It’s become an unfortunate rite of passage for the modern age: the receipt of a letter from a company explaining that one’s personal information been lost or stolen in a data breach.

The letter usually offers to provide free credit monitoring or identity-theft insurance through a third-party vendor. The law usually does not require this type of offer, but companies do it anyway. One reason may be because these types of offers have been shown to reduce the chance of consumer lawsuits.

But if consumers do sue, can the company’s offer be used against it? 

This post addresses this question, one recently addressed by three federal appellate courts. As we’ll see, those courts analyzed whether the plaintiffs had Article III standing, a key issue in data-breach litigation.

Standing in data breach cases

In a typical data-breach case, individuals sue the breached company before thieves have misused their data. The alleged injury, then, is usually an increased risk of future fraud or identity theft.

Future harm, however, is often not enough to establish Article III standing in federal court. In Clapper v. Amnesty International, the U.S. Supreme Court confirmed that an alleged “future injury” constitutes an injury-in-fact—and satisfies Article III standing—only if that future injury is “certainly impending.”

This standard, the Supreme Court explained, does not always mean “literally certain.” Instead, a court may find standing based on a showing of “substantial risk” that harm will occur, “which may prompt the plaintiffs to reasonably incur costs to mitigate or avoid that harm.” 

Federal courts assessing standing in recent data-breach cases have turned to Clapper and the “substantial risk” standard. The Seventh Circuit’s decision in Remijas v. Neiman Marcus and the Sixth Circuit’s decision in Galaria v. Nationwide are two leading examples. In both cases:

• the defendants suffered breaches of their networks by hackers who targeted and stole customers’ personal information;

• the defendants sent consumers notification letters that included an offer to provide free credit monitoring and identify-theft protection insurance; and

• the plaintiffs’ injuries consisted in part of an alleged risk of future identity theft.

On these facts, the district courts in both dismissed the plaintiffs’ claims for lack of standing. The appeals, however, yielded different results.

In Remijas, the Seventh Circuit concluded that the threat of future harm, and expenditures made by the plaintiffs to protect against that threat, established standing under Clapper. The Seventh Circuit focused specifically on “telling” evidence that Neiman Marcus had offered free protective services to consumers after the breach. The cost of that offer was not de minimis, the court noted. According to the Seventh Circuit, Neiman Marcus would not have offered the services if the risk to the plaintiffs were so “ephemeral” that it “could safely be disregarded.” 

Interestingly, the plaintiffs’ brief never argued this point.  It only appears to have arisen in questioning by Chief Judge Diane Wood, the author of the court’s decision, at oral argument. 

The Sixth Circuit followed the same reasoning in Galaria. It concluded that the plaintiffs’ allegations of a substantial risk of harm, coupled with reasonably incurred mitigation costs, were sufficient to overcome a Rule 12(b)(1) motion. The Sixth Circuit relied in part on the defendant’s offer of free credit monitoring, reasoning that the offer must reflect the severity of the risk.

In doing so, the Sixth Circuit rejected the company’s public-policy argument: companies might stop offering these free services if the offers themselves give rise to lawsuits.

Beck v. McDonald: Don’t punish good deeds.

A third recent appellate case, however, is more favorable for defendants.

In Beck v. McDonald, the Fourth Circuit considered whether individuals had standing to assert claims arising from data breaches at a Veterans Affairs hospital. One breach was caused by the theft of a laptop containing patients’ unencrypted personal information. Another breach was caused by the theft or misplacement of four boxes of pathology reports. In each case, hospital officials notified affected individuals of the breach and offered free credit monitoring. 

Individuals affected by each incident filed separate class actions against the Secretary of Veterans Affairs and hospital officials. In each case, the plaintiffs’ alleged injuries consisted of the threat of future identity theft and measures taken to mitigate that threat.  In each case, the district court relied on Clapper to dismiss the plaintiffs’ claim for lack of standing.

On appeal, the plaintiffs turned to Remijas. They emphasized that the expenditure of federal funds on credit monitoring showed a substantial risk of harm to the plaintiffs. 

The Fourth Circuit, however, sidestepped this argument. Instead, the court distinguished Remijas and Galaria on the ground that those cases involved thieves who intentionally targeted personal information. In Beck, by contrast, there was no evidence the missing laptop or pathology reports were taken because of the personal information they contained. 

In addition, the Fourth Circuit adopted the very public-policy point that the Sixth Circuit disregarded in Galaria. The Fourth Circuit reasoned that, if an offer to provide free credit monitoring services is interpreted to imply a substantial risk of harm, organizations would be discouraged from offering these valuable services.

Implications for Companies

Remijas and Galaria deserve some consideration by companies deciding whether to offer free credit monitoring in the wake of a data breach.  But in most cases the benefits of offering these services—meeting customer expectations, preserving goodwill, and possibly avoiding the filing of an action—will outweigh the risk.  That’s especially true now that a defendant can turn to the Fourth Circuit’s decision in Beck if plaintiffs try to turn its generosity against it. 

Author: Alex Pearce