Richard Beck v. Robert McDonald
848 F.3d 262
| 4th Cir. | 2017Background
- Two consolidated class actions by veterans after data breaches at Dorn VAMC: a stolen laptop (Feb. 2013) with ~7,400 patients’ unencrypted data (Beck) and four missing pathology-report boxes (July 2014) with ~2,000 patients’ data (Watson).
- Plaintiffs alleged Privacy Act and APA claims, seeking damages, declaratory relief, and broad injunctive relief (e.g., banning transfers to portable devices until security shown).
- VA notified affected patients and offered one year of free credit monitoring; neither the laptop nor the boxes were recovered and plaintiffs alleged risk of future identity theft and mitigation costs.
- District court dismissed both suits for lack of Article III standing: threatened identity theft was speculative and mitigation costs were self-inflicted; it alternatively granted summary judgment on merits in Beck.
- Fourth Circuit affirmed, holding plaintiffs failed to show a concrete, imminent injury-in-fact or a substantial risk justifying standing to pursue Privacy Act damages or APA injunctive relief.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Standing based on increased risk of future identity theft | Theft of items containing personal data creates a substantial, imminent risk of identity theft | Risk is speculative: no evidence data were accessed or misused and chain of events to harm is attenuated | No standing; risk too speculative under Clapper (no certainly impending injury) |
| Standing based on mitigation costs (credit monitoring, monitoring accounts) | Costs incurred to avoid identity theft are concrete injuries giving standing | Such costs are self-imposed responses to a speculative threat and cannot manufacture standing | No standing; mitigation expenses do not confer injury-in-fact (Clapper) |
| Standing to seek broad injunctive relief under the APA | Past breaches and VA’s remedial offers show ongoing risk and adverse effect warranting injunctive relief | Past violations alone do not show real and immediate threat of future injury needed for injunctive relief | No standing for injunctive relief; past exposure insufficient without substantial likelihood of recurrence (Lyons) |
| Whether statistical or remedial measures (e.g., credit-monitoring offers, breach statistics) establish substantial risk | Plaintiffs: statistics and VA’s offer show substantial risk and reasonable mitigation need | Defendants: statistics are general; offering credit monitoring shouldn't be treated as admission of imminent risk | No; statistics and remedial offers insufficient to show a substantial, particularized risk of imminent harm |
Key Cases Cited
- Clapper v. Amnesty Int'l USA, 133 S. Ct. 1138 (2013) (threatened injury must be "certainly impending"; speculative chains of events insufficient for standing)
- Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016) (injury-in-fact must be concrete and particularized; statutory violations do not automatically confer Article III injury)
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (1992) (standing elements require appropriate evidentiary showing at each litigation stage)
- Whitmore v. Arkansas, 495 U.S. 149 (1990) (threatened injury must be concrete in quality and temporal imminence)
- Doe v. Chao, 540 U.S. 614 (2004) (Privacy Act plaintiffs must prove actual damages to recover; "adverse effect" identifies potential Article III injury but requires proof)
- City of Los Angeles v. Lyons, 461 U.S. 95 (1983) (past exposure to illegal conduct alone does not establish standing for injunctive relief)
- Remijas v. Neiman Marcus Group, LLC, 794 F.3d 688 (7th Cir. 2015) (recognizes standing where data theft was intentional and evidence showed known fraudulent use)
- Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) (standing where laptop theft was followed by attempted misuse of a named plaintiff’s SSN)
- Pisciotta v. Old National Bancorp, 499 F.3d 629 (7th Cir. 2007) (standing where breach was sophisticated, intentional, and malicious)