Richard Beck v. Robert McDonald, 848 F.3d 262 (2017)


    PUBLISHED
    UNITED STATES COURT OF APPEALS
    FOR THE FOURTH CIRCUIT
    No. 15-1395
    RICHARD G. BECK; LAKRESHIA R. JEFFERY; BEVERLY WATSON;
    CHERYL GAJADHAR; JEFFERY WILLHITE, on behalf of themselves and all
    others similarly situated,
    Plaintiffs - Appellants,
    v.
    ROBERT A. MCDONALD, in his official capacity as Secretary of Veterans
    Affairs; TIMOTHY B. MCMURRY, in his official capacity as the former Medical
    Director of William Jennings Bryan Dorn VA Medical Center; BERNARD L.
    DEKONING, in his official capacity as the Chief of Staff of William Jennings
    Bryan Dorn VA Medical Center; RUTH MUSTARD, RN, Director for Patient
    Care-Nursing Services of William Jennings Bryan Dorn VA Medical Center; JON
    ZIVONY, Assistant Director of William Jennings Bryan Dorn VA Medical Center;
    DAVID L. OMURA, in his official capacity as the Associate Director of William
    Jennings Bryan Dorn VA Medical Center,
    Defendants – Appellees.
    No. 15-1715
    BEVERLY WATSON, on behalf of herself and all others similarly situated,
    Plaintiff - Appellant,
    v.
    ROBERT A. MCDONALD, in his official capacity as Secretary of Veterans
    Affairs; TIMOTHY MCMURRY, in his official capacity as the Medical Director
    of William Jennings Bryan Dorn VA Medical Center; RUTH MUSTARD, RN, in
    her official capacity as the Associate Director for Patient Care/Nursing Services of
    William Jennings Bryan Dorn VA Medical Center; DAVID L. OMURA, in his
    official capacity as the Associate Director of William Jennings Bryan Dorn VA
    Medical Center; JON ZIVONY, in his official capacity as the Assistant Director of
    William Jennings Bryan Dorn VA Medical Center; SUE PANFIL, in her official
    capacity as the Privacy Officer of William Jennings Bryan Dorn VA Medical
    Center,
    Defendants – Appellees.
    Appeals from the United States District Court for the District of South Carolina, at
    Columbia. Terry L. Wooten, Chief District Judge. (3:13-cv-00999-TLW; 3:14-cv-03594-TLW)
    Argued: September 20, 2016                                    Decided: February 6, 2017
    Before NIEMEYER and DIAZ, Circuit Judges, and Irene M. KEELEY, United States
    District Judge for the Northern District of West Virginia, sitting by designation.
    Affirmed by published opinion. Judge Diaz wrote the opinion, in which Judge Niemeyer
    and Judge Keeley joined.
    ARGUED: Douglas J. Rosinski, Columbia, South Carolina, for Appellants. Sonia
    Katherine McNeil, UNITED STATES DEPARTMENT OF JUSTICE, Washington, D.C.,
    for Appellees. ON BRIEF: D. Michael Kelly, Bradley D. Hewett, MIKE KELLY LAW
    GROUP, LLC, Columbia, South Carolina, for Appellants. Benjamin C. Mizer, Principal
    Deputy Assistant Attorney General, Mark B. Stern, Civil Division, UNITED STATES
    DEPARTMENT OF JUSTICE, Washington, D.C.; William N. Nettles, United States
    Attorney, OFFICE OF THE UNITED STATES ATTORNEY, Columbia, South Carolina,
    for Appellees.
    DIAZ, Circuit Judge:
    The Plaintiffs in these consolidated appeals are veterans who received medical
    treatment and health care at the William Jennings Bryan Dorn Veterans Affairs Medical
    Center (“Dorn VAMC”) in Columbia, South Carolina. After two data breaches at the
    Center compromised their personal information, the Plaintiffs brought separate actions
    against the Secretary of Veterans Affairs and Dorn VAMC officials (“Defendants”),
    alleging violations of the Privacy Act of 1974, 5 U.S.C. § 552a et seq. and the
    Administrative Procedure Act (“APA”), 5 U.S.C. § 701 et seq.
    In both cases, the Plaintiffs sought to establish Article III standing based on the
    harm from the increased risk of future identity theft and the cost of measures to protect
    against it. The district court dismissed the actions for lack of subject-matter jurisdiction,
    holding that the Plaintiffs failed to establish a non-speculative, imminent injury-in-fact
    for purposes of Article III standing. We agree with the district court and therefore affirm.
    I.
    A.
    The Beck case arises from a report that on February 11, 2013, a laptop connected
    to a pulmonary function testing device with a Velcro strip was misplaced or stolen from
    Dorn VAMC’s Respiratory Therapy department. The laptop contains unencrypted
    personal information of approximately 7,400 patients, including names, birth dates, the
    last four digits of social security numbers, and physical descriptors (age, race, gender,
    height, and weight).
    An internal investigation determined that the laptop was likely stolen and that
    Dorn VAMC failed to follow the policies and procedures for utilizing a non-encrypted
    laptop to store patient information. Dorn VAMC officials used medical appointment
    records to notify every patient tested using the missing laptop and offered one year of
    free credit monitoring. To date, the laptop has not been recovered.
    Richard Beck and Lakreshia Jeffery (the “Beck plaintiffs”) [1] filed suit on behalf of
    a putative class of the approximately 7,400 patients whose information was stored on the
    missing laptop. Relevant to this appeal, the Beck plaintiffs sought declaratory relief and
    monetary damages under the Privacy Act, alleging that the “Defendants’ failures” and
    “violations” of the Privacy Act “caused Plaintiffs . . . embarrassment, inconvenience,
    unfairness, mental distress, and the threat of current and future substantial harm from
    identity theft and other misuse of their Personal Information.” J.A. 12. They further
    allege that the “threat of identity theft” required them to frequently monitor their “credit
    reports, bank statements, health insurance reports, and other similar information,
    purchas[e] credit watch services, and [shift] financial accounts.” J.A. 12.
    [1] The Beck plaintiffs later amended their complaint to add as named plaintiffs
    Beverly Watson, Cheryl Gajadhar, and Jeffery Willhite.
    In addition to their Privacy Act claims, the Beck plaintiffs sought broad injunctive
