In a typical data-breach lawsuit, a business acknowledges it has been hacked.  Indeed, the precipitating event leading to litigation is often the business’s notification to affected individuals that their personal information has been compromised.

What if individuals suspect a business has been hacked, but the business denies it? Can those individuals still maintain claims against the business for failing to protect their personal information?

An interesting recent decision from the Fourth Circuit addressed that question. This post studies that decision, called Hutton v. National Board of Examiners of Optometry. 

It’s true. I saw it on Facebook.

Hutton arose after optometrists throughout the country noticed that credit card accounts had been fraudulently opened in their names. The victims—who believed that thieves stole their personal information—discussed the thefts in a Facebook group for optometrists. 

Through those discussions, the optometrists concluded that a common source to which they had all given their personal information, including social security numbers, was the National Board of Examiners in Optometry. NBEO creates and administers licensing examinations in the field of optometry.

NBEO learned of the optometrists’ concerns. In response, NBEO released a statement on Facebook asserting that “after a thorough investigation” NBEO had determined that its systems had “NOT been compromised.” 

Shortly thereafter, however, NBEO revised that view. It issued subsequent statements explaining that it had “decided to further investigate” whether its systems had been compromised and advising optometrists to “remain vigilant” in checking their credit.

Dissatisfied with that response, the optometrists sued. Their complaint asserted that NBEO had suffered a data breach and asserted claims against NBEO that included negligence and breach of contract based on NBEO’s failure to protect their personal information.

The district court’s opinion: no fraudulent charges + no confirmed data breach = no standing

NBEO moved to dismiss the complaint under Rule 12(b)(1) for lack of standing, and made two arguments:

• the optometrists couldn’t establish an injury-in-fact because they did not allege they incurred any fraudulent charges on the accounts opened in their names; and
• any injury the optometrists suffered was not fairly traceable to NBEO, because the complaint’s data-breach allegations, which relied on the “bare assertions” derived from a Facebook group discussion, were speculative and conclusory.

The district court agreed on both counts and dismissed for lack of standing. 

First, relying on its earlier data-breach standing decision in Beck v. McDonald, the court found that the plaintiffs could not show an injury-in-fact.  Like the plaintiffs in Beck, reasoned the court, the optometrists did not allege that they sustained any actual economic injury.  Instead, they alleged a series of pecuniary harms that could happen, such as use of their information to commit immigration fraud, to obtain government benefits, or to file fraudulent tax returns.  But those theoretical future harms were speculative and insufficient to establish a concrete injury under Article III.

Second, the court held that the optometrists’ data-breach allegations were “sheer speculation,” insufficient to establish a link between any injury and NBEO’s conduct. Nor, explained the court, could that link arise from NBEO’s “neutral announcement” that it had decided to investigate whether an intrusion occurred, especially since NBEO denied that one had.

The Fourth Circuit reverses

The Fourth Circuit disagreed, and found that the optometrists had pleaded facts sufficient to establish standing under Article III.

On injury-in-fact, the court distinguished the optometrists’ allegations from those at issue in Beck.  In Beck, the court explained, the plaintiffs alleged a threat of future injury from the potential misuse of their information, but no actual misuse. 

Here, in contrast, the optometrists alleged that thieves used their personal information had to open fraudulent accounts in their names. That the thieves made no fraudulent charges to those accounts didn’t matter: use of the optometrists’ personal information to open accounts without their knowledge or approval was itself a concrete injury for Article III purposes.

Second, the court held that the optometrists’ injuries were fairly traceable to NBEO’s conduct, even though NBEO denied that it ever suffered a data breach. The optometrists, the court explained, had alleged that they provided the information used to open the fraudulent accounts to NBEO, and that NBEO was the only common source of that information.  Those allegations, reasoned the court, provided “sufficient factual matter” to render the optometrists’ data-breach allegations plausible on their face.  And that, concluded the court, was enough to establish traceability under Article III.

Key takeaways from Hutton

Hutton represents a significant victory for data breach plaintiffs in the Fourth Circuit, in at least two important respects. 

First, the decision makes clear that plaintiffs need not allege actual economic injury—such as fraudulent charges made in their name—to establish an injury-in-fact.  Allegations that personal information has been stolen and “used in a fraudulent manner” are enough.

Second, under Hutton’s reasoning, a data-breach lawsuit can survive dismissal for lack of standing even without a confirmed data breach.  If plaintiffs can plausibly allege that a business was the likely source of fraudulently misused personal information, Hutton suggests a complaint will survive dismissal at the pleadings stage, even if the business steadfastly denies a breach occurred.

Hutton also shows the importance of an incident response plan that includes a well-managed communications strategy.  By saying too little too late about the suspected data breach once it became aware of the optometrists’s concerns, NBEO likely brought focus to their efforts to assign blame for the data theft. 

Author: Alex Pearce