Hutton v. Nat'l Bd. of Examiners in Optometry, Inc.
892 F.3d 613
4th Cir.2018Background
- In July–August 2016 multiple optometrists discovered fraudulent Chase Amazon Visa account applications opened using their personal data (SSNs, DOBs, maiden/former names). Plaintiffs: Hutton, Kaeochinda, Mizrahi.
- Plaintiffs alleged the NBEO collected and stored the only common source of that sensitive data (SSNs, historic names) and that NBEO systems were likely breached; NBEO initially denied, then said it was investigating.
- Plaintiffs filed putative class actions in D. Md. alleging negligence, breach of (implied) contract, unjust enrichment, and sought damages, restitution, injunctive relief.
- District court dismissed both complaints under Fed. R. Civ. P. 12(b)(1) for lack of Article III standing, finding injuries speculative and not fairly traceable to NBEO; relied on Beck v. McDonald.
- Fourth Circuit reviewed de novo and held plaintiffs alleged concrete harms (fraudulent credit-card applications, credit-score drop, mitigation expenses and time) and pleaded sufficient facts linking NBEO as a plausible source of the leaked data.
- Judgment vacated and remanded for further proceedings; redressability was uncontested.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Injury-in-fact: whether plaintiffs pleaded a concrete, particularized, actual or imminent injury | Plaintiffs: receipt/attempts to open fraudulent credit accounts, credit-score drop, mitigation costs and time constitute concrete injuries or imminent harm | NBEO: mere data compromise and mitigation expenses are speculative absent actual misuse; analogous to Beck where no misuse occurred | Held: Plaintiffs pleaded actual misuse (fraudulent applications, credit impacts) and mitigation costs tied to real risk — injury-in-fact satisfied |
| Traceability: whether plaintiffs linked their injuries to NBEO conduct | Plaintiffs: alleged temporal clustering among optometrists, NBEO was only common holder of SSNs and historic names, others didn’t store SSNs or confirmed no breach | NBEO: allegations rest on Facebook chatter and inference; plaintiffs fail to plausibly show NBEO was the source | Held: Complaints contained sufficient factual matter to plausibly trace injuries to NBEO; traceability satisfied |
| Reliance on Beck precedent: whether Beck bars standing here | Plaintiffs: Beck is distinguishable because Beck involved no misuse; here plaintiffs allege actual misuse and concrete effects | NBEO: urges strict application of Beck to deny standing for data-breach claims | Held: Court distinguished Beck — presence of actual fraudulent use separates this case and supports standing |
| Pleading standard at Rule 12(b)(1) for standing: whether district court impermissibly made factual findings | Plaintiffs: district court improperly resolved disputed factual inferences at pleading stage | NBEO: characterizes attack as facial challenge to sufficiency of allegations | Held: Court reviewed de novo, accepted plaintiffs’ factual allegations as true for facial challenge and found them sufficient |
Key Cases Cited
- Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017) (data-breach standing analysis; threat-only harms insufficient where no misuse alleged)
- Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) (injury-in-fact must be concrete and particularized)
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992) (Article III standing elements)
- Ashcroft v. Iqbal, 556 U.S. 662 (2009) (pleading standards: labels and conclusions insufficient)
- Clapper v. Amnesty Int’l USA, 568 U.S. 398 (2013) (imminence and substantial risk in standing context)
- Allen v. Wright, 468 U.S. 737 (1984) (injury must be fairly traceable to defendant’s conduct)
- Students Challenging Regulatory Agency Procedures v. United States, 412 U.S. 669 (1973) (standing not limited to economic harms)
- Friends of the Earth, Inc. v. Gaston Copper Recycling Corp., 204 F.3d 149 (4th Cir. 2000) (fairly traceable standard not equivalent to tort causation)