Where a customer’s personally identifiable information, or PII, was compromised during a data breach, but there were no facts sufficient to show a substantial risk of harm, he has not suffered an injury in fact and therefore does not have standing to sue.
Artur Podroykin purchased a life insurance policy from American Armed Forces Mutual Aid Association, or AAFMAA. To do so, he provided defendant with PII which defendant kept on its servers.
In January 2021, a group known as “DarkSide” executed a ransomware attack on defendant’s computer. DarkSide demanded a ransom in exchange for decryption keys which defendant declined to pay. Plaintiff alleges, on information and belief, that DarkSide, as it has done before, employed a double extortion scheme whereby DarkSide not only encrypted defendant’s data locally on defendant’s computer, but also extracted the data to place on the dark web. Notably, the amended complaint acknowledges that DarkSide no longer maintains websites that are accessible to the public.
AAFMAA argues that plaintiff has not suffered an injury in fact and therefore does not have standing to sue.
Although the Fourth Circuit has not issued an opinion regarding standing in a case with facts identical to those presented here, two recent Fourth Circuit decisions are instructive and indeed dispositive here. Those decisions are Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), and Hutton v. Nat’l Bd. Of Exam’rs in Optometry, Inc., 892 F.3d 613 (4th Cir. 2018).
Here, as in Beck, the allegations are insufficient to confer standing upon plaintiff because (i) plaintiff has not alleged misuse of his PII or facts demonstrating that plaintiff’s PII was the target of the DarkSide’s attack; (ii) plaintiff has not alleged facts sufficient to show a substantial risk of harm (and, in fact, plaintiff’s PII is no longer on the dark web, even if it once was) and (iii) plaintiff’s costs related to the “cost of measures to guard against identity theft, including the costs of credit monitoring services,” are “self-imposed harms” plaintiff “incurred in response to a speculative threat.”
The conclusion that plaintiff lacks standing is supported by the Fourth Circuit’s decision in Hutton, which found standing because the Hutton plaintiffs had demonstrated actual misuse. Specifically, the Hutton plaintiffs alleged that they had “already suffered actual harm in the form of identity theft and credit card fraud” because their personal information had been used “to open Chase Amazon Visa credit card accounts without their knowledge or approval.”
Thus, in Hutton, there was no need to speculate on whether substantial harm will befall the plaintiffs because substantial harm had already occurred. Unlike in Hutton, plaintiff here does not allege that he “already suffered actual harm in the form of identity theft and credit card fraud” due to fraudulent credit lines or any other form of actual misuse. Thus, plaintiff here, unlike in Hutton, is “speculat[ing] on whether substantial harm will befall.”
Plaintiff nevertheless argues that he has experienced significant emotional distress sufficient to confer standing. But plaintiff has not demonstrated any substantial risk of identity theft that could plausibly lead to emotional distress.
Second, plaintiff alleges that one component of defendant’s services is the explicit and implicit promise to protect PII, and that had plaintiff known that defendant could not protect plaintiff’s PII, plaintiff would have paid less for services. But the Fourth Circuit has never held that an overpayment or benefit-of-the-bargain theory in a data breach context is sufficient to confer standing.
Finally, plaintiff argues that his PII’s value has been diminished, thereby conferring standing. To begin with, many courts have “routinely rejected the proposition that an individual’s personal identifying information has an independent monetary value.” And in any event, even courts that are willing to consider diminution in the value of PII as a basis for standing do so when there are allegations of some concrete injury, such as “lower credit scores” or “fraudulent accounts and tax returns . . . filed in [plaintiff’s] name[.]” Here, of course, plaintiff cannot even allege that his PII has been misused, and so plaintiff here cannot argue that the value of his PII has been diminished.
Defendant’s motion to dismiss granted.
Podroykin v. American Armed Forces Mutual Aid Association, Case No. 1:21-cv-588, Oct. 11, 2022. EDVA at Alexandria (Ellis). VLW 022-3-466. 10 pp.