer had been accessed or that the computer had been taken for the purpose of stealing personal information.[35] This “intent” or “targeting” requirement, used by the Fourth Circuit, forces plaintiffs to prove the goal that the perpetrators contemplated during the theft. Efforts to provide evidence of intent is normally futile, as plaintiffs and defendants alike are typically unaware of who committed the crime.
The analysis used by the Sixth, Seventh, and Ninth Circuits is also simpler in its risk determination. Under this analysis, if the plaintiffs can show they suffered an increased risk of identity theft as a result of the defendant’s negligence, the standing requirement is satisfied. Such a test does not require courts to weigh the degree or amount of risk; these determinations are best left to the trier of fact. Conversely, the test devised by the First, Fourth, and Fifth Circuits requires judges to engage in a balancing test, weighing the possible consequences associated with the defendant’s negligence.
Conclusion
Identity theft remains a growing problem in an increasingly technology-dependent society. Someone’s personal information can be stolen, sold, or traded without their knowledge while the victim is forced to deal with the consequences. As with most technology matters, courts have been slow to develop an appropriate framework for analyzing the issues associated with identity theft. Of the two approaches that have developed, the Sixth, Seventh, and Ninth Circuits have expressed a clearer methodology for addressing these unique problems. This approach better comports with the low threshold required by Article III and focuses on the increased risk itself. Such a test does not require courts to gauge the potential for actual harm, creating a simpler analysis. Altogether, this body of law will likely become increasingly important as people invest more time, money, and energy into storing their information electronically.
[1] J. Craig Anderson, Identity theft growing, costly to victims, USA TODAY (April 14, 2013), http://www.usatoday.com/story/money/personalfinance/2013/04/14/identity-theft-growing/2082179/.
[2] Michael Riley, Benjamin Elgin, Dune Lawrence, and Carol Matlack, Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It, BLOOMBERG (March 17, 2014), https://www.bloomberg.com/news/articles/2014-03-13/target-missed-warnings-in-epic-hack-of-credit-card-data.
[3] Id.
[4] See Galaria v. Nationwide, No. 15-3386, 2016 WL 4728027 (6th Cir. September 12, 2016); Remijas v. Neiman Marcus, 794 F.3d 688 (7th Cir. 2015); Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010).
[5] See Katz v. Pershing, 672 F.3d 64 (1st Cir. 2012); Reilly v. Ceridian Corp, 664 F.3d 38 (3rd Cir. 2011); Beck v. McDonald, No. 15-1395, 2016 WL 477781 (4th Cir. February 6, 2017).
[6] U.S. Const. Article III Section II, “The judicial Power shall extend to all Cases, in Law and Equity, arising under this Constitution.”
[7] Hollingsworth v. Perry, 133 S. Ct. 2652 (2013).
[8] Remijas v. Neiman Marcus, 794 F.3d 688 (7th Cir. 2015).
[9] Id. at 689-690.
[10] Id. at 692.
[11] Id. at 697.
[12] Id. at 695.
[13] Remijas v. Neiman Marcus, 794 F.3d 688, 693 (7th Cir. 2015).
[14] Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010).
[15] Id. at 1143.
[16] Galaria v. Nationwide, No. 15-3386, 2016 WL 4728027 (6th Cir. September 12, 2016).
[17] Id. at 1.
[18] Galaria v. Nationwide, No. 15-3386, 2016 WL 4728027, 8 (6th Cir. September 12, 2016).
[19] Reilly v. Ceridian Corp, 664 F.3d 38, 40 (3rd Cir. 2011).
[20] Id. at 45-46.
[21] Id. at 43.
[22] Id. at 43; Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992).
[23] Katz v. Pershing, 672 F.3d 64 (1st Cir. 2012).
[24] Id. at 69-70.
[25] Id. at 79-80.
[26] Beck v. McDonald, No. 15-1395, 2016 WL 477781 (4th Cir. February 6, 2017).
[27] Beck v. McDonald, No. 15-1395, 2016 WL 477781, 1 (4th Cir. February 6, 2017).
[28] Id. at 8.
[29] U.S. Const. Article III Section II.
[30] Lujan v. Defenders of Wildlife, 504 U.S. 555, 556 (1992).
[31] Clapper v. Amnesty Int’l USA, 133 S.Ct. 1138, 1141 (2013).
[32] Id. at 1143.
[33] See Remijas v. Neiman Marcus, 794 F.3d 688, 694 (7th Cir. 2015); Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010); and Galaria v. Nationwide, No. 15-3386, 2016 WL 4728027, 3 (6th Cir. September 12, 2016).
[34] See Katz v. Pershing, 672 F.3d 64, 79-81 (1st Cir. 2012); Reilly v. Ceridian Corp, 664 F.3d 38, 44-46 (3rd Cir. 2011); Beck v. McDonald, No. 15-1395, 2016 WL 477781, 6-9 (4th Cir. February 6, 2017).
[35] Beck v. McDonald, No. 15-1395, 2016 WL 477781, 7 (4th Cir. February 6, 2017).
