The recent decision in Kimbriel v. Abb, Inc.,19-CV-215 (October 1, 2019), provides insight into how far privacy law has developed in a short time. A couple of years ago there was little guidance as to what a plaintiff needed to establish standing in a data breach case. Many data breach lawsuits were dismissed as courts found the nexus between the breach and the alleged damages to be too weak or speculative to support a viable cause of action. The Kimbriel decision provides a “range” for plaintiffs to show they have standing to bring a lawsuit after a breach. First, the Kimbriel court finds plaintiffs cannot meet their burden to establish standing if they cannot show breached data was used or reasonably could be used after the breach. For example, credit inquiries using breached data is not sufficient to establish standing under the Kimbriel court’s reasoning. On the other end of the range, to meet their burden, plaintiffs will need to show they suffered an injury-in-fact and have standing when they can show criminals used their data. For example, plaintiffs that can show fraudulent credit cards were open with the breached information have a better chance of establishing standing to sue.
The Plaintiffs’ Allegations Related To The Breach Of Personal Information
In Kimbriel, the Defendant, the Plaintiffs’ employer, filed a motion to dismiss the Plaintiffs’ complaint asserting the Defendant breached employee data. Plaintiffs claimed the breach involved a database that housed employees’ sensitive information including full names, addresses, birth dates and social security numbers plaintiffs provided to Defendant in order to participate in an employee health plan. After the breach, the Defendant agreed to pay for identity credit monitoring services for the employees. On February 13, 2019, a credit-monitoring service notified the lead plaintiff, Paula Kimbriel, of five unauthorized credit inquiries with banking institutions.
The Defendant’s Argument That Plaintiffs Lack Standing For This Action
On the other hand, the Defendant argued in its motion to dismiss that Plaintiffs lack standing under Article III of the U.S. Constitution to bring this action because they have not alleged an injury-in-fact. That is, it is well settled by the U.S. Supreme Court that “[t]o establish standing, plaintiffs must show they have suffered an injury-in-fact-an injury that is “concrete, particularized, and actual or imminent[.]” See, Clapper v. Amnesty Int’l USA. The Clapper court held the injury-in-fact must be “fairly traceable to the challenged action[,] and redressable by a favorable ruling.” Id. Threatened injuries cannot be speculative, but “must be certainly impending.” Id.” Questions related to standing have plagued many data breach plaintiffs to the extent it is difficult to show damage (such as credit card fraud) is directly related to a particular breach. The Kimbriel court address this question by creating a range that examines the damage from a breach.
The District Court’s Dismissal Of The Complaint
The District Court dismissed the Plaintiffs’ complaint finding the District Court lacked subject-matter jurisdiction over the plaintiffs’ claims. In particular, the District Court held that without any allegations the hacked personal information had or will be used, in identity theft or fraud, the employees are not capable of demonstrating a concrete injury.
The District Court found this case fell in the middle of two recent decisions that “address injury-in-fact in the data privacy context.” First, Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), provides an example where “the plaintiffs did not have standing because, critically, they could neither show that their data was actually used nor allege enough plausible facts to show that threatened future harms were “certainly impending.” The plaintiff’s allegations in the Beck case were fatally defective since the “mere compromise of personal information, without more, fails to satisfy the injury-in-fact element in the absence of an identity theft.”
On the other end of the range, the court in Hutton v. Nat’l Bd. of Examiners in Optometry, Inc. Hutton v. Nat’l Bd. of Examiners in Optometry, Inc., 892 F.3d 613 (4th Cir. 2018), found “plaintiffs had suffered an injury-in-fact because their data had actually been used to open fraudulent credit card accounts.
Here, the District Court found the Plaintiffs’ allegations in the Kimbriel case were closer to the allegations brought by the plaintiffs in Beck rather than the allegations in Hutton That is, Plaintiffs’ complaint in Kimbriel did not establish the District Court had standing since, “[b]y plaintiffs’ own admission, the credit inquiries do not, by themselves, constitute an independent injury-in-fact.” Further, the District Court rejected the argument that the credit inquiry coupled with allegations that the breach was a result of a targeted phishing scheme, “constitute a sufficient factual basis to conclude there is a certainly impending risk of identity theft.”
While the District Court found the Plaintiffs in Kimbriel presented a stronger case for an injury-in-fact than the plaintiffs in Beck, “their asserted injuries are still too speculative to meet the ‘certainly impending’ threshold” necessary to support their claim.
What The Kimbriel Decision Tells Us About Privacy Law
We can expect other courts to adopt a similar analysis to that seen in Kimbriel as data breach cases continue to reach the courts. Thankfully, not every data breach results in damage to the individuals that had their information compromised. This decision provides an important reminder that not every data breach results in damages.