Injury premised upon an “if” is not “certainly impending.”
On February 11, 2015, the Southern District of Texas, in Peters v. St. Joseph Services Corporation, answered a question of first impression in the Fifth Circuit: “whether the heightened risk of future identity theft/fraud posed by a data security breach confers Article III standing on persons whose information may have been accessed.” No. 4:14-CV-2872, 2015 WL 589561, at *1 (S.D. Tex. Feb. 11, 2015). The court concluded that the answer to this question is a resounding no, dismissing the federal class action against St. Joseph for lack of subject matter jurisdiction. Peters provided St. Joseph with significant personal information while she was a patient there. Such information included her social security number, bank account information, medical records, Discover card information, and address. Between December 16, 2013 and December 18, 2013, St. Joseph was subject to a data security breach. Peters alleged that her information was disclosed during this data breach, and therefore, she was subsequently harmed. Specifically, Peters alleged that she received fraud alerts on her Discover card (although she was able to decline approval of any unauthorized transactions and close her account). Additionally, Peters alleged that she and her family members received numerous spam emails, multiple telephone solicitations, and other marketing materials. Finally, Peters asserted that she and other class members were “vulnerable to future attacks by thieves who may seek to commit any number of identity theft-related crimes.” To secure standing, Peters was required to plead facts demonstrating an actual or imminent concrete and particularized injury that was fairly traceable to St. Joseph’s conduct. With respect to her imminent injury, Peters posited an increased risk that she could be victimized by identity thieves. The Southern District of Texas, however, found that such speculation does not “transform that assertion into a cognizable injury.” Likewise, with regard to whether such harm was fairly traceable to St. Joseph, Peters linked this harm to potential identity thieves, unknown non-parties to the litigation. Concluding that Peters could not establish an imminent injury that was fairly traceable to St. Joseph’s conduct, the Southern District of Texas dismissed Peters’s federal claims for lack of subject matter jurisdiction. The Southern District of Texas’s ruling is consistent with analogous Supreme Court precedent. In Clapper v. Amnesty International USA, the United States Supreme Court held that plaintiffs did not have Article III standing to challenge the Foreign Intelligence Surveillance Act of 1978, where they argued that there was a reasonable likelihood that their communications would be acquired in the future. 133 S. Ct. 1138, 1142 (2013). Clapper largely resolved a prior split among the circuit courts of appeals about whether standing could be acquired merely by asserting an increased risk of harm after a data security breach. The impact of Clapper is more fully discussed in this prior blog post. Although courts in the Fifth Circuit have analyzed Clapper for standing purposes, until the decision in Peters, no federal court in the Fifth Circuit had applied Clapper to a data breach security case or analyzed the prior circuit split on standing in data breach cases. The Southern District of Texas’s ruling in Peters, however, now provides additional comfort to Fifth Circuit practitioners relying on Clapper and its progeny to defend against data breach class actions.