Hutton v. Nat'l Bd. of Examiners in Optometry, Inc.

• Decision Date: 12 June 2018
• Docket Number: No. 17-1508,No. 17-1506,17-1506
• Citation: 892 F.3d 613
• Parties: Rhonda L. HUTTON, O.D.; Tawny P. Kaeochinda, O.D. on behalf of themselves and all others similarly situated, Plaintiffs–Appellants, v. NATIONAL BOARD OF EXAMINERS IN OPTOMETRY, INC., Defendant–Appellee. Nicole Mizrahi, individually and on behalf of all others similarly situated, Plaintiff–Appellant, v. National Board of Examiners in Optometry, Inc., Defendant–Appellee.
• Court: U.S. Court of Appeals — Fourth Circuit

892 F.3d 613

Rhonda L. HUTTON, O.D.; Tawny P. Kaeochinda, O.D. on behalf of themselves and all others similarly situated, Plaintiffs–Appellants,
v.
NATIONAL BOARD OF EXAMINERS IN OPTOMETRY, INC., Defendant–Appellee.

Nicole Mizrahi, individually and on behalf of all others similarly situated, Plaintiff–Appellant,
v.
National Board of Examiners in Optometry, Inc., Defendant–Appellee.

No. 17-1506
No. 17-1508

United States Court of Appeals, Fourth Circuit.

Argued: January 23, 2018
Decided: June 12, 2018

ARGUED: Norman E. Siegel, STUEVE SIEGEL HANSON, LLP, Kansas City, Missouri, for Appellants. Claudia Drennen McCarron, MULLEN COUGHLIN LLC, Wayne, Pennsylvania, for Appellee. ON BRIEF: Barrett J. Vahle, J. Austin Moore, STUEVE SIEGEL HANSON, LLP, Kansas City, Missouri; Hassan A. Zavareei, TYCKO & ZAVEREEI LLP, Washington, D.C., for Appellants Rhonda L. Hutton and Tawny P. Kaeochinda. Michael Liskow, New York, New York, Carl Malmstrom, WOLF HALDENSTEIN ADLER FREEMAN & HERZ, LLP, Chicago, Illinois; Donald J. Enright, LEVI & KORSINSKY LLP, Washington, D.C., for Appellant Nicole Mizrahi.

Before NIEMEYER, KING, and DIAZ, Circuit Judges.

Vacated and remanded by published opinion. Judge King wrote the opinion, in which Judge Niemeyer and Judge Diaz joined.

KING, Circuit Judge:

892 F.3d 616

These consolidated appeals arise from a breach of personal information maintained in a database of the defendant, the National Board of Examiners in Optometry, Inc. (the "NBEO"). Three optometrists, Rhonda L. Hutton, Tawny P. Kaeochinda, and Nicole Mizrahi (the "Plaintiffs"), as representatives of the putative class of victims, specify in two complaints that their personal information and that of the class members was stolen in the NBEO data breach. Hutton and Kaeochinda joined in the initial complaint—which underlies appeal No. 17-1506—that was filed in the District of Maryland in August 2016. It alleges five claims, including negligence, breach of contract, and breach of implied contract. See Hutton v. Nat'l Bd. of Exam'rs in Optometry, Inc. , No. 1:16-cv-3025 (D. Md. Aug. 30, 2016), ECF No. 1 (the "Hutton Complaint").¹ The complaint of plaintiff Mizrahi—which underlies appeal No. 17-1508—was filed in that court in September 2016, and alleges claims of negligence, breach of contract, breach of implied contract, and unjust enrichment. See Mizrahi v. Nat'l Bd. of Exam'rs in Optometry, Inc. , No. 1:16-cv-3146 (D. Md. Sept. 13, 2016), ECF No. 1 (the "Mizrahi Complaint").² All the claims arise from the NBEO’s failure to adequately safeguard personal information of the Plaintiffs and the class members.

The district court dismissed the Complaints for lack of subject-matter jurisdiction, based on a failure to establish that the Plaintiffs possessed Article III standing to sue. It reasoned, inter alia, that the Complaints had not sufficiently alleged the necessary injury-in-fact and that, in any event, they failed to sufficiently allege that any injuries suffered by the Plaintiffs were fairly traceable to conduct of the NBEO. See Hutton v. Nat'l Bd. of Exam'rs in Optometry, Inc. , No. 1:16-cv-3025 (D. Md. Mar. 22, 2017), ECF No. 19 (the "Opinion"). The Plaintiffs have appealed the judgments of dismissal and the appeals have been consolidated. As explained below, we are satisfied that the Plaintiffs have standing to sue and therefore vacate and remand.

I.

A.

