With data breach incidents on the rise, federal courts are grappling with the issue of standing in class action lawsuits arising from data breaches. As Lawfare has covered previously, there is arguably a circuit split over whether plaintiffs can establish an “injury in fact,” one of three constitutional standing requirements, on the grounds that a breach has put them at a heightened risk of identity theft.
In a 2-1 decision this past summer titled In re: U.S. Office of Personnel Management Data Security Breach Litigation, the U.S. Court of Appeals for the D.C. Circuit weighed in on that question, ruling that plaintiffs whose personal information was exposed in the 2014 infiltrations of the Office of Personnel Management (OPM) sufficiently alleged an “injury in fact” based on their “risk of future identity theft.” The court, in a per curiam opinion, added clarity as to the bar data breach victims must clear in order to establish that they have standing. And because the Supreme Court passed on two opportunities last term to apply its standing doctrine in data breach class actions, the D.C. Circuit’s decision serves as an important marker of the current state of the law.
This post examines the court’s holding with regard to standing for those plaintiffs who brought statutory claims against the government and a government contractor responsible for the OPM database.
In 2015, OPM revealed that in “two separate but related cybersecurity incidents” the personal information of 21.5 million former, current and prospective federal employees had been stolen from its databases. According to the government, the information included full names, birthdates, home addresses, Social Security Numbers, fingerprints, and “findings from interviews conducted by background investigators,” such as “some information regarding mental health and financial history provided by applicants and people contacted during the background investigation.” On Lawfare, former national security official Michael Adams explained why the OPM breach involved “the greatest theft of sensitive personnel data in history.”
The magnitude of the breach led to national headlines and congressional hearings. While the U.S. government did not formally accuse the Chinese government of committing the hack, then-Director of National Intelligence James Clapper said in 2015 that China was the “leading suspect,” famously adding that “you have to kind of salute the Chinese for what they did.” More recently, the FBI arrested a Chinese national allegedly connected to the OPM breach.
The OPM breach was also the source of 21 lawsuits filed in various judicial districts. The lawsuits were assigned to the U.S. District Court for the District of Columbia and ultimately consolidated into two complaints. In one complaint, the American Federation of Government Employees filed a putative class action on behalf of several individual plaintiffs and a class of others similarly affected by the breaches (“Arnold Plaintiffs,” named after one of the individual plaintiffs) against OPM and KeyPoint Government Solutions, Inc., a contractor used by federal agencies to conduct background checks. The Arnold Plaintiffs brought claims against the government under multiple federal statutes. On appeal, the Arnold Plaintiffs only asserted their claims under the Privacy Act of 1974, which requires that agencies “establish appropriate ... safeguards to insure the security and confidentiality of records and to protect against any anticipated threats or hazards to their security or integrity ....” Against KeyPoint, they brought a variety of common law and statutory claims.
The second complaint was filed by the National Treasury Employees Union and three of its members. They sought declaratory and injunctive relief against the acting director of OPM in her official capacity based on an alleged violation of their “constitutional right to informational privacy.”
The district court dismissed both complaints, finding that the Arnold Plaintiffs lacked standing and that the doctrine of sovereign immunity barred their claims from going forward.
D.C. Circuit Decision
Under the Article III “case or controversy” requirement, the federal judicial power is generally limited to cases where the plaintiff has “(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” And in certain cases, the Supreme Court has recognized that “a substantial risk that the harm will occur” in the future is enough for a plaintiff to establish standing. Regarding the Arnold Plaintiffs’ claims, the D.C. Circuit focused its analysis on the “injury in fact” element.
As the majority opinion summarized, certain of the Arnold Plaintiffs claimed “to have suffered a variety of past and future data-breach related harms,” including “the improper use of their Social Security numbers, unauthorized charges to existing credit card and bank accounts, fraudulent openings of new credit card and other financial accounts, and the filing of fraudulent tax returns in their names.” The court also noted that some plaintiffs had spent “time and money” both to address fraudulent transactions made in their name and in taking measures to mitigate the increased risk of identity theft caused by the OPM breach. And one of the plaintiffs had been informed by the FBI that her information had been obtained by the Islamic State. For the purpose of its standing analysis, however, the court stated that it would “focus on [the] one injury [that all of the Arnold Plaintiffs] share” as a result of being involved in the breach: “the risk of future identity theft.”
The court determined it necessary to credit only some—but not all—of the Arnold Plaintiffs’ allegations to find that they indeed faced a substantial risk of future identity theft and, in turn, met the “injury in fact” requirement. To reach that conclusion, the court referred to its 2017 decision in Attias v. CareFirst. There, the court ruled that a health insurance company’s negligent failure to thwart a data breach that exposed plaintiffs’ personal identification information, credit card numbers and Social Security numbers created a substantial future risk of identity theft since, with that information, a cyber intruder could open new financial accounts and incur charges in another person’s name, among other sorts of financial fraud. With respect to the Arnold Plaintiffs’ claims, the court emphasized that the information disclosed in the OPM hack potentially put plaintiffs at even more of a risk of identity theft than those in Attias. In comparison to credit card numbers that can be changed, the court noted that the OPM hack included Social Security numbers and home addresses, which are not easily changed, and birth dates and fingerprints, which, as the court wrote, “are with us forever.” Particularly since some Arnold Plaintiffs had already experienced the “unauthorized opening of new credit card and other financial accounts and the filing of fraudulent tax returns in their names,” the court “conclude[d] that not only do the incidents of identity theft that have already occurred illustrate the nefarious uses to which the stolen information may be put, but they also support the inference that Arnold Plaintiffs face a substantial ... risk of future identity theft.” As the court wrote succinctly, “It hardly takes a criminal mastermind to imagine how such information could be used to commit identity theft.”
