Press "Enter" to skip to content

4th Cir. Holds Data Breach Victims Have Standing When Fraudulent Accounts Opened

The U.S. Court of Appeals for the Fourth Circuit recently vacated a judgment of dismissal in consolidated class actions arising from a data breach of personal information, holding that the plaintiffs had standing to sue because fraudulent credit cards were actually opened in the victims’ names.

In so ruling, the Court distinguished its 2017 ruling in Beck v. McDonald, which held “a mere compromise of personal information, without more, fails to satisfy the injury-in-fact element in the absence of an identity theft.”

A copy of the opinion in Rhonda Hutton v. National Board of Examiners is available at:  Link to Opinion.

In July 2016, a group of optometrists who communicated through Facebook groups dedicated to the profession noticed that credit card accounts were fraudulently opened in their names. The victims concluded that the source of the problem had to be the national board that administered the test required to obtain an optometrist license, to which they were required to submit their social security numbers and other personal information.

Two optometrists filed suit in the U.S. District Court for Maryland under the Class Action Fairness Act, 28 U.S.C. § 1332(d)(2). Two weeks later, a third optometrist filed a similar class action in the same court. Both cases alleged that the national board database had been compromised and sought damages, restitution and injunctive relief.

In October 2016, the national board moved to dismiss both complaints based on lack of subject matter jurisdiction under Fed. Civ. P. 12(b)(1) and failure to state a claim upon which relief can be granted under Rule 12(b)(6). Shortly thereafter, the board moved to consolidate the two cases.

In March 2017, the trial court dismissed both complaints for lack of standing, reasoning that “the Complaints simply alleged speculative harms that could only occur in the future [and] failed to establish standing either upon their asserted increased risk of identity theft or upon their expenses to negate identity theft.” The trial court also concluded that any injury suffered by the plaintiffs was not fairly traceable to the national board because the plaintiffs failed to allege a plausible causal link between furnishing their personal information to the board and “their receipt of unsolicited credit cards.” The plaintiffs appealed.

The Fourth Circuit began by explaining that “[t]o possess standing, a plaintiff must sufficiently allege … that they have: ‘(1) suffered an injury-in-fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.’” … And class plaintiffs cannot meet their burden to establish standing ‘[w]ithout a sufficient allegation of harm to the named plaintiff in particular.’ … When a complaint is evaluation at the pleading stage, however, ‘general factual allegations of injury resulting from the defendant’s conduct may suffice, for on a motion to dismiss we presume that general allegations embrace those specific facts that are necessary to support the claim.’ … Accordingly, ‘we accept as true’ the ‘allegations for which there is sufficient ‘factual matter’ to render them ‘plausible on [their] face.’”

The Court focused on the “injury-in-fact and traceability” elements of standing because they were the ones challenged by the board. “To establish an injury-in-fact, the Plaintiffs must show that they ‘suffered an invasion of a legally protected interest that is concrete and particularized and actual or imminent, not conjectural or hypothetical.”

The Court then distinguished its 2017 decision in Beck v. McDonald, which held that “a plaintiff fails to ‘establish Article III standing based on the harm from the increased risk of future identity theft and the costs of measures to protect against it.’” In that case, the Court “emphasized that a mere compromise of personal information, without more, fails to satisfy the injury-in-fact element in the absence of an identity theft.”

The present action, the Fourth Circuit ruled, was different because the plaintiffs alleged “that they have already suffered actual harm in the form of identity theft and credit card fraud. The Plaintiffs have been concretely injured by the data beach because the fraudsters used — and attempted to use — the Plaintiffs personal information to open […] credit card accounts without their knowledge or approval. Accordingly, there is no need to speculate on whether substantial harm will befall the Plaintiffs.”

The Court further reasoned that even though the plaintiffs did not allege “that they suffered fraudulent charges on their unsolicited […] credit cards, … the Supreme Court long ago made clear that ‘[i]n interpreting injury in fact … standing [is] not confined to those who [can] show economic harm.’”

The Fourth Circuit concluded that “[a]t a minimum, Plaintiffs have sufficiently alleged an imminent threat of injury to satisfy Article III standing.” The Court held this is because the plaintiffs “incurred actual harm by receiving unsolicited credit cards — and in at least one instance incurring a credit score decrease….” In addition, “[b]ecause the injuries alleged by the Plaintiffs are not speculative, the costs of mitigating measures to safeguard against future identity theft support the other allegations and together readily show sufficient injury-in-fact to satisfy the first element of the standing to sue analysis.”

Turning to the “traceability” element, the Fourth Circuit noted that it had previously held that “the ‘fairly traceable standard is not equivalent to a requirement of tort causation.’”

It also noted that the plaintiffs had alleged the defendant board was “the only common source that collected and continued to store social security numbers that were required to open a credit card account, and also stored outdated personal information (such as maiden names and former married names) during the relevant time periods. Furthermore, other national optometry organizations do not gather or store Social Security numbers, or have investigated and confirmed that their databases have not been breached.”

Based on these allegations, the Court concluded that “the Complaints contained sufficient allegations that [the board] was a plausible source of the Plaintiffs’ personal information. Accordingly, the Complaints contain ‘sufficient factual matter’ to render the Plaintiffs’ allegations plausible on their face with respect to traceability.”

Because the Fourth Circuit held that the injury-in-fact and traceability elements of standing to sue were sufficiently alleged in the complaints, and the third element of redressability was not contested, the Court concluded that the trial court erred in dismissing the complaints for lack of standing, vacated the judgment, and remanded the case for further proceedings.

Print Friendly, PDF & Email

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.