This is the property of the Daily Journal Corporation and fully protected by copyright. It is made available only to Daily Journal subscribers for personal or collaborative purposes and may not be distributed, reproduced, modified, stored or transferred without written permission.

Constitutional Law, Civil Litigation

Jan. 23, 2019

What about standing when a hack is only theoretical?


Jason D. Russell, Partner, Skadden, Arps, Slate, Meagher & Flom LLP

Doug Smith, Associate, Skadden, Arps, Slate, Meagher & Flom LLP


Federal circuit courts are split on whether a plaintiff can sufficiently establish injury-in-fact for Article III standing purposes when a data breach has occurred, with the Supreme Court recently denying certiorari in a case raising the issue. But what about Article III standing in data privacy and cybersecurity cases where a breach or hack is only theoretical, or has only occurred during a controlled experiment?

Cases involving no real world breach or hack are likely to become increasingly prevalent, as more consumers purchase products controlled by computers or linked to the internet, such as self-driving cars. These cases will push the outer bounds of Article III jurisprudence, highlight the need to analyze standing on a claim-by-claim basis and likely increase the use of a relatively underutilized tool of civil procedure: a factual attack on standing under Rule 12(b)(1). Two cases receiving attention lately and reaching different results are illustrative.

In Diggins v. Mercy Health, 3:16-cv-1938 (N.D. Ohio Dec. 6, 2018), a plaintiff alleged that defendant's use of software operating on an outdated Java-based computer server "caused private and protected patient information," including "treatment records and lab results," to be "exposed to unauthorized third parties." Plaintiff alleged that "[i]t is just a matter of time until a hacker discovers [defendant's] vulnerable system and further exposes patients' private medical information." The district court dismissed the complaint for failing to allege injury-in-fact, concluding that plaintiff "only alleged that his personal information might be accessed improperly, not that it actually was."

The court also rejected plaintiff's overpayment theory, namely that a portion of his payments for health care services were "for data security measures" that defendant failed to undertake. The court reasoned that, "[e]ven if Defendant's approach to data security was clumsy, it also was harmless," since no breach had occurred. While plaintiff could allege that defendant "did not take a specific action" to safeguard the data, plaintiff could not plausibly allege that defendant "failed to take sufficient action" without a real-world breach.

In Flynn v. FCA US, LLC, No. 15-cv-0855 (S.D. Ill. Sept. 23, 2016), plaintiffs alleged that vulnerabilities in a computer control system turned cars "into rolling deathtraps" because hackers could "take remote control of the vehicle's functions, including the vehicle's steering and brakes." Plaintiffs asserted injury-in-fact on the grounds that they had overpaid for their vehicles initially, their vehicles had diminished resale value, and they feared injury and death. The Flynn court concluded that initial overpayment and diminished resale value sufficiently alleged injury-in-fact even without a real-world hack because "safety- and access-related vulnerabilities" could result in a reduction in value. The court conditioned its conclusion on plaintiffs proving that a recall of the allegedly defective cars "didn't fix all of the defects" and that ongoing vulnerabilities in fact reduced their vehicles' resale values.

Fear of injury and death did not suffice to establish injury-in-fact under the alleged factual circumstances, however. The court reasoned that the only evidence of a hack was the one committed on "a willing subject in a quasi-laboratory setting" and that subject "suffered no injury." Furthermore, the implemented recall reduced the chances of a real-world hack. Thus, the court concluded that a "substantial risk of harm to plaintiffs" did not exist, saying that "[t]his isn't like a data breach case where cybercriminals who have stolen credit data will likely use the data in the future even if they haven't at the start of a suit."

Mercy Health and Flynn highlight the importance of analyzing standing on a claim-by-claim basis. As the Supreme Court has urged, standing cannot be "dispensed in gross." Indeed, whether a plaintiff can successfully allege standing where no real-world breach or hack has occurred may depend on whether the particular "injury" has been mooted by a product recall sufficiently addressing all of the alleged vulnerabilities. It could also depend on whether the alleged defect in fact caused a reduction in the product's resale value, which might require an analysis of whether similar products available in the marketplace were all equally vulnerable to the potential hack.

Even if a company had a duty to take reasonable, ongoing cybersecurity measures with respect to its products or services, the absence of a real-world breach or hack may be enough to defeat standing. Without such evidence, it may be difficult to establish that a company's security measures were too lax, unless the company had no security whatsoever. Standing may therefore turn on what "security" the plaintiff purchased at the point of sale. But in the purchase of internet-of-things products, cybersecurity vulnerabilities and how to prevent them are only now beginning to enter the discourse. It would behoove companies to set forth explicitly in their purchase contracts, or terms of use, whether the agreed-upon price reflects payment of ongoing "security guard" services and the level of security to be provided.

Given the fact-intensive nature of the inquiry, litigants should remember that a standing challenge attacks a court's subject matter jurisdiction under Rule 12(b)(1). Unlike a Rule 12(b)(6) motion to dismiss, where the court must accept the allegations as true, draw all reasonable inferences in the plaintiff's favor, and may not consider evidence contradicting the plaintiff's allegations, a factual attack under Rule 12(b)(1) carries no such restrictions. A defendant may introduce evidence outside the pleadings, request jurisdictional discovery and seek an evidentiary hearing to resolve factual disputes. Use of Rule 12(b)(1) factual attacks is likely to increase in cases without a real-world breach or hack, such as ones in which the sufficiency of implemented recalls is disputed. In addition, if plaintiffs have brought suit merely based on a vulnerability discovered by an expert or controlled laboratory experiments, defendants should consider countering at the pleading stage with expert evidence of their own.

Potentially complicating matters is that states may pass laws enabling a party to sue a business for not implementing "reasonable security procedures" regardless of a real-world breach or hack. For example, the California Consumer Privacy Act, which will become effective Jan. 1, 2020, seemingly allows suit merely if personal information is "subject to" being improperly accessed. If a plaintiff attempts to invoke such a state statute in federal court, the mere statutory violation may not be enough to satisfy Article III's injury-in-fact requirement.

On Jan. 7, the Supreme Court declined certiorari in Flynn to review the district court's grant of class certification and with it whether injury-in-fact can exist without a real-world breach or hack. Until the Supreme Court intervenes, lower courts will likely split on the issue, as they have in cases involving actual breaches or hacks, and factual attacks to standing under Rule 12(b)(1) will likely become the norm, not the exception.