Some courts have suggested that there is a circuit split “on whether a plaintiff may establish an Article III injury-in-fact based on an increased risk of future identity theft.” But the D.C. Circuit majority seemed careful to avoid such a framing, distinguishing two out-of-circuit decisions that the government’s brief cited in support of its position on their facts. In Beck v. McDonald, the Fourth Circuit found that plaintiffs failed to allege an injury in a lawsuit that arose out of a stolen or misplaced laptop from a Veterans Affairs medical center. And in Reilly v. Ceridian Corp., the Third Circuit ruled that plaintiffs did not have standing where hackers infiltrated a company’s payroll database but it was “‘not known whether the hacker read, copied, or understood the data.’” The D.C. Circuit, however, noted that the Arnold Plaintiffs advanced two claims that were missing from both of these prior cases: first, that the OPM hackers “intentionally targeted [the Arnold Plaintiffs’] information[;]” and, second, that their evidence of “subsequent misuse of that information” bolstered the credibility of the Arnold Plaintiffs’ purported risk of future harm. In the court’s view, this was sufficient to distinguish those prior opinions.
Both the district court and a dissent written by Judge Stephen Williams disagreed with the majority’s conclusion. In dismissing the complaint for lack of standing, the district court focused on the suspected identity of the hackers. Although the Arnold Plaintiffs did not make any allegations concerning the identity of the OPM intruders, and the district court noted that determining the identity of the hackers was “beyond the scope of this proceeding at this juncture,” the court cited multiple news articles that suggested that the Chinese government was responsible for the breach. Based on that inference, it concluded that the complaint did not sufficiently allege that “those behind this attack are likely to use the information for credit card fraud or identity theft purposes, that they are likely to make it available to other criminals for that purpose, or that the breach has enabled other bad actors to have greater access to the information than they did before.” The dissent’s approach focused on the government nature of the target. Judge Williams wrote that because this case involves government databases, “hacking focused entirely on pursuit of espionage” was an “obvious alternative explanation” for the intrusion that made the risk of criminal identity theft virtually nonexistent.
The majority rejected both lines of argument. First, the court was critical of the district court for conducting what it described as “its own extra-record research” since neither the Arnold Plaintiffs nor the government made allegations concerning the identity of the hackers. Then, more generally, the court explained that plaintiffs could still be at risk of identity theft even if the hackers had other goals. “[T]he likely existence of an espionage-related motive hardly renders implausible Arnold Plaintiffs’ claim that they face a substantial future risk of identity theft and financial fraud as a result of the breaches,” the majority wrote.
On causation, the second standing requirement, the court’s discussion was relatively brief. Because the Arnold Plaintiffs had alleged that the hackers were able to get in as a result of OPM’s “failure to secure its information systems,” the court found that “their claimed data breach-related injuries are fairly traceable” to OPM. Judge Williams’s dissent challenged that conclusion by noting that, in a class of 21.5 million, it was unremarkable that some individuals had experienced identity theft, making the link between the OPM breach and the identity theft already experienced attenuated at best. But the court found that line of argument unpersuasive. Given the facts the Arnold Plaintiffs had alleged, the court explained that the possibility that they had been victims of other data breaches did not defeat their claims on causation. The court also held that plaintiffs had adequately alleged that their injuries were traceable to KeyPoint, the government contractor, on the grounds that the intruders obtained access to the database with KeyPoint credentials and that KeyPoint may have been negligent in its data security practices.
And on the final element of standing, redressability, the court found that “the money damages Arnold Plaintiffs seek can redress certain proven injuries related to that risk (such as reasonably-incurred credit monitoring costs).” Neither the district court nor the dissent discussed the issue of redressability.
Lastly, Arnold Plaintiffs had to clear the jurisdictional hurdle of showing that they had unlocked the Privacy Act’s waiver of sovereign immunity, codified at 5 U.S.C. § 552a(g)(4), which expressly authorizes a cause of action against the government where the agency “intentional[ly] or willful[ly]” violates the act and plaintiffs sustain “actual damages” that are “as a result” of that violation. Relying on findings from OPM inspector general reports that “repeatedly warned OPM about material deficiencies in its information security systems,” the court determined that the Arnold Plaintiffs had sufficiently alleged that OPM’s violation was willful and met the causation requirement. And pointing to certain of the Arnold Plaintiffs who had spent money to protect themselves from identity theft, the court found that the Arnold Plaintiffs adequately pleaded that they suffered “actual damages” within the meaning of the Privacy Act. The court also held that KeyPoint was not entitled to derivative sovereign immunity, under which contractors sometimes “obtain certain immunity in connection with work which they do pursuant to their contractual undertakings with the [federal government].”
No two data breach incidents are entirely alike, and given the fact-intensive nature of the standing inquiry, it’s difficult to draw decisive conclusions from any single decision. (As a federal district court in Florida recently observed after reviewing several of the recent appellate court decisions, “the differing sets of facts involved in each circuit’s decision are what appear to have driven the ultimate decision on standing, not necessarily a fundamental disagreement on the law.”) However, building on its prior decision in Attias, the majority’s opinion suggests that the courtroom doors may be open for plaintiffs whose unchangeable personal information is deliberately stolen and who have reason to believe that they may be at risk of identity theft. Without further guidance from the Supreme Court, the D.C. Circuit’s approach is likely to influence both litigants and judges in the inevitable lawsuits to come.