In an overwhelmingly digital age, individuals are put at risk of serious injuries such as identity theft, fraud, and even personal embarrassment if their data is exposed to malicious third parties.1 Victims of such data breaches have often turned to litigation to seek remedy against companies that allegedly failed to secure consumers’ private data.2 Courts seeking to provide legal recourse to these plaintiffs have grappled with the difficulty of applying established legal doctrines, such as standing to bring suit, to novel fact patterns created by new technologies.3 For example, the circuit courts have split over one such legal issue: whether plaintiffs who have yet to actually suffer theft or fraud as a result of a data breach have standing to sue at all.4 Recently, in In re U.S. Office of Personnel Management Data Security Breach Litigation5 (In re OPM), the D.C. Circuit weighed in on the debate by allowing the plaintiffs to proceed on the theory that they had suffered an injury of exposure to increased risk of future harm.6 In re OPM is the most recent case in a pattern of lower courts struggling to reconcile Supreme Court guidance with a theory of future injury, and it emphasizes the need for novel legal theories better suited to data breach litigation.
The U.S. Office of Personnel Management (OPM) maintains a large volume of sensitive private information about federal government employees.7 OPM employs a private firm, KeyPoint Government Solutions, Inc. (KeyPoint), to help with internal investigations, which necessitates granting KeyPoint access to the OPM database.8 As early as 2007, OPM’s Inspector General had warned the agency about “major information security deficiencies” in its network, but OPM did not address these concerns.9 Between November 2013 and November 2014, unidentified cyberattackers stole the sensitive data of over twenty-one million people from OPM’s network using stolen KeyPoint credentials.10 The impacted individuals brought suit against both OPM and KeyPoint for negligence and violation of federal statutes, including the Privacy Act of 1974.11 A few of these plaintiffs alleged that they had already experienced fraud and identity theft since the data breach.12 The suits were transferred to the U.S. District Court for the District of Columbia for pretrial proceedings.13
In the district court, OPM and KeyPoint moved to dismiss the complaints.14 The court granted their motions on two grounds. First, the plaintiffs failed to meet two out of three of the requirements for standing to litigate15: an injury in fact and causation linked to the defendants’ misconduct.16 Relying on Spokeo, Inc. v. Robins,17 the district court rejected both of the plaintiffs’ theories of injury — the loss of data itself and the heightened risk of future injury.18 In addition, even those plaintiffs who had suffered actual injury failed to allege a substantial causal connection between OPM’s negligence and any fraudulent activity.19 Furthermore, the plaintiffs’ claims either were barred by sovereign immunity or failed to state a claim.20
The D.C. Circuit affirmed in part and reversed in part.21 The panel’s per curiam opinion found that the plaintiffs had alleged facts sufficient to meet the “low bar to establish . . . standing at the pleading stage.”22 The D.C. Circuit first analyzed the plaintiffs’ theory of an injury in fact, which must be both “concrete and particularized[,] and actual or imminent.”23 According to the plaintiffs, the data breach had injured them by exposing them to increased risk of future harms such as identity theft.24 To determine whether this injury was more than “merely conjectural,”25 and therefore actual or imminent, the court considered whether the plaintiffs had plausibly alleged that the OPM hackers had “both the intent and the ability to use [the plaintiffs’] data for ill.”26 Here, the plaintiffs had alleged that some of them had “already experienced various types of identity theft,” all of which could have been accomplished with the stolen information.27 The nature of these previous attacks indicated both that the hackers were “sophisticated and apparently quite patient” and that the plaintiffs still faced “a substantial risk of future identity theft” arising from the breach.28 Thus, the plaintiffs had successfully alleged an injury in fact.
