First Circuit Revives Data Breach Class Action Claims in Webb v. Injured Workers Pharmacy, LLC
Courts and class action counsel have been considering what kinds of injuries can confer standing to pursue federal claims following the Supreme Court’s 2021 decision in TransUnion LLC v. Ramirez, which held that the defendants’ alleged actions that “deprived [plaintiffs] of their right to receive information in the format required by statute” was not sufficient to establish a concrete injury necessary to bring a claim. Ever since the TransUnion decision, the question of what is sufficient injury has been reverberating throughout the lower courts and reaching federal courts of appeal.
The First Circuit has now confronted that question on multiple occasions, including its 2022 decision in Laufer v. Acheson (now on appeal to the Supreme Court) that held “dignitary harm” from discrimination was sufficient, along with allegations of “frustration and humiliation” to confer standing on a serial plaintiff who is a website accessibility tester. For more on Laufer, see our previous post.
And now, in Webb v. Injured Workers Pharmacy, LLC, the First Circuit has again demonstrated a willingness to overturn prior dismissals of class actions on the basis of standing, expanding its application of TransUnion beyond the borders drawn by lower courts. In Webb, the District of Massachusetts had dismissed for lack of injury a class action complaint brought by former pharmacy patients alleging that their sensitive personally identifiable information had been exposed in a data breach affecting more than 75,000 customers. For our analysis of the district court decision, see our prior post.
The First Circuit’s Analysis of Standing Based on Actual Misuse and Material Risk of Future Misuse of Personally Identifiable Information Following a Data Breach
The First Circuit’s decision in Webb is especially notable because it parses concrete injury for standing in the context of a data breach that posed threats to the privacy of class members’ personally identifiable information (PII). In privacy and data breach class actions, questions about concrete injury and standing are evolving and critical inflection points in the litigation with broader implications – if the bar is placed too low by the courts, companies will be subjected to an onslaught of costly litigation for victimless technical errors that could bankrupt entrepreneurs and stall innovation; if the bar is placed too high, consumers could be deprived of their opportunity to correct serious wrongs.
In Webb, the First Circuit closely parsed precedent on standing, including the Supreme Court’s TransUnion decision, and reached fundamentally different conclusions from the lower court in analyzing the same complaint. The lower court’s decision was well-reasoned and closely adhered to the TransUnion analysis. While the lower court held Webb had not made a “plausible connection between the data breach and the filing of the [tax] return” filed by an unknown and unauthorized third-party, the First Circuit did not agree, and held “the complaint’s plausible allegations of actual misuse of Webb’s stolen PII to file a fraudulent tax return suffice to state a concrete injury.” The First Circuit drew a bright line that actual misuse of PII is itself a concrete injury, even absent direct harm to the individual (such as monetary damages). Of key importance, the First Circuit also found that “the complaint plausibly alleges a concrete injury in fact based on the material risk of future misuse of Charley’s PII and a concrete harm caused by exposure to this risk.” In this analysis, the First Circuit reached a radically different conclusion from the lower court on the same pleaded facts, first by deciding the plaintiffs plausibly connected an unauthorized tax return to the breach to establish actual misuse, and then that lost professional time expended to monitor accounts to protect from future identity theft is a concrete injury.
What to Watch for in the Aftermath of the Webb Decision
The Webb decision is certain to have ripple effects, both obvious and unintended.
First, despite the First Circuit’s provisos – that it was not expanding what constitutes concrete injury for standing in data breach cases or providing a pathway for plaintiffs to ‘manufacture standing’ – there is a significant possibility this is the unintended result. Because the court clarified exactly what kind of injury allegations it found to meet the bar for standing, and those allegations largely turn on a plaintiff’s choices following a cybersecurity incident (including the amount of time a plaintiff decides to devote to account monitoring), it is reasonable to expect future complaints to include similar pleaded facts. The decision will also likely lead to an uptick in data breach and privacy class actions in the First Circuit even when plaintiffs cannot demonstrate monetary injury, identity theft, or similar tangible harms.
The First Circuit also left open a number of questions that it declined to reach, such as whether emotional distress, diminution of value of personally identifiable information, loss of personal time, or even exposure of PII in a breach alone can establish concrete injury. I expect these four questions will be the subject of significant debate in future cases. I also expect that plaintiffs’ attorneys will attempt to apply the Webb decision as expansively as possible, opening the door for previously unasserted theories to make their way through the courts. While the First Circuit was careful to emphasize how fact-specific its holding was and how non-exhaustive, non-exclusive, and not “necessarily determinative” the factors it considered are, we will no doubt see plaintiffs’ counsel looking to apply that reasoning to other contexts in new ways.
Finally, it is highly likely that the issues addressed in Webb (if not the case itself) will find their way to the Supreme Court in the future. This is likely not the last we have heard on this case, including because the First Circuit remanded for further proceedings the consideration of the Webb defendant’s arguments that the complaint fails to state a claim on which relief may be granted. Because the original complaint was dismissed for lack of standing, and the lower court did not reach other challenges to the sufficiency of the plaintiffs’ allegations, further briefing and a lower court ruling on those questions will likely follow.
Although the First Circuit’s decision in Webb heightens class action risks following data security incidents and will likely invite an increase in litigation beyond that context, defendants should take some comfort that the decision may ultimately be a pyrrhic victory for class action plaintiffs. This is because the type of harm the First Circuit deemed sufficient to confer standing – actual misuse of an individual’s PII and lost professional time – are likely to be highly variable among class members and require individualized inquiries to determine whether and to what degree each class member incurred injury, especially given the large proportion of putative class members who are unlikely to have suffered any injury at all. Under these circumstances, it is unclear how the plaintiffs would be successful in securing class certification under Rule 23, especially given relevant First Circuit precedent.
The First Circuit reversed the certification of a class action in its 2008 decision In re Asacol Antitrust Litigation on the basis that a class cannot be certified when “individual inquiries” necessary to resolve whether each class member has suffered an injury would “overwhelm common issues.” When such inquiries are required, a plaintiff cannot satisfy Rule 23(b)(3)’s predominance requirement. It is difficult to imagine how the kind of injuries sufficient to secure standing as in Webb would also not preclude class certification for the same reasons. I will be watching the lower court proceedings in Webb with interest to see how the plaintiffs attempt to thread this needle and how the court resolves these issues at the class certification stage, should the case reach that threshold.