John J. Tharp, Jr., United States District Judge
In late 2012, a hacker launched a cyber-attack on the South Carolina Department of Revenue ("SCDOR"). In their initial disclosure of the attack, state officials announced that approximately 3.6 million Social Security numbers, 387,000 credit and debit card numbers, and tax records for 657,000 businesses had been exposed. Media reports called it potentially "the largest cyber-attack ever on a state government," putting "other states on high alert."
Strautins filed South Carolina tax returns for calendar years 2007 through 2010. Am. Compl. ¶ 12. It is undisputed that in August and September 2012, a hacker cyber-attacked the SCDOR. Am. Compl. ¶¶ 14, 16, 17; Def.'s Mot. to Dismiss (Dkt.30) ("Def.'s Mot.") at 2-3. The parties offer competing versions of how the attacks occurred, but for the most part the disputes are not material to Trustwave's challenges to the complaint and can be briefly summarized. Strautins alleges that hackers gained access to SCDOR data through "an exposed portal" on the SCDOR website. Am. Compl. ¶¶ 16-17. She further alleges that the hackers "stole and compromised" her PII and that of a putative class comprising taxpayers who have filed South Carolina tax returns since 1998. Am. Compl. ¶¶ 3, 33.
Trustwave acknowledges that it has provided, and continues to provide, products and services to the SCDOR. Def.'s Mot. at 2. It argues, however, that the data breach was not accomplished through an "exposed portal" on SCDOR's website "or other external vulnerability," but rather was accomplished with authorized user credentials obtained from a "phishing" email sent to, and apparently opened by, a SCDOR employee. Id. at 3-4. More significantly, with respect to the issues presented by its motion, Trustwave takes issue with Strautins' claim that all of the data potentially exposed during the attacks was actually "stolen and compromised," arguing that the complaint lacks allegations to support that conclusion, asserting that most of the credit card numbers affected were encrypted, and pointing to media reports suggesting that only tax data of electronic filers was exposed. Id. at 4. Unlike the question of how the attack occurred, the dispute over what actually occurred during the attack matters to the disposition of the defendant's motion and is discussed in greater detail below.
Strautins accuses Trustwave of "fail[ing] to adequately safeguard, protect and monitor SCDOR's computer systems" and of "fail[ing] to discover and timely report" the data breach "even though it allegedly scanned SCDOR's computer systems on September 14, 2012, and on October 14, 2012." Am. Compl. ¶¶ 25-26. She maintains that Trustwave's actions "and/or inaction" as well as the data breach have placed the other class members and her at an "imminent, immediate and continuing increased risk of identity theft and identity fraud," and that they "will now be required to take the time and effort to mitigate the actual and potential impact of the Data Breach on their lives...." Id. ¶¶ 7, 33. On behalf of a putative class comprising "all individuals and businesses who filed... a South Carolina tax return for any year from 1998 through and including 2011," id. ¶ 44, Strautins asserts claims against Trustwave for: (1) willful violation of the Fair Credit Reporting Act (Count I); (2) negligent violation of the Fair Credit Reporting Act (Count II); (3) negligence (Count III); (4) invasion of privacy by public disclosure of private facts (Count IV); and (5) breach of contract — third party beneficiary (Count V). Id. ¶¶ 55-88.
Trustwave moves to dismiss Strautins' First Amended Complaint for lack of standing pursuant to Federal Rule of Civil Procedure 12(b)(1). Alternatively, it moves for dismissal pursuant to Rule 12(b)(1) for failure to state a claim.
"In essence the question of standing is whether [Strautins] is entitled to have the court decide the merits of the dispute or particular issues." See Apex Digital, Inc. v. Sears, Roebuck & Co., 572 F.3d 440, 443 (7th Cir.2009) (citations and quotations omitted). It is Strautins' burden to show that the requirements of
To establish standing, Strautins must show: (1) that she suffered an injury in fact; (2) that the injury is fairly traceable to Trustwave's actions; and (3) that the injury will likely be redressed with a favorable decision. See Kathrein, 636 F.3d at 914 (citation and quotations omitted). As the Supreme Court recently explained in Clapper v. Amnesty International, to convey standing, the injury alleged "must 'be concrete, particularized, and actual or imminent....'" Clapper v. Amnesty Int'l USA, ___ U.S. ___, 133 S.Ct. 1138, 185 L.Ed.2d 264 (2013) (quoting Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139, 130 S.Ct. 2743, 2752, 177 L.Ed.2d 461 (2010)). The Court added, "Although imminence is concededly a somewhat elastic concept, it cannot be stretched beyond its purpose, which is to ensure that the alleged injury is not too speculative for Article III purposes — that the injury is certainly impending." Id. (emphasis in original) (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 565 n. 2, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992)). "[A]llegations of possible future injury are not sufficient." Id. (emphasis in original) (citations and quotations omitted) (holding that there was no Article III standing where chain of speculative possibilities did not establish that injury based on potential future action was "certainly impending").
