As we’ve recently discussed, a growing majority of courts have applied the Supreme Court’s Clapper decision in requiring a rigorous analysis for Article III standing in data breach cases. The Southern District of Texas recently took this approach in rejecting standing in a class action filed against a Texas hospital after a cybersecurity breach.
In its complaint, the putative class premised its claims on the Fair Credit Reporting Act (FCRA), Texas statutory law, common law negligence, breach of contract, invasion of privacy, breach of fiduciary duty and breach of confidentiality. The district court, however, didn’t get to the merits of the case, instead dismissing it for lack of standing. Here’s the opinion. The court teed up the issue of standing this way:
This case raises an issue of first impression in this Circuit: whether the heightened risk of future identity theft/fraud posed by a data security breach confers Article III standing on persons whose information may have been accessed. Having reviewed the parties’ submissions and the relevant law, the Court concludes that the answer is no. Based on this determination, the Court finds that Peters has not alleged cognizable Article III injury and therefore lacks standing to bring her federal claims.
The court went on to explain that the risk of injury was not imminent enough, specifically noting: “The Court cannot agree that she faces a ‘certainly impending’ or ‘substantial’ risk of identity theft/fraud as Article III requires, and her Complaint makes the point all too clearly.” The court also held that the alleged injuries “fail[ed] to meet the causation and redressability elements of the standing test,” further explaining:
Peters essentially argues that her injuries are traceable to the FCRA because they stem from St. Joseph’s failure to comply with the requirements of the statute. She contends that as a result of this failure, acts of identity theft/fraud were (and continue to be) perpetrated against her, albeit by unknown third parties, for which St. Joseph should be held responsible: the attempted charge to her credit card; the attempted access to her Amazon.com account; the telephone solicitations she has received from medical products and services companies; the spam email sent from her account; and the physical and electronic materials she has received targeting her recorded medical conditions.
Although it is alleged that St. Joseph’s failures “proximately caused” these injuries, the allegation is conclusory and fails to account for the sufficient break in causation caused by opportunistic third parties. The injuries, to the extent that they meet the first prong, are “the result of the independent action of a third party” and therefore not cognizable under Article III.