In July 2016, optometrists across the United States noticed that Chase Amazon Visa credit card accounts had been fraudulently opened in their names. See Hutton Compl. ¶ 2; see also Mizrahi Compl. ¶ 2.³

892 F.3d 617

The creation of those fraudulent accounts—which required the use of an applicant’s correct social security number and date of birth—convinced several of the victims that data containing their personal information had been stolen. See Hutton Compl. ¶ 2; see also Mizrahi Compl. ¶ 21. The victims discussed the thefts among themselves in Facebook groups dedicated to optometrists, including, for example, a group called "ODs on Facebook." See Hutton Compl. ¶ 2; see also Mizrahi Compl. ¶ 2. The optometrists determined that the only common source amongst them and to which they had all given their personal information—including social security numbers, names, dates of birth, addresses, and credit card information—was the NBEO, where every graduating optometry student had to submit their personal information to sit for board-certifying exams. See Hutton Compl. ¶ 2; see also Mizrahi Compl. ¶ 3. Although the victim optometrists identified other possible sources for the data breach—for example, the American Optometric Association, the American Academy of Optometry, and the Association of Schools and Colleges of Optometry—those organizations had not collected or stored social security numbers, or they confirmed that their databases had never been breached. See Hutton Compl. ¶ 16; see also Mizrahi Compl. ¶ 23.

The NBEO soon became aware of the concerns and suspicions of the victim optometrists. On August 2, 2016, the NBEO released a statement on its Facebook page asserting that, "[a]fter a thorough investigation and extensive discussions with involved parties," the NBEO had determined that its "information systems [had] NOT been compromised." See Mizrahi Compl. ¶ 4, 25. Two days later, however, the NBEO revised that view, posting a second statement on Facebook asserting that it had decided to further "investigate whether personal data was stolen from [its] information systems to support the perpetrators' fraud on individuals and Chase." See Hutton Compl. ¶¶ 3, 17; see also Mizrahi Compl. ¶¶ 5, 26. Three weeks later, on August 25, 2016, the NBEO revised its earlier announcements "with a cryptic message stating its internal review was still ongoing and that it may take a number of additional weeks to complete." See Hutton Compl. ¶ 17. The NBEO also advised the victims to "remain vigilant in checking their credit." Id.

On August 30, 2016, Hutton and Kaeochinda initiated their civil action in the District of Maryland, pursuant to codified provisions of the Class Action Fairness Act. See 28 U.S.C. § 1332(d)(2). Two weeks later, Mizrahi initiated her own civil action in the same court. Hutton, Kaeochinda, and Mizrahi alleged that their personal information, and that of the class members, had been compromised in a breach of the NBEO’s database. The Plaintiffs—on behalf of themselves and the putative class—sought damages, restitution, and injunctive relief. See Hutton Compl. ¶ 4; see also Mizrahi Compl. ¶ 8.

Hutton, a resident of Kansas, had submitted her personal information to the NBEO in 1998 when she registered to take a professional optometry licensure examination. Eighteen years later, on August 5, 2016, Hutton received by mail a Chase Amazon Visa credit card for which she had not applied. See Hutton Compl. ¶ 5. Although "Hutton" was her married name in 2016, the Chase credit card account was opened in her maiden name, which she had used in 1998 in registering with the NBEO. Id. Hutton alleges that, as a result of her personal information being compromised, she faces an increased risk of identity theft and fraud. Id. Hutton also alleges that she has spent "time and money putting credit freezes in place with the credit

892 F.3d 618

reporting agencies Experian, TransUnion, and Equifax." Id.

Kaeochinda, Hutton’s co-plaintiff, is a resident of California. She submitted her personal information to the NBEO between 2006 and 2008—under an earlier married name—in connection with an optometry licensure examination. See Hutton Compl. ¶ 6. On August 1, 2016, Kaeochinda learned that someone had fraudulently applied for a Chase Amazon Visa credit card account using, among other personal information, her earlier married name. Id. Like Hutton, Kaeochinda alleges that she faces an imminent threat of future harm from identity theft and fraud. Id. Kaeochinda also maintains that she has spent time and money putting credit freezes in place, and by "filing reports with the FTC, FBI, IRS, and her local police department." Id.

Plaintiff Mizrahi alleges that, after learning of the NBEO data breach, she began monitoring her credit score and alerted the credit reporting agency TransUnion to the potential fraudulent use of her personal information. See Mizrahi Compl. ¶ 32. Mizrahi also alleges that, on about August 27, 2016, a credit monitoring service advised her that her credit score had fallen by eleven points due to a credit card application filed under her name just one day earlier. Id. On about September 2, 2016, Mizrahi received a letter from Chase bank advising her of steps to be taken to protect her personal information that may have been compromised, but not specifically stating that any such compromise had occurred. Id. at ¶ 33. When Mizrahi contacted Chase about the letter, a bank representative advised her that a credit card application had been submitted on August 26, 2016, seeking to open a Chase Amazon Visa credit card. The application had used Mizrahi’s address, social security number, and her mother’s maiden name. Id . at ¶ 34. The Mizrahi Complaint alleges that the Chase bank representative informed Mizrahi that the decrease in her credit score was only temporary, but could not be reversed for approximately sixty days. Id. Mizrahi alleges that she thereafter...