Strautins claims that she has standing to bring this lawsuit "because she was damaged as a direct and/or proximate result of Defendant's wrongful actions and/or inaction and the resulting Data Breach." Am. Compl. ¶ 6. More specifically, Strautins claims that she and other class members have incurred the following injuries: (1) untimely and/or inadequate notification of the Data Breach; (2) improper disclosure of PII; (3) loss of privacy; (4) out-of-pocket expenses incurred to mitigate the increased risk of identity theft and/or identity fraud pressed upon them by the Data Breach; (5) the value of time spent mitigating identity theft and/or identity fraud and/or the increased risk of identity theft and/or identity fraud; (6) deprivation of the value of PII; and (7) violations of rights under the Fair Credit Reporting Act. Id. ¶ 90. These claims of injury, however, are too speculative to permit the complaint to go forward. To the extent that they are premised on the mere possibility that her PII was stolen and compromised, and a concomitant increase in the risk that she will become a victim of identity theft, Strautins' claim is too speculative to confer Article III standing. And even if that were not so (and concededly, as discussed below, the issue is not beyond doubt), the Court would nevertheless conclude that the complaint fails to state a claim because it does not plausibly establish that Strautins' PII was in fact "stolen and compromised" and so is too speculative to state a plausible claim for relief. Whether viewed as a matter of standing or pleading, the allegations set forth in the plaintiff's present iteration of her complaint do not suffice to permit further adjudication of her claims.
Strautins first claims that she and the other class members were injured by the untimely and/or inadequate notification of the Data Breach by the SCDOR. Am. Compl. ¶ 90. Strautins claims that while the breach occurred in late August and
As explained in Clapper, however, "allegations of possible future injury are not sufficient" to establish standing. 133 S.Ct. at 1147 (emphasis in original). While acknowledging that "imminence is concededly a somewhat elastic concept,
Clapper compels rejection of Strautins' claim that an increased risk of identity theft is sufficient to satisfy the injury-in-fact requirement for standing. See, e.g., In Re Barnes & Noble Pin Pad Litig., No. 12 C 08617, 2013 WL 4759588, at *2 (N.D.Ill. Sept. 3, 2013) (granting motion to dismiss for lack of standing in part because the plaintiffs did not show an injury that was "certainly impending" under Clapper); Galaria v. Nationwide Mut. Ins. Co., No. 13 C 118, 13 C 257, 998 F.Supp.2d 646, 655, 2014 WL 689703, at *6 (S.D.Ohio Feb. 10, 2014) (same); Hammer v. Sam's East, Inc., No. 12 C 2618, 2013 WL 3756573, at *3 (D.Kan. July 16, 2013) (same). Whether Strautins or other class members actually become victims of identity theft as a result of the data breach depends on a number of variables, such as whether their data was actually taken during the breach, whether it was subsequently sold or otherwise transferred, whether anyone who obtained the data attempted to use it, and whether or not they succeeded. Strautins' complaint, filed less than three weeks after the data breach was first announced by the SCDOR, provides no basis to believe that any of these events have come to pass or are imminent. Like the plaintiffs in Clapper, the harm that Strautins fears is contingent on a chain of attenuated hypothetical events and actions by third parties independent of the defendant. 133 S.Ct. at 1148. Although Strautins does not need to show that it is "literally certain" that she will be a victim of identity theft and/or fraud, she has not alleged facts that would plausibly establish an "imminent" or "certainly impending" risk that she will be victimized. Under Clapper, the mere fact that the risk has been increased does not suffice to establish standing.
Strautins maintains that, notwithstanding Clapper, the Seventh Circuit's opinion in Pisciotta v. Old Nat'l Bancorp, 499 F.3d 629 (7th Cir.2007) controls the standing inquiry in this case. In Pisciotta, the Seventh Circuit held that it had jurisdiction to adjudicate claims arising from the hacking of confidential information consumers had submitted through the defendant bank's on-line application process. Id. at 634. Noting that the plaintiffs alleged neither that they had been victims of identity theft nor that they had incurred any direct financial loss as a result of the breach, the Court of Appeals nevertheless held that "a threat of future harm or ... an act which
Clapper does not completely close the door on probabilistic harm as a basis for standing — harm that is "imminent" or "certainly impending" is, by definition, harm that has not occurred. See Brandt v. Village of Winnetka, 612 F.3d 647, 649 (7th Cir.2010) ("Injury need not be certain. Any pre-enforcement suit entails some element of chance...."). Nevertheless, the import of the Supreme Court's decision in Clapper is that, whatever verbal formulation is used to describe it, the threshold of probability for injuries that have not actually occurred is high. While acknowledging that literal certainty is not required, Clapper seems rather plainly to reject the premise, implicit in Pisciotta and fairly explicit in Elk Grove Village, that any marginal increase in risk is sufficient to confer standing. Indeed, Clapper expressly rejected the Second Circuit's "objectively reasonable likelihood" standard as "inconsistent with our requirement that threatened injury must be certainly impending to constitute injury in fact." See 133 S.Ct. at 1147-48 (internal quotation omitted). It is difficult, to say the least, to reconcile that specific holding, and the Court's emphatic reiteration of the "certainly impending" standard, with the Seventh Circuit's seeming view in Pisciotta that any risk of future harm suffices to confer standing.
