Attias v. CareFirst: D.C. Court of Appeals Weighs In On Standing for Data Breach Class Actions Attias v. CareFirst: D.C. Court of Appeals Weighs In On Standing for Data Breach Class Actions

Attias v. CareFirst: D.C. Court of Appeals Weighs In On Standing for Data Breach Class Actions

On August 1, the District of Columbia Court of Appeals issued its decision in Attias v. CareFirst, Inc., et al., No. 16-7108 (D.C. Cir. Aug. 1, 2017), weighing in on the circuit split developing across the country regarding whether, following a data breach, a plaintiff’s risk of future injury is enough to establish standing under Article III.

In 2014, health insurer CareFirst was the victim of a cyberattack, during which its customers’ personal information was allegedly stolen. Id., slip op. at 2. Certain of CareFirst’s customers brought a putative class action, blaming the breach on CareFirst’s negligence. Id. Plaintiffs sought to certify a class comprised of all District of Columbia, Maryland, and Virginia customers whose personal information had been hacked. Id., slip. op. at 3. On CareFirst’s motion, the district court dismissed plaintiffs’ complaint for lack of standing, finding the risk of future injury to the plaintiffs was too speculative to establish an “injury in fact,” which is a prerequisite of Article III standing. Id., slip op. at 3-4. Specifically, the district court held that plaintiffs’ alleged increase risk of identity theft was too speculative, finding that plaintiffs had not alleged the hackers actually stole their social security or credit card numbers and concluding “[p]laintiffs have not suggested let alone demonstrated, how the CareFirst hackers could steal their identities without access to their social security or credit card numbers.” Attias v. CareFirst, Inc., 199 F. Supp. 3d 193, 201 (D.D.C. 2016).

On appeal, the D.C. Circuit reversed. Considering the question of “whether the plaintiffs have plausibly alleged a risk of future injury that is substantial enough to create Article III standing,” the Court concluded the plaintiffs had done so. Attias v. CareFirst, Inc., et al., No. 16-7108, slip op. at 9 (D.C. Cir. Aug. 1, 2017). Looking to D.C. Circuit precedent, the Court found that “the proper way to analyze an increased-risk-of-harm claim is to consider the ultimate alleged harm”—here, identity theft—“as the concrete and particularized injury and then to determine whether the increased risk of such harm makes injury to an individual citizen sufficiently ‘imminent’ for standing purposes.” Id., slip op. at 11 (internal citations omitted). The Court opined that should it occur, identity theft “would constitute a concrete and particularized injury” to any