    relief under the APA, requiring the VA to account for all Privacy Act records in the
    possession of Dorn VAMC and to recover and permanently destroy any improperly
    maintained records. The Beck plaintiffs also sought to enjoin the Defendants from
    transferring patient information from computer systems to any portable device “until and
    unless Defendants demonstrate to the Court that adequate information security has been
    established.” J.A. 23. Finally, the Beck plaintiffs alleged separate common-law
    negligence claims.
    The Defendants moved to dismiss for lack of subject-matter jurisdiction or, in the
    alternative, for failure to state a claim. The district court granted the motion as to the
    common-law negligence claims, but declined to dismiss the Privacy Act and APA claims.
    Following extensive discovery, the Plaintiffs moved for partial summary judgment
    and for class certification. The Defendants renewed their motion to dismiss the
    Plaintiffs’ claims for lack of subject-matter jurisdiction and, in the alternative, moved for
    summary judgment. The district court granted the Defendants’ motion to dismiss,
    holding, pursuant to Clapper v. Amnesty International USA, 133 S. Ct. 1138, 1155
    (2013), that the Beck plaintiffs lacked standing under the Privacy Act because they had
    “not submitted evidence sufficient to create a genuine issue of material fact as to whether
    they face a ‘certainly impending’ risk of identity theft.” J.A. 1059.
    The Beck plaintiffs’ fear of harm from future identity theft, said the district court,
    was too speculative to confer standing because it was “contingent on a chain of
    attenuated hypothetical events and actions by third parties independent of the
    defendants.” J.A. 1059 (citing Clapper, 113 S. Ct. at 1148). The Beck plaintiffs also
    failed to satisfy the “lesser standard” of “substantial risk” of future harm referenced in
    Clapper: The plaintiffs’ calculations that 33% of those affected by the laptop theft would
    have their identities stolen and that all affected would be 9.5 times more likely to
    experience identity theft “d[id] not suffice to show a substantial risk of identity theft.”
    J.A. 1060.
    The district court also rejected the Beck plaintiffs’ attempt to “create standing by
    choosing to purchase credit monitoring services or taking any other steps designed to
    mitigate the speculative harm of future identity theft.” J.A. 1061. These measures,
    according to the court, did not amount to an injury-in-fact because they were taken solely
    “to mitigate a speculative future harm.” J.A. 1061.
    Turning to the Beck plaintiffs’ request for injunctive relief under the APA, the
    district court acknowledged that the claim that “there have been at least seventeen data
    breaches at Dorn [VAMC] during the course of th[e] [Beck] litigation” was “undoubtedly
    concerning.” J.A. 1064. Nonetheless, the court concluded that Dorn VAMC’s “past
    Privacy Act violations are insufficient to establish Plaintiffs’ standing to seek injunctive
    relief” where it was “no more than speculation for Plaintiffs to assert that their personal
    information will again be compromised by a future Privacy Act violation and that they
    will be injured as a result.” J.A. 1064.
    The district court ruled in the alternative that the Defendants were entitled to
    summary judgment on the merits, because: (1) the Beck plaintiffs had not suffered “actual
    damages” as required to recover damages under the Privacy Act, and (2) the APA could
    not be read to “provide for the broad judicial oversight” of the VA’s entire privacy
    program sought by the Plaintiffs. J.A. 1067–68.
    B.
    The Watson case arises from Dorn VAMC’s July 2014 discovery that four boxes
    of pathology reports headed for long-term storage had been misplaced or stolen. The
    reports contain identifying information of over 2,000 patients, including names, social
    security numbers, and medical diagnoses. Dorn VAMC officials alerted those affected
    and, as they did following the laptop’s disappearance, offered each of them one year of
    free credit monitoring. The boxes have not been recovered.
    While the Beck litigation was pending, Beverly Watson [2] brought a putative
    class-action lawsuit on behalf of the over 2,000 individuals whose pathology reports had
    gone missing. Watson sought money damages and declaratory and injunctive relief, alleging
    the same harm as did the Beck plaintiffs. The Defendants moved to dismiss the
    complaint for lack of subject-matter jurisdiction and for failure to state a claim.
    [2] Ms. Watson is also a named plaintiff in Beck.
    The district court granted the Defendants’ motion to dismiss for lack of
    subject-matter jurisdiction, relying on Clapper to hold that Watson lacked Article III
    standing under the Privacy Act because she “ha[d] not alleged that there ha[d] been any
    actual or attempted misuse of her personal information,” thus rendering her allegation that
    her information “will eventually be misused as a result of the disappearance of the boxes
    . . . speculative.” J.A. 1091.
    According to the district court, for Watson to suffer the injury she feared, the court
    would have to assume that: (1) the boxes were stolen by someone bent on misusing the
    personal information in the pathology reports; (2) the thief would select Watson’s report
    from the over 3,600 reports in the missing boxes; (3) the thief would then attempt to use
    or sell to others Watson’s personal information; and (4) the thief or purchaser of
    Watson’s information would successfully use the information in the report to steal
    Watson’s identity. This “attenuated chain of possibilities” did not satisfy Watson’s
    burden to show that her threatened injury was “certainly impending.” J.A. 1092. As it
    did in Beck, the district court rejected Watson’s allegations that any costs incurred to fend
    off future identity theft constituted an injury-in-fact.
    Turning to Watson’s claim for injunctive relief under the APA, the district court
    concluded that her allegations, based on Dorn VAMC’s “historic inability or