Strautins defends Pisciotta's continuing viability only by arguing (in a single sentence) that because Clapper did not purport to change Article III standing law, Pisciotta must remain in force. Whether Clapper changed the law or merely clarified it, however, this Court is required to attempt to apply its teachings faithfully.
Clapper was decided after the principal briefs in this matter had been submitted. Strautins' principal response to Clapper is retreat. Rather than continue to argue that the speculative risk of identity theft provides standing, she notes that she has alleged "far more than the increased risk of identity theft or identity fraud as the basis for her damages." Dkt. 42 at 3. Specifically, Strautins maintains that because her PII was "stolen and compromised" during the attack, she has already been directly injured in a number of ways, such as her loss of privacy and loss of the ability to sell her PII. Id. Because those claims rest on the adequacy of her claim that her data were, in fact, stolen and compromised, the Court turns next to that issue.
Strautins maintains that Trustwave's actions "caused a substantial unauthorized disclosure of Plaintiff's and the other Class Members' PII." Am. Compl. ¶ 5. As this is a motion to dismiss, Strautins is of course entitled to the reasonable inferences that may be drawn from her complaint. See Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009). That said, the Court need not accept as true statements of law or unsupported
Strautins alleges that her PII was "stolen and compromised," Am. Compl. ¶ 3, as a result of the breach of the SCDOR database, but that is a conclusion in need of factual support. Her complaint rests entirely on the assumption that her PII was disclosed because (1) the SCDOR was cyber-attacked and (2) because she filed tax returns in South Carolina. But the fact that hackers gained some access to a SCDOR database does not necessarily mean, or even plausibly suggest, that they obtained access to all of the data in SCDOR's possession, and the complaint provides no basis to infer that the hacker (or hackers) obtained her data.
Strautins points to the SCDOR's press release announcing the data breach as the support for her claim that her data was compromised. In her response brief, she states that "[a]ccording to SCDOR, the Data Breach affected all individuals and businesses that filed, or on whose behalf was filed, a South Carolina tax return for any year from 1998 through and including 2011." Dkt. 35 at 8. She adds, "[A]s the SCDOR website makes clear, any individual who has filed a South Carolina tax return since 1998 is affected." Id. at 8-9. To read Strautins' brief, one would believe that the SCDOR announced that data of all tax filers between 1998 and 2012 had been compromised (and since she was a tax filer, her PII must have been affected too).
But this is not so. The SCDOR makes clear on its website and in its announcements that certain tax filers' PII
The SCDOR offered the one year of free CSID identity protection services to individuals and businesses "whose information was potentially compromised in the security breach ..." and who "may be eligible" if they filed an electronic South Carolina tax return between 1998 and 2012.
Plainly, the data breach did not result in the compromise of data of all taxpayers filing South Carolina returns since 1998 (or, to be more accurate, plainly the SCDOR announcement, on which Strautins relies as the sole support for her claim that her data were compromised, does not support such an inference). Were that the case, there would have been no need to provide a hotline for taxpayers to call to determine whether their data had been exposed. The SCDOR website makes clear that some tax filers may have been affected while others were not, and Strautins' complaint lacks any allegations to plausibly place her into the former group rather than the latter. At most, then, her allegations are "consistent with" the possibility that her data were stolen, but, again, where a complaint pleads facts that are "merely consistent with" a defendant's liability, it "stops short of the line between possibility and plausibility of entitlement to relief."
Accordingly, the complaint fails plausibly to allege that Strautins' PII was stolen and compromised and thus fails in this way too to establish standing to pursue any of her claims. Further, because each of the plaintiff's legal claims are predicated on her inadequate allegations that her data were stolen and compromised,
Finally, a word concerning the plaintiff's assertion of claims against Trustwave under the Fair Credit Reporting Act. Strautins alleges that she and the other class members "suffered (and continue
Even more fundamentally, the FCRA governs only the conduct of "consumer reporting agencies."
For the reasons stated above, the Court concludes that Strautins' claimed injuries are insufficient to establish standing for Article III purposes. Alternatively, in the event that the Court's conclusion about Strautins' standing is in error, the Court concludes that her complaint fails to state a claim for relief. Accordingly, the complaint is dismissed without prejudice. Plaintiff is granted leave to replead within 28 days of the entry of this Order.
15 U.S.C. § 1681a(f).