Circuit Split on Data Breach Litigation
On March 25th, 2019, the Supreme Court denied review of a case involving individuals whose personal information held in a database was breached by hackers. Specifically, the issue was whether the parties requesting review had Article III “standing” to sue due to the database breach.
Standing is the authority of a court to hear a case. For the court to exercise such authority, the court will only hear cases based on events that cause actual injuries or create real threats of imminent harm to individuals who brought the case. The D.C. Circuit Court in its ruling of June 21st, 2019 deepened the split among contradicting circuit rulings. The D.C. Circuit Court ruled the petitioning party had standing to bring the case due to the breach of 21.5 million social security numbers, birth dates, and residency details of former, current, and prospective employees. The court held that, the plaintiff’s fear of facing a substantial risk of future identity theft met the burden to establish standing.
While the Sixth, Seventh, and Ninth circuits have similarly concluded that a heightened risk of identity theft is sufficient for individuals to possess standing to sue; the Second, Third, Fourth, and Eighth Circuits have ruled in the opposite direction. Distinct facts from this latest data breach case include the nature of the defendant being a federal government agency and the alleged identity of the hacker being a foreign government entity where the breach was executed for purposes other than identity theft. Nonetheless, the D.C. Circuit Court found the federal government agency liable as well as Office of Personnel Management’s (OPMs) third-party vendor, despite the contract between the two parties. The Supreme Court may need to review and rule on this crucial issue in the near future given the current split of authority.
© 2019 Vandenack Weaver LLC
For more information, Contact Us