    unwillingness to protect Plaintiff’s personal information” were insufficient to show that,
    absent injunctive relief, she would be “in real and immediate danger of sustaining a direct
    injury as a result of some official conduct.” J.A. 1096.
    All Plaintiffs appeal the district court’s ruling as to Article III standing. [3] The Beck
    plaintiffs also appeal the district court’s alternative ruling that the Defendants are entitled
    to summary judgment on the Privacy Act and APA claims. Because we find that the
    Plaintiffs do not have Article III standing, we do not address the merits.
    [3] We granted an unopposed motion to consolidate the cases.
    II.
    We review de novo the district court’s decision to dismiss for lack of standing.
    24th Senatorial Dist. Republican Comm. v. Alcorn, 820 F.3d 624, 628 (4th Cir. 2016).
    Article III of the U.S. Constitution limits the jurisdiction of federal courts to
    “Cases” and “Controversies.” U.S. Const. art. III, § 2. “One element of the case-or-
    controversy requirement is that plaintiffs must establish that they have standing to sue.”
    Clapper, 133 S. Ct. at 1146 (internal citations and quotation marks omitted). To invoke
    federal jurisdiction, a plaintiff bears the burden of establishing the three “irreducible
    minimum requirements” of Article III standing:
    (1) an injury-in-fact (i.e., a concrete and particularized invasion of a legally
    protected interest); (2) causation (i.e., a fairly traceable connection between
    the alleged injury in fact and the alleged conduct of the defendant); and
    (3) redressability (i.e., it is likely and not merely speculative that the
    plaintiff’s injury will be remedied by the relief plaintiff seeks in bringing
    suit).
    David v. Alphin, 704 F.3d 327, 333 (4th Cir. 2013) (internal alterations and quotation
    marks omitted).
    In a class action, we analyze standing based on the allegations of personal injury
    made by the named plaintiffs. See Doe v. Obama, 631 F.3d 157, 160 (4th Cir. 2011)
    (citing Warth v. Seldin, 422 U.S. 490, 501 (1975)). “Without a sufficient allegation of
    harm to the named plaintiff in particular, plaintiffs cannot meet their burden of
    establishing standing.” Id.
    A defendant may challenge subject-matter jurisdiction in one of two ways: facially
    or factually. See Kerns v. United States, 585 F.3d 187, 192 (4th Cir. 2009). In a facial
    challenge, the defendant contends “that a complaint simply fails to allege facts upon
    which subject matter jurisdiction can be based.” Id. (quoting Adams v. Bain, 697 F.2d
    1213, 1219 (4th Cir. 1982)). Accordingly, the plaintiff is “afforded the same procedural
    protection as she would receive under a Rule 12(b)(6) consideration,” wherein “the facts
    alleged in the complaint are taken as true,” and the defendant’s challenge “must be
    denied if the complaint alleges sufficient facts to invoke subject matter jurisdiction.” Id.
    In a factual challenge, the defendant argues “that the jurisdictional allegations of
    the complaint [are] not true,” providing the trial court the discretion to “go beyond the
    allegations of the complaint and in an evidentiary hearing determine if there are facts to
    support the jurisdictional allegations.” Id. (first alteration in original) (quoting Adams,
    697 F.2d at 1219). In this posture, “the presumption of truthfulness normally accorded a
    complaint’s allegations does not apply.” Id.
    Critically, the procedural posture of the case dictates the plaintiff’s burden as to
    standing. Lujan v. Defs. of Wildlife, 504 U.S. 555, 561 (1992) (“[E]ach element [of
    standing] must be supported in the same way as any other matter on which the plaintiff
    bears the burden of proof, i.e., with the manner and degree of evidence required at the
    successive stages of the litigation.”). Here, the district court dismissed Watson on the
    pleadings and Beck at summary judgment.
    “At the pleading stage, general factual allegations of injury resulting from the
    defendant’s conduct may suffice, for on a motion to dismiss we presume that general
    allegations embrace those specific facts that are necessary to support the claim.” Id.
    (internal citations omitted). As such, we accept as true Watson’s allegations for which
    there is sufficient “factual matter” to render them “plausible on [their] face.” See
    Ashcroft v. Iqbal, 566 U.S. 662, 678 (2009) (internal citations omitted). We do not,
    however, apply the same presumption of truth to “conclusory statements” and “legal
    conclusions” contained in Watson’s complaint. See id.; Bell Atl. Corp. v. Twombly,
    550 U.S. 544, 555–56 (2007).
    By contrast, having developed through discovery a summary judgment record, the
    Beck plaintiffs are not entitled to “rest on such mere allegations, but must set forth by
    affidavit or other evidence specific facts, which for purposes of the summary judgment
    motion will be taken to be true.” Lujan, 504 U.S. at 561 (citing Fed. R. Civ. P. 56)
    (internal quotations omitted).
    III.
    A.
    We focus our inquiry on the first element of Article III standing: injury-in-fact.
    “To establish injury in fact, a plaintiff must show that he or she suffered ‘an invasion of a
    legally protected interest’ that is ‘concrete and particularized’ and ‘actual or imminent,
    not conjectural or hypothetical.’” Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1548 (2016)
    (quoting Lujan, 504 U.S. at 560). [4] And while it is true “that threatened rather than actual
    injury can satisfy Article III standing requirements,” Friends of the Earth, Inc. v. Gaston
    Copper Recycling Corp., 204 F.3d 149, 160 (4th Cir. 2000) (en banc), not all threatened
    injuries constitute an injury-in-fact. Rather, as the Supreme Court has “emphasized
    repeatedly,” an injury-in-fact “must be concrete in both a qualitative and temporal sense.”
    Whitmore v. Arkansas, 495 U.S. 149, 155 (1990). “The complainant must allege an
    injury to himself that is distinct and palpable, as opposed to merely abstract.” Id.
