May 11th, 2021
In January of 2021, a Pennsylvania federal court judge issued a critical decision on consumer rights when companies fail to secure credit card information. In the case of In re Rutter’s Data Security Breach Litigation (2021), customers of Rutter’s convenience stores filed suit after the company disclosed that hackers had accessed customers’ credit card data over a period of nine months. Chief Judge John E. Johns III determined that companies owe a duty to protect their customers’ sensitive payment information or risk liability for negligence and contractual claims.
Critically, the Rutter’s court concluded the plaintiff customers had cleared a fundamental Constitutional hurdle known as Article III standing. In data breach cases, federal courts disagree as to whether a company’s failure to safeguard consumer information amounts to an “actual injury” that Article III of the U.S. Constitution recognizes as redressable. In other words, injuries that clearly satisfy Article III standing involve circumstances where an individual’s money or property is stolen. However, many courts perceive data breaches as giving rise to merely the possible threat of future harm. That is, if someone’s information is never actually misappropriated by a cybercriminal, the individual should not be permitted to seek legal compensation from the company that was hacked.
The Rutter’s decision strayed from the Fourth Circuit’s evaluation of data breaches in Beck v. McDonald (2017). In Beck, over 7,000 patients at a veterans’ hospital brought suit against the medical center for failing to secure their sensitive information following two data breaches. The stolen data included social security numbers, names, birth dates and other personally identifying information that could be misused for identity theft. Nevertheless, the federal court concluded the claimed injury of “enhanced risk of future identity theft” was “too speculative” and should, therefore, not be remedied by the courts.
In assessing data breach cases, the courts are trying to strike a delicate balance between protecting individuals and imposing reasonable, but not oppressive, standards for businesses that maintain consumer data. Courts are also struggling to define what categories of personal information are sensitive enough to warrant a legal remedy. While addresses and phone numbers almost certainly won’t pass the threshold, medical history, social security numbers and banking information may give rise to claims depending on the jurisdiction.