Please ensure Javascript is enabled for purposes of website accessibility
Home / Opinion Digests / Business Law / 4th Cir.: Data breach victims have standing for contract claims

4th Cir.: Data breach victims have standing for contract claims

After credit cards were fraudulently opened in their names, a class of optometrists alleged an injury in fact traceable to their professional organization.


In July 2016, optometrists across the nation noticed that Chase Amazon Visa credit card accounts had been fraudulently opened in their names. The creation of those accounts — which required the use of an applicant’s correct social security number and date of birth — convinced several of the victims that data containing their personal information had been stolen. The optometrists determined that the only common source to which they had all given their personal information — including social security numbers, names, dates of birth, addresses, and credit card information — was the National Board of Examiners in Optometry, where every graduating optometry student had to submit this information to sit for board-certifying exams.

The Board released multiple statements to the effect that it was investigating whether personal data was stolen from its information systems, advising victims to “remain vigilant in checking their credit.”

The Plaintiffs filed class-action lawsuits against the Board, later consolidated, asserting claims of negligence, breach of contract, and breach of implied contract. The district court granted the Board’s motion to dismiss on grounds that the Plaintiffs lacked standing to sue. The Plaintiffs have appealed.


At a minimum, the Plaintiffs have sufficiently alleged an imminent threat of injury to satisfy Article III standing, in stark contrast to Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017).

The Plaintiffs allege that they have already suffered actual harm in the form of identity theft and credit card fraud. They have been concretely injured by the data breach because the fraudsters used — and attempted to use — the Plaintiffs’ personal information to open Chase Amazon Visa credit accounts without their knowledge or approval.

For example, Plaintiff Mizrahi received an alert that her credit score had decreased 11 points due to a credit application that was fraudulently filed with Chase, using her address, social security number, and mother’s maiden name. She had to spend time and resources to repair her credit. Plaintiffs Hutton and Mizrahi both allege that they incurred out-of-pocket costs. And the Plaintiffs also suffered time lost in seeking to respond to fallout from the NBEO data breach. Indeed, they had to purchase credit monitoring services, and they had to notify credit reporting agencies and the IRS of the data breach of their personal information.

Because the injuries the Plaintiffs allege are not speculative, the costs of mitigating measures to safeguard against future identity theft support the other allegations and together readily show sufficient injury-in-fact to satisfy the first element of the standing analysis.


The complaints contain allegations demonstrating that it is both plausible and likely that a breach of the Board’s database resulted in the fraudulent use of the Plaintiffs’ personal information, resulting in their receipt of unsolicited Chase Amazon Visa credit cards.

The complaints allege that a group of optometrists from around the country began to notice that fraudulent Chase accounts were being opened in their names in July 2016. For example, in August 2016, Plaintiffs Hutton and Kaeochinda received their unsolicited Chase Amazon Visa credit cards. Hutton’s fraudulent credit card was applied for in her maiden name — which she had provided to the Board 18 years earlier. Kaeochinda’s unsolicited Chase credit card was applied for in her former married name, which she had provided to the Board several years earlier. In August 2016, Mizrahi was informed by a credit monitoring service of an effort to open a fraudulent credit card account in her name, using personal information she had previously provided to the Board in registering for a professional examination.

The Plaintiffs allege that, amongst the group of optometrists, the Board is the only common source that collected and continued to store social security numbers that were required to open a credit card account and also stored outdated personal information during the relevant periods. Other organizations either do not gather or store Social Security numbers or have confirmed that their databases have not been breached. Accordingly, the complaints contain sufficient factual matter to render the Plaintiffs’ allegations plausible on their face with respect to traceability.

Accordingly, the district court erred in dismissing the complaints for lack of standing.

Vacated and remanded.

Hutton v. Nat’l Bd. of Examiners in Optometry Inc., Case No. 17-1506, June 12, 2018. 4th Cir. (King), from DMD at Baltimore (Bredar). Norman E. Siegel for Appellants; Claudia Drennen McCarron for Appellee. VLW No. 018-2-120, 19 pp.