    (internal citations and quotations omitted). “Although ‘imminence’ is concededly a
    somewhat elastic concept, it cannot be stretched beyond its purpose, which is to ensure
    that the alleged injury is not too speculative for Article III purposes.” Lujan, 504 U.S. at
    564–65, n. 2.
    [4] In Spokeo, the Supreme Court suggested that some violations of the Fair Credit
    Reporting Act (“FCRA”), though “intangible” harms, may still be sufficiently “concrete”
    to establish an Article III injury-in-fact. 136 S. Ct. at 1549–50. In Spokeo’s aftermath,
    some plaintiffs have attempted to establish Article III standing by alleging that the
    violation of a privacy statute, in and of itself, is sufficiently “concrete” to establish an
    “injury-in-fact,” to varying result. Compare In re Horizon Healthcare Servs. Inc. Data
    Breach Litig., No. 15-2309, 2017 WL 242554, at *11 (3d Cir. Jan. 20, 2017) (“[T]he
    unauthorized dissemination of . . . private information—the very injury that FCRA is
    intended to prevent . . . [is] a de facto injury that satisfies the concreteness requirement
    for Article III standing.”) with Gubala v. Time Warner Cable, Inc., No. 16-2613,
    2017 WL 243343, at *4 (7th Cir. Jan. 20, 2017) (plaintiff’s failure to allege or provide
    evidence of any concrete injury inflicted or likely to be inflicted on the plaintiff as a
    consequence of Time Warner's continued retention of his personal information in
    violation of the Cable Communications Policy Act insufficient to confer Article III
    standing). Spokeo is not controlling here, as the Plaintiffs do not allege that Dorn
    VAMC’s violations of the Privacy Act alone constitute an Article III injury-in-fact.
    The Court recently explored the “threatened injury” theory of Article III standing
    in Clapper v. Amnesty International USA. That case involved a constitutional challenge
    to section 1881a of the Foreign Intelligence Surveillance Act of 1978 (“FISA”), which,
    “upon the issuance of an order from the Foreign Intelligence Surveillance Court,”
    authorizes “for a period of up to 1 year” the Attorney General and the Director of
    National Intelligence to target for surveillance “persons reasonably believed to be located
    outside the United States to acquire foreign intelligence information.” 133 S. Ct. at 1144
    (quoting 50 U.S.C. § 1881a).
    The respondents—attorneys and human-rights, labor, legal, and media
    organizations whose work required them to communicate via telephone and e-mail with
    individuals located abroad—sought a declaration that the provision was facially
    unconstitutional and a permanent injunction against its use. Id. at 1146. The respondents
    alleged two injuries: (1) that § 1881a curtailed their ability to “locate witnesses, cultivate
    sources, obtain information, and communicate confidential information,” and (2) that
    they had implemented “costly and burdensome measures,” including traveling abroad to
    have in-person conversations, to protect the confidentiality of their sensitive
    communications from FISA surveillance. Id. at 1145–46.
    The district court ruled that the respondents lacked standing. Id. at 1146. On
    appeal, the Second Circuit reversed, holding that the “objectively reasonable likelihood”
    that the respondents’ communications would be intercepted at some future time and their
    allegation that they suffered economic and professional harm as a result were sufficient to
    confer standing. Id.
    The Supreme Court rejected the Second Circuit’s use of an “objectively
    reasonable likelihood” standard for Article III standing as inconsistent with the Court’s
    long-established requirement that “threatened injury must be certainly impending to
    constitute injury in fact.” Id. at 1147–48 (listing cases). Addressing first the
    respondents’ allegation that the Government would target their private communications,
    the Court catalogued the series of hypothetical events that would have to occur to
    establish an “imminent” injury-in-fact: namely, the speculative possibility that the
    Government, pursuant to § 1881a’s “many safeguards,” would successfully target and
    intercept the communications of those foreigners with whom the respondents worked.
    Id. at 1148–50. The respondents’ theory of standing, premised on this “highly attenuated
    chain of possibilities” could not “satisfy the requirement that threatened injury must be
    certainly impending.” Id. at 1148.
    The respondents’ second theory of injury, premised on the “costly and
    burdensome” measures they had undertaken to protect the confidentiality of their
    communications, also failed to confer standing. Id. at 1150–51. The Court reasoned that
    the respondents’ attempts to minimize e-mail and phone conversations, to speak “in
    generalities rather than specifics,” and to travel abroad to have in-person conversations,
    were all costs “incurred in response to a speculative threat.” Id. at 1151. The Court
    declined to “water[] down the fundamental requirements of Article III” by allowing
    respondents to “manufacture standing merely by inflicting harm on themselves based on
    their fears of hypothetical future harm that is not certainly impending.” Id.
    Clapper’s discussion of when a threatened injury constitutes an Article III
    injury-in-fact is controlling here. Before explaining why, we address the Plaintiffs’
    contention that the district court misread Clapper to require a new, heightened burden for
    proving an Article III injury-in-fact. To the contrary, Clapper’s iteration of the
    well-established tenet that a threatened injury must be “certainly impending” to constitute
    an injury-in-fact is hardly novel. E.g., DaimlerChrysler Corp. v. Cuno, 547 U.S. 332, 345
    (2006) (an asserted injury is “imminent” when it is “certainly impending”); Lujan,
    504 U.S. at 564–65, n.2 (same); Whitmore, 495 U.S. at 158 (“A threatened injury must be
    ‘certainly impending’ to constitute injury in fact.”).
    We also reject the Plaintiffs’ claim that “emotional upset” and “fear [of] identity
    theft and financial fraud” resulting from the data breaches are “adverse effects” sufficient
    to confer Article III standing. Appellants’ Br. at 22 (citing 5 U.S.C. § 552a(e)(10)). That
    assertion reflects a misunderstanding of the Privacy Act and is an overextension of Doe v.
    Chao, 540 U.S. 614 (2004).
    The sole issue in Chao was whether a Privacy Act plaintiff must prove actual
    damages to qualify for the minimum statutory award of $1,000. 540 U.S. at 616. There,
    a black-lung claimant brought suit under the Privacy Act against the Department of Labor
    for improperly disclosing his social security number. Id. at 617. This court held that the
    Department was entitled to summary judgment, concluding that the claimant had failed to
    raise a triable issue of fact about actual damages because he had submitted no
    corroboration for his claim of emotional distress. Id. The Supreme Court affirmed,
    reasoning that “a straightforward textual analysis” of the Privacy Act required a plaintiff
    to prove actual damages from an intentional or willful violation of the Act to qualify for
    the award. Id. at 620.
    As the Court explained in Chao, “the reference in [the Privacy Act] to ‘adverse
    effect’ [is] a term of art identifying a potential plaintiff who satisfies the injury-in-fact
    and causation requirements of Article III standing.” 540 U.S. at 624 (emphasis added).
    We decline to interpret dicta in Chao discussing the plaintiff’s “conclusory allegations”
    that he was “torn . . . all to pieces” by the unauthorized disclosure of his social security
    number as support for the proposition that bare assertions of emotional injury are
    sufficient to confer Article III standing. Id. at 617, 624–25. This court is “bound by
    holdings” of the Supreme Court, not its “unwritten assumptions.” Fernandez v. Keisler,
    502 F.3d 337, 343–44, n.2 (4th Cir. 2007).
    Accordingly, with Clapper’s tenets firmly in tow, we address the two grounds for
    Article III standing pressed by the Plaintiffs for their Privacy Act claims: (1) the
    increased risk of future identity theft, and (2) the costs of protecting against the same.
    Increased Risk of Future Identity Theft
    Our sister circuits are divided on whether a plaintiff may establish an Article III
    injury-in-fact based on an increased risk of future identity theft. The Sixth, Seventh, and
    Ninth Circuits have all recognized, at the pleading stage, that plaintiffs can establish an
    injury-in-fact based on this threatened injury. See Galaria v. Nationwide Mut. Ins. Co.,
    No. 15-3386, 2016 WL 4728027, at *3 (6th Cir. Sept. 12, 2016) (plaintiff-customers’
    increased risk of future identity theft theory established injury-in-fact after hackers
    breached Nationwide Mutual Insurance Company’s computer network and stole their
    sensitive personal information, because “[t]here is no need for speculation where
    Plaintiffs allege that their data has already been stolen and is now in the hands of
    ill-intentioned criminals”); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 692,
    694–95 (7th Cir. 2015) (plaintiff-customers’ increased risk of future fraudulent charges and
    identity theft theory established “certainly impending” injury-in-fact and “substantial risk
    of harm” after hackers attacked Neiman Marcus with malware to steal credit card
    numbers, because “[p]resumably, the purpose of the hack is, sooner or later, to make
    fraudulent charges or assume those consumers' identities”); Krottner v. Starbucks Corp.,
    628 F.3d 1139, 1142–43 (9th Cir. 2010) (plaintiff-employees’ increased risk of future
    identity theft theory a “credible threat of harm” for Article III purposes after theft of a
    laptop containing the unencrypted names, addresses, and social security numbers of
    97,000 Starbucks employees); Pisciotta v. Old Nat’l Bancorp, 499 F.3d 629, 632–34 (7th
    Cir. 2007) (banking services applicants’ increased risk of harm theory satisfied Article III
    injury-in-fact requirement after “sophisticated, intentional and malicious” security breach
    of bank website compromised their information).
    By contrast, the First and Third Circuits have rejected such allegations. See Katz
    v. Pershing, LLC, 672 F.3d 64, 80 (1st Cir. 2012) (brokerage account-holder’s increased
    risk of unauthorized access and identity theft theory insufficient to constitute “actual or
    impending injury” after defendant failed to properly maintain an electronic platform
    containing her account information, because plaintiff failed to “identify any incident in
    which her data has ever been accessed by an unauthorized person”); Reilly v. Ceridian
    Corp., 664 F.3d 38, 40, 44 (3d Cir. 2011) (plaintiff-employees’ increased risk of identity
    theft theory too hypothetical and speculative to establish “certainly impending”
    injury-in-fact after unknown hacker penetrated payroll system firewall, because it was
    “not known whether the hacker read, copied, or understood” the system’s information and no
    evidence suggested past or future misuse of employee data or that the “intrusion was
    intentional or malicious”).
    The Plaintiffs say that our sister circuits’ decisions in Krottner, Pisciotta, and
    Remijas support their allegations of standing based on threatened injury of future identity
    theft. 5       To the contrary, these cases demonstrate why the Plaintiffs’ theory is too
    speculative to constitute an injury-in-fact.
    Underlying the cases are common allegations that sufficed to push the threatened
    injury of future identity theft beyond the speculative to the sufficiently imminent. In
    Galaria, Remijas, and Pisciotta, for example, the data thief intentionally targeted the
    personal information compromised in the data breaches. Galaria, 
    2016 WL 4728027
    , at
    *1 (“[H]ackers broke into Nationwide's computer network and stole the personal
    information of Plaintiffs and 1.1 million others.”); 
    Remijas, 794 F.3d at 694
    (“Why else
    would hackers break into a store's database and steal consumers’ private information?”);
    
    Pisciotta, 499 F.3d at 632
    (“scope and manner” of intrusion into banking website’s
    hosting facility was “sophisticated, intentional and malicious”). And, in Remijas and
    Krottner, at least one named plaintiff alleged misuse or access of that personal
    information by the thief. Remijas, 794 F.3d at 690 (9,200 of the 350,000 credit cards
    potentially exposed to malware “were known to have been used fraudulently”);
    Krottner, 628 F.3d at 1141 (named plaintiff alleged that, two months after theft of laptop
    containing his social security number, someone attempted to open a new account using
    his social security number).
    5
    The Plaintiffs also rely on the environmental law cases of Friends of the Earth,
    Inc. v. Laidlaw Environmental Services, 528 U.S. 167 (2000) and Friends of the Earth,
    Inc. v. Gaston Copper Recycling Corp., 629 F.3d 387, 394 (4th Cir. 2011) (en banc) to
    support their view that a “reasonable concern” of harm is sufficient to confer Article III
    standing. Appellants’ Br. at 23. “In the environmental litigation context, [however], the
    standing requirements are not onerous.” Am. Canoe Ass'n v. Murphy Farms, Inc.,
    326 F.3d 505, 517 (4th Cir. 2003). This is so because “[t]he extinction of a species, the
    destruction of a wilderness habitat, or the fouling of air and water are harms that are
    frequently difficult or impossible to remedy” by monetary compensation. Cent. Delta
    Water Agency v. United States, 306 F.3d 938, 950 (9th Cir. 2002). By contrast, in data-
    breach cases, “there is no reason to believe that monetary compensation will not return
    plaintiffs to their original position completely.” Reilly, 664 F.3d at 45.
    Here, the Plaintiffs make no such claims. This in turn renders their contention of
    an enhanced risk of future identity theft too speculative. On this point, the data breaches
    in Beck and Watson occurred in February 2013 and July 2014, respectively. Yet, even
    after extensive discovery, the Beck plaintiffs have uncovered no evidence that the
    information contained on the stolen laptop has been accessed or misused or that they have
    suffered identity theft, nor, for that matter, that the thief stole the laptop with the intent to
    steal their private information. 6 Watson’s complaint suffers from the same deficiency
    with regard to the four missing boxes of pathology reports. Moreover, “as the breaches
    fade further into the past,” the Plaintiffs’ threatened injuries become more and more
    speculative. See Chambliss v. Carefirst, Inc., No. 15-2288, 2016 WL 3055299, at *4 (D.
    Md. May 27, 2016); In re Zappos.com, 108 F. Supp. 3d 949, 958 (D. Nev. 2015) (“[T]he
    passage of time without a single report from Plaintiffs that they in fact suffered the harm
    they fear must mean something.”).
    6
    Ms. Gajadhar, a named Beck plaintiff, testified to three unauthorized credit card
    charges, later reimbursed by her bank. However, she failed to attribute those charges to
    the 2013 laptop theft. Nor could she, given that the data on the stolen laptop did not
    contain any credit card or bank account information.
    The Plaintiffs counter that there is “no need to speculate” here because they have
    alleged—and in the Beck case the VA’s investigation concluded—that the laptop and
    pathology reports had been stolen. See J.A. 824. We of course accept this allegation as
    true. But the mere theft of these items, without more, cannot confer Article III standing.
    See Randolph v. ING Life Ins. & Annuity Co., 486 F. Supp. 2d 1, 7–8 (D.D.C. 2007)
    (deeming as speculative plaintiffs’ allegations “that at some unspecified point in the
    indefinite future they will be the victims of identity theft” where, although plaintiffs
    clearly alleged their information was stolen by a burglar, they did “not allege that the
    burglar who stole the laptop did so in order to access their [i]nformation, or that their
    [i]nformation ha[d] actually been accessed since the laptop was stolen”).
    Indeed, for the Plaintiffs to suffer the harm of identity theft that they fear, we must
    engage with the same “attenuated chain of possibilities” rejected by the Court in
    Clapper. 133 S. Ct. at 1147–48. In both cases, we must assume that the thief targeted the stolen
    items for the personal information they contained. And in both cases, the thieves must
    then select, from thousands of others, the personal information of the named plaintiffs
    and attempt successfully to use that information to steal their identities. This “attenuated
    chain” cannot confer standing.
    The Plaintiffs insist that the district court required them to show “concrete
    evidence that [their] personal information had already been misused,” thus forcing
    someone in their position “‘to wait for the threatened harm to materialize in order to
    sue.’” Appellants’ Br. at 28 (quoting Remijas, 794 F.3d at 694). We disagree. The
    district court sought only to hold the Plaintiffs to their respective burdens to either
    “plausibly plead” factual allegations or “set forth particular evidence” sufficient to show
    that the threatened harm of future identity theft was “certainly impending.” This they
    failed to do.
    Nonetheless, our inquiry on standing is not at an end, for we may also find
    standing based on a “substantial risk” that the harm will occur, which in turn may prompt
    a party to reasonably incur costs to mitigate or avoid that harm. Clapper, 133 S. Ct. at
    1150 n.5. But here too the Plaintiffs fall short of their burden.
    The Plaintiffs allege that: (1) 33% of health-related data breaches result in identity
    theft; (2) the Defendants expend millions of dollars trying to avoid and mitigate those
    risks; and (3) by offering the Plaintiffs free credit monitoring, the VA effectively
    conceded that the theft of the laptop and pathology reports constituted a “reasonable risk
    of harm to those victimized” by the data breaches. Appellants’ Br. at 31 (citing 38 C.F.R.
    § 75.116 (authorizing Secretary of Veterans Affairs to offer credit protection services for
    mitigative purposes upon finding that “reasonable risk exists” for “potential misuse of
    sensitive personal information” compromised in a data breach)).
    These allegations are insufficient to establish a “substantial risk” of harm. 7 Even
    if we credit the Plaintiffs’ allegation that 33% of those affected by Dorn VAMC data
    breaches will become victims of identity theft, it follows that over 66% of veterans
    affected will suffer no harm. This statistic falls far short of establishing a “substantial
    risk” of harm. E.g., Khan v. Children’s Nat’l Health Sys., 188 F. Supp. 3d 524, 533 (D.
    Md. 2016) (“general allegations . . . that data breach victims are 9.5 times more likely to
    suffer identity theft and that 19 percent of data breach victims become victims of identity
    theft” insufficient to establish “substantial risk” of harm); In re Sci. Applications Int'l
    Corp. (SAIC) Backup Tape Data Theft Litig., 45 F. Supp. 3d 14, 26 (D.D.C. 2014) (no
    “substantial risk” of harm where “[b]y Plaintiff's own calculations, then, injury is likely
    not impending for over 80% of victims”).
    7
    The Plaintiffs’ claim that data-breach victims are 9.5 times more likely than the
    average person to suffer identity theft does not alter our conclusion. As the Defendants
    point out, this general statistic says nothing about the risk arising out of any particular
    incident, nor does it address the particular facts of this case.
    The Plaintiffs’ other allegations fare no better. Contrary to some of our sister
    circuits, we decline to infer a substantial risk of harm of future identity theft from an
    organization’s offer to provide free credit monitoring services to affected individuals. 8
    To adopt such a presumption would surely discourage organizations from offering these
    services to data-breach victims, lest their extension of goodwill render them subject to
    suit.
    8
    See, e.g., Galaria, 2016 WL 4728027, at *3 (“Indeed, Nationwide seems to
    recognize the severity of the risk, given its offer to provide credit-monitoring and
    identity-theft protection for a full year.”); Remijas, 794 F.3d at 694 (“It is telling . . . that
    Neiman Marcus offered one year of credit monitoring and identity-theft protection to all
    [potentially affected] customers. It is unlikely that it did so because the risk is so
    ephemeral that it can safely be disregarded.”).
    Further, we read Clapper’s rejection of the Second Circuit’s attempt to import an
    “objectively reasonable likelihood” standard into Article III standing to express the
    common-sense notion that a threatened event can be “reasonabl[y] likel[y]” to occur but
    still be insufficiently “imminent” to constitute an injury-in-fact. See 133 S. Ct. at 1147–48.
    Accordingly, neither the VA’s finding that a “reasonable risk exists” for the
    “potential misuse of sensitive personal information” following the data breaches, nor its
    decision to pay for credit monitoring to guard against it is enough to show that the
    Defendants subjected the Plaintiffs to a “substantial risk” of harm.
    Cost of Mitigative Measures
    Next, we turn to the Plaintiffs’ allegation that they have suffered an injury-in-fact
    because they have incurred or will in the future incur the cost of measures to guard
    against identity theft, including the costs of credit monitoring services. All Plaintiffs
    allege that they wish to enroll in, are enrolled in, or have purchased credit monitoring
    services. They also say that, as a consequence of the breaches, they have incurred the
    burden of monitoring their financial and credit information. Even accepting these
    allegations as true, they do not constitute an injury-in-fact.
    As was the case in Clapper, the Plaintiffs here seek “to bring this action based on
    costs they incurred in response to a speculative threat,” i.e. their fear of future identity
    theft based on the breaches at Dorn VAMC. Id. at 1151. But this allegation is merely “a
    repackaged version of [Plaintiffs’] first failed theory of standing.” Id. Simply put, these
    self-imposed harms cannot confer standing. See, e.g., Remijas, 794 F.3d at 694
    (“Mitigation expenses do not qualify as actual injuries where the harm is not imminent.”);
    Reilly, 664 F.3d at 46 (“[P]rophylactically spen[ding] money to ease fears of
    [speculative] future third-party criminality . . . is not sufficient to confer standing.”).
    B.
    Finally, we address the Plaintiffs’ request for broad injunctive relief under the
    APA. 9 To establish their standing to seek such relief, the Plaintiffs borrow from the
    statutory language of the Privacy Act, contending that the “substantial harm,”
    “embarrassment,” “inconvenience,” and “unfairness” caused them by the Defendants
    satisfies their Article III burden because they have been “adversely affected” within the
    meaning of the APA. See 5 U.S.C. §§ 552a(e)(10), 702.
    These citations to the Privacy Act’s language are inapposite: The APA’s
    “adversely affected” language does not relieve the Plaintiffs of their burden to prove
    Article III standing. See Match-E-Be-Nash-She-Wish Band of Pottawatomi Indians v.
    Patchak, 132 S. Ct. 2199, 2210 (“[A] person suing under the APA must satisfy not only
    Article III's standing requirements,” but also the prudential “zone of interests” test)
    (internal quotations omitted). Rather, we agree with the district court that the Plaintiffs
    do not have standing to seek injunctive relief under the APA because allegations of Dorn
    VAMC’s past Privacy Act violations are insufficient to establish an ongoing case or
    controversy. See City of Los Angeles v. Lyons, 461 U.S. 95, 101–02 (1974) (“[P]ast
    exposure to illegal conduct does not in itself show a present case or controversy regarding
    injunctive relief.”) (internal quotations omitted).
    “A plaintiff who seeks . . . to enjoin a future action must demonstrate that he ‘is
    immediately in danger of sustaining some direct injury’ as the result of the challenged
    official conduct.” Lebron v. Rumsfeld, 670 F.3d 540, 560 (4th Cir. 2012) (quoting
    Lyons, 461 U.S. at 102)). And this “threat of injury must be both ‘real and immediate,’ not
    ‘conjectural’ or ‘hypothetical.’” Id. The Plaintiffs say that Dorn VAMC’s “inadequate
    actions and inactions will repeatedly harm every veteran regardless of anything those
    individuals can do” where Dorn VAMC “has never been in compliance with the Privacy
    Act,” and where there is “no factual basis to believe VA will ever achieve compliance
    with safeguards requirements left to its own devices.” Appellants’ Br. at 38–39.
    9
    We assume without deciding that injunctive relief is available in these
    circumstances.
    We acknowledge that the named plaintiffs have been victimized by “at least two
    admitted VA data breaches,” and that Ms. Watson’s information was compromised in
    both the 2013 laptop theft and the 2014 pathology reports theft. Appellants’ Br. at 39.
    But “[a]bsent a sufficient likelihood that [Plaintiffs] will again be wronged in a similar
    way,” Lyons, 461 U.S. at 111, these past events, disconcerting as they may be, are not
    sufficient to confer standing to seek injunctive relief. See Lebron, 670 F.3d at 560–61
    (affirming dismissal of former enemy combatant detainee’s request for injunction against
    future designation as an enemy combatant because the mere “possibility” of re-
    designation was insufficient to allege a “real” and “immediate” threat). The most that
    can be reasonably inferred from the Plaintiffs’ allegations regarding the likelihood of
    another data breach at Dorn VAMC is that the Plaintiffs could be victimized by a future
    data breach. That alone is not enough.
    IV.
    For the reasons given, the judgments of the district court are
    AFFIRMED.
    

Document Info

Docket Number: 15-1395, 15-1715

Citation Numbers: 848 F.3d 262

Judges: Niemeyer, Diaz, Keeley, Northern, Virginia

Filed Date: 2/6/2017

Precedential Status: Precedential

Modified Date: 10/19/2024

Authorities (21)

Cent. Delta Water Agency v. United States , 306 F.3d 938 ( 2002 )

Spokeo, Inc. v. Robins , 136 S. Ct. 1540 ( 2016 )

Whitmore Ex Rel. Simmons v. Arkansas , 110 S. Ct. 1717 ( 1990 )

Fernandez v. Keisler , 502 F.3d 337 ( 2007 )

Warth v. Seldin , 95 S. Ct. 2197 ( 1975 )

DaimlerChrysler Corp. v. Cuno , 126 S. Ct. 1854 ( 2006 )

Krottner v. Starbucks Corp. , 628 F.3d 1139 ( 2010 )

Randolph v. ING Life Insurance & Annuity Co. , 486 F. Supp. 2d 1 ( 2007 )

Lujan v. Defenders of Wildlife , 112 S. Ct. 2130 ( 1992 )

Friends of the Earth, Inc. v. Gaston Copper Recycling Corp. , 629 F.3d 387 ( 2011 )

Bell Atlantic Corp. v. Twombly , 127 S. Ct. 1955 ( 2007 )

Doe v. Obama , 631 F.3d 157 ( 2011 )

Friends of the Earth, Inc. v. Laidlaw Environmental ... , 120 S. Ct. 693 ( 2000 )

Am. Canoe Ass'n v. Murphy Farms, Inc. , 326 F.3d 505 ( 2003 )

friends-of-the-earth-incorporated-citizens-local-environmental-action , 204 F.3d 149 ( 2000 )

Pisciotta v. Old National Bancorp , 499 F.3d 629 ( 2007 )

Reilly Ex Rel. Pluemacher v. Ceridian Corp. , 664 F.3d 38 ( 2011 )

Clapper v. Amnesty International USA , 133 S. Ct. 1138 ( 2013 )

Match-E-Be-Nash-She-Wish Band of Pottawatomi Indians v. ... , 132 S. Ct. 2199 ( 2012 )

Kerns v. United States , 585 F.3d 187 ( 2009 )