According to the court, the plaintiffs’ claims also satisfied the remaining standing requirements: causation and redressability.29 The “relatively modest”30 standard for proving causation at the pleading stage required only that the plaintiffs show the defendants’ behavior was “fairly traceable” to the injury.31 The plaintiffs had met this burden by alleging that OPM’s and KeyPoint’s data security practices were substantial contributing factors to the breach and that the information stolen was sufficient to enable identity theft.32 Finally, money damages for expenses spent on protective services provided a clear way to redress the plaintiffs if they were to obtain a favorable decision.33
The court of appeals also held that sovereign immunity did not bar the court from taking jurisdiction.34 By “plausibly alleg[ing]” the three elements of a Privacy Act claim, the plaintiffs had “unlock[ed]” the statute’s waiver of sovereign immunity over OPM.35 KeyPoint, OPM’s private contractor, was also not immune because it could not acquire derivative sovereign immunity from an entity (OPM) that was itself not immune, and KeyPoint had failed to demonstrate that its problematic security practices were “authorized and directed by” a government agency.36
The opinion concluded by dismissing the plaintiffs’ constitutional claims.37 Although the court did not rule directly that a constitutional right to information privacy does not exist, it reasoned that, even assuming the existence of this right, only intentional disclosures — and not accidental breaches — would violate the right.38 The court also rejected the plaintiffs’ due process claim by denying any affirmative duty for the government to safeguard data where the affected parties (employees) voluntarily disclosed personal information.39
Judge Williams dissented from the majority’s finding on standing and concurred with the remaining rulings.40 On standing, Judge Williams found the plaintiffs had not met the Twombly and Iqbal standard for pleadings, which requires plaintiffs to allege facts that could negate “obvious alternative explanation[s].”41 Judge Williams emphasized the fact that “a government system” was hacked to steal information about “government employees,” so the “obvious” alternate explanation for the hack — espionage — nullified any likelihood of future identity theft caused by the breach.42 He also suggested that the allegations were made even less plausible by the passage of two years since the original attacks without widespread identity theft among the plaintiffs.43 According to Judge Williams, only those plaintiffs who actually suffered theft prior to the litigation could have standing.44
In In re OPM, the D.C. Circuit validated the plaintiffs’ legal theory that exposure to an increased risk of future harm constitutes the “injury” necessary to confer standing on data breach victims. But the court’s recognition of this injury stretched existing Supreme Court standing doctrine. Two important Supreme Court cases fleshed out the two injury-in-fact requirements that plaintiffs must meet to bring suit: Clapper v. Amnesty International USA45 on imminence, and Spokeo on concreteness. The In re OPM opinion improperly applied this guidance when analyzing both requirements, however, revealing the incompatibility of the Court’s injury-in-fact precedent with a “future injury” theory in the data breach context. This analytical difficulty has stymied other lower courts as well, and the ensuing incoherence of standing doctrine in the data breach context illustrates the need for novel, more fitting legal theories.
By relying on speculation about the hackers’ future actions to find imminent injury, the D.C. Circuit did not faithfully apply Clapper’s imminence test. In Clapper, the Supreme Court held that a “substantial risk” of injury could render it imminent,46 but severely cabined this theory by disfavoring speculation about a “chain of possibilities” that rested on “the decisions of independent actors.”47 The Clapper plaintiffs had claimed that a statute authorizing government surveillance of certain foreigners created a risk of future injury, namely that the government might overhear the plaintiffs’ sensitive communications with those foreigners.48 The Clapper Court dismissed this claim, refusing to assess the likelihood that the government would make particular choices — the choice to surveil a specific individual, for example — in future, hypothetical surveillance decisions.49 In In re OPM, however, the court did speculate about the decisionmaking of independent, third-party actors — the cyberattackers.50 More specifically, to evaluate imminence, the majority made multiple inferences about what was likely to be true about the hackers: they did not conduct the attack for espionage purposes, and they had both the ability and intent to use the stolen data for future identity theft and fraud.51 This chain of speculative inferences about independent actors resembled the Clapper dissent’s musings on the history of government surveillance52 far more closely than it did the Clapper majority’s desire to reduce judicial guessing.53 The D.C. Circuit’s imminence analysis thus did not comply with the Supreme Court’s holding in Clapper.
