In a case of first impression within the Fifth Circuit, a district court has dismissed a putative class action complaint brought after a data breach against one of the larger health organizations operating in California and Texas. In Peters v. St. Joseph Services Corp., the District Court for the Southern District of Texas dismissed plaintiff’s claims upon a 12(b)(1) Motion after finding that allegations of an increased risk of future harm were not sufficient to confer standing.
Plaintiff Beverly Peters alleged that hackers had accessed and stolen her information after breaching St. Joseph Health Systems’ data network. Peters alleged that someone had attempted – albeit unsuccessfully – to make purchases on her Discover card and had attempted to access her Amazon account using a family member’s name. Peters claimed these incidents as evidence that she was at an increased risk of imminent harm stemming from the breach. In dismissing the complaint for lack of standing, the court joined the Third Circuit, as well as district courts in Ohio, New Jersey, and the District of Columbia, in finding that Peters’ allegations of an increased risk of future identify theft and fraud were insufficient to survive a motion to dismiss. “’Unless and until these conjectures become true’…Peters’ alleged future injuries are speculative – even hypothetical – but certainly not imminent.” The decision relied upon the Supreme Court’s 2013 opinion in Clapper v. Amnesty International in finding that the mere increased risk of future harm does not confer Article III standing. In doing so, the Southern District of Texas argued that the Clapper decision had “arguably resolved the circuit split” as to whether allegations of risk of future harm were sufficient to confer standing in data breach cases.
Despite the court’s opinion that Clapper has resolved the circuit split over standing in data breach lawsuits, there remains significant division among circuit courts (and even, post-Clapper, among district courts within the same circuit) as to whether an alleged increased risk of future harm stemming from a data breach constitutes imminent injury under Article III. While the Seventh and Ninth Circuits held that such allegations were sufficient to confer standing, both decisions were issued prior to Clapper and district courts within those circuits have decided the issue both ways since the Supreme Court’s opinion. What does appear clear is that plaintiffs in data breach cases face a significant hurdle in a motion to dismiss for lack of standing in the wake of Clapper, and that absent allegations of actual harm already suffered (rather than an increased risk of harm), defendants stand a good chance of dismissing class actions at an early stage.