By John Van Swearingen
On February 6, 2017, the Fourth Circuit issued a published opinion in the civil case Beck v. McDonald. The plaintiffs appealed the dismissal of their case for lack of subject-matter jurisdiction. In the United States District Court for the District of South Carolina, the plaintiffs brought suit under common-law negligence, the Privacy Act of 1974, 5 U.S.C. § 552(a) (2012) (“Privacy Act”), and the Administrative Procedure Act, 5 U.S.C. §§ 701–706 (2012) (“APA”) following data breaches at the William Jennings Bryan Dorn Veterans Affairs Medical Center (“Dorn VAMC”). The district court dismissed all claims against the Dorn VAMC, holding the court lacked subject-matter jurisdiction since, due to the speculative nature of the claimed injuries, the plaintiffs lacked Article III standing to bring their negligence and Privacy Act claims. The plaintiffs also could not establish standing for injunctive relief under the APA due to their speculative claims. The Fourth Circuit affirmed the district court’s dismissal, holding that the plaintiff’s claimed injuries were speculative, and therefore, the plaintiffs did not satisfy the injury-in-fact requirement for standing.
Facts and Procedural History
On February 11, 2013, a laptop containing the personal information of around 7,400 patients was either misplaced or stolen from the Dorn VAMC. The Dorn VAMC failed to utilize the proper procedures for handling and storing unencrypted patient data. Dorn VAMC notified every patient tested with the laptop and offered each affected individual a free year of credit monitoring. The laptop was never found.
Plaintiffs filed suit on behalf of themselves and the assumed class of 7,400 affected persons. The claims included common-law negligence, declaratory relief and monetary damages under the Privacy Act, and injunctive relief under the APA.
Regarding the Privacy Act claims, the plaintiffs alleged “embarrassment, inconvenience, unfairness, mental distress, and the threat of current and future substantial harm from identity theft and other misuse of their Personal Information.” Further, the plaintiffs claimed that they were required to purchase credit monitoring services, monitor financial statements, and move their bank accounts to different institutions.
Regarding the APA claims, the plaintiffs sought to enjoin the Dorn VAMC from transferring any new patient information until the facility could demonstrate adequate security measures. The plaintiffs also sought an order requiring the Dorn VAMC to identify and destroy any improperly-maintained records.
A second set of plaintiffs brought suit against the Dorn VAMC regarding the July 2014 loss of four boxes of pathology reports. The boxes contained the information of some 2,000 individuals. These plaintiffs sued on behalf of themselves and this second presumptive class. The claims involved almost identical factual and legal issues as those of the first set of plaintiffs, and the cases were consolidated.
The district court dismissed all claims against the Dorn VAMC for failure to allege injury-in-fact necessary to satisfy Article III standing requirements. Therefore, the district court held, it lacked subject-matter jurisdiction. The plaintiffs appealed.
Article III Standing for Threatened Injuries
The injury-in-fact requirement for Article III standing was recently explored by the Supreme Court in Clapper v. Amnesty Int’l USA, No. 11–1025, (U.S. Feb. 23, 2013). In Clapper, the Court held that a “threatened injury must be certainly impending” in order to satisfy the injury-in-fact requirement for Article III standing. Further, a plaintiff could not “manufacture standing” by taking preventative measures against a non-imminent, uncertain harm.
The Negligence and Privacy Act Claims
The Fourth Circuit analyzed the plaintiffs’ claims under Clapper and found that neither the common-law negligence claims nor the Privacy Act claims met the standard of “certainly impending” injury.
Here, the plaintiffs did not plead that the loss of their personal information resulted in any actual harm due to identity theft. The plaintiffs lack evidence of any kind to support that their information was stolen for the purposes of exploitation through identity theft. Thus, plaintiffs’ claims are only speculative in nature – they do not “certainly impending” harms.
Clapper also held that a plaintiff could establish injury-in-fact by showing that a “substantial risk” of impending harm forced the plaintiff to incur costs to mitigate or avoid the harm.
Here, the plaintiffs plead that one-third of health-care data breaches result in identity theft, and the Dorn VAMC’s offer of free credit monitoring was a concession that the risk to plaintiffs was reasonably likely.
The Fourth Circuit noted that, if one-third of breaches result in identity theft, two-thirds do not, and therefore, the risk is not substantial. Further, notion that a harm is “reasonably likely” to occur does not render that risk of harm “substantial” or “imminent.”
Finally, the Fourth Circuit noted that, since the risk of identity theft was merely speculative, the plaintiffs here could not manufacture standing by incurring costs associated with identity theft protection services. Thus, since the injuries claimed under common-law negligence and the Privacy Act were only speculative – and therefore not “certainly impending – the plaintiffs lacked Article III standing.
The APA Claims
The APA confers standing to any “adversely affected” party suing thereunder, and thus, the plaintiffs do not require Article III standing to sue under the statute. However, City of Los Angeles v. Lyons, 461 U.S. 95, 101–02 (1983), which governs the standing requirements of a plaintiff seeking injunctive relief, requires a plaintiff to show that the threat of injury must be “real and immediate.” A “conjectural” or “hypothetical” threat will not merit injunctive relief. The test, therefore, echoes the language of Clapper.
Here, the plaintiffs plead that their information was taken in two separate data breaches, but they lacked a factual basis to assert any future breaches by Dorn VAMC past a mere possibility. Thus, the plaintiffs lacked standing to seek injunctive relief under the APA.
Disposition
The Fourth Circuit affirmed the district court’s dismissal of the plaintiffs’ claims for lack of subject-matter jurisdiction. The speculative nature of the plaintiffs’ claims under common-law negligence and the Privacy Act meant the plaintiffs failed to establish the “injury-in-fact” requirement for Article III standing. Further, the speculative nature of the plaintiffs’ claims under the APA failed to meet the standing requirement for injunctive relief. Thus, the plaintiffs failed to establish standing for all claims, and dismissal for lack of subject-matter jurisdiction was proper.