The D.C. Circuit also did not adequately evaluate whether the plaintiffs’ theory of injury — risk of future injury — was concrete under the Supreme Court’s Spokeo analysis. Instead, the court relied on its own precedent that identity theft itself is a concrete injury. In Spokeo, the Supreme Court acknowledged that “risk of real harm” could satisfy the concreteness requirement if the alleged injury (1) paralleled injuries rooted in the common law, or (2) violated a right expressly protected by statute.54 In explicitly delineating how risk of harm might satisfy its test,55 Spokeo implied that the concreteness of the risk should be analyzed when risk stands in for the actual injury. Although this analysis extends to all cases that involve injury in fact, the In re OPM opinion referenced Spokeo in just one paragraph, and only cursorily to quote blanket statements about the three basic elements of Article III standing.56 The resolution of the concreteness requirement consisted of a conclusory citation to the D.C. Circuit’s previous ruling in Attias v. CareFirst, Inc.,57 where it established that “identity theft . . . constitute[s] a concrete . . . injury,”58 but the court did not engage further with Spokeo’s concreteness requirement. This analytical move elided the actual question that Spokeo suggested should be answered here: whether the plaintiff’s theory of injury — substituting risk of future injury for actual injury (identity theft) — was sufficiently concrete. The court thus sidestepped the more contentious question of whether the risk of future injury alleged by these plaintiffs was sufficiently concrete.
These inconsistencies between the reasoning of the D.C. Circuit and that of the Supreme Court demonstrate the difficulty of wrestling the square peg of risk of future injury into the round hole of injury-in-fact analysis. As previously acknowledged, both Clapper and Spokeo did suggest that “substantial risk” could theoretically meet the requirements for injury in fact. However, the imminence and concreteness tests actually articulated by the Supreme Court have created a tricky conundrum for lower courts. Analyzing a theory of future injury forces courts to speculate about the future: after all, any activity, no matter how innocuous, will always create some risk of future injury, so courts must have some way to evaluate how imminent a risk actually is. This challenge is especially acute in the context of a data breach where no plaintiffs have yet suffered actual injury, as the motives and future actions of independent actors are always difficult to know with certainty. Clapper thus seems to actually prohibit a “substantial risk” from constituting an injury in fact in data breach cases, because assessing the gravity of the risk necessarily involves conjecture about the actions of third-party hackers. Similarly, to engage properly with Spokeo, lower courts would have to answer an oddly abstract question: What does it mean for risk of future injury to be “concrete”? Although both the common law59 and statutes60 have protected against the loss of privacy itself, it is less clear that either has expressly classified the exposure of individuals to the possibility of identity theft as a concrete injury. Supreme Court precedent thus placed the In re OPM court in the unenviable position of attempting to vindicate plaintiffs’ claims by reference to a restrictive injury-in-fact doctrine.
This doctrinal difficulty has helped fuel the circuit split61 — and general lack of coherence among federal courts — over what data breach plaintiffs are required to prove to have standing to bring suit. The D.C. Circuit’s In re OPM opinion thus continued the pattern of lower court confusion over how Clapper and Spokeo apply to data breaches. In the absence of clear guidance on how much speculation is really allowed in the imminence analysis, lower courts have interpreted Clapper with varying degrees of strictness.62 Some, like the D.C. Circuit in In re OPM, have used inferences about the intentions and abilities of the hackers as proxies for imminence,63 whereas others have rejected the future injury theory entirely because “future injuries stem from conjectural conduct of a third party . . . and are therefore inadequate to confer standing.”64 Similarly, many lower courts have struggled with Spokeo. Like the D.C. Circuit, most have essentially ignored the Spokeo test in data breach litigation, instead focusing only on imminence and engaging in a cursory concreteness analysis.65 The In re OPM opinion — while ultimately plaintiff-friendly — did not help clarify how lower courts should evaluate whether data breach plaintiffs have standing in the future.
The inconsistency of the D.C. Circuit’s In re OPM analysis with Supreme Court guidance reflects the difficulty of adapting older legal standards to the newer data breach context, especially where plaintiffs allege injury in the form of risk of future harm, a theory that inherently clashes with Supreme Court guidance on standing. Scholars have proposed at least one other theory for injury that might better meet the Court’s standards and thereby alleviate the difficulties faced by lower courts: framing the loss of privacy itself at the moment of the data breach as an injury.66 Although this theory may not be the best or only one that could remedy the analytical deficiencies displayed in In re OPM, it is increasingly important to think more critically about the theories courts adopt to evaluate individuals’ rights and data collectors’ obligations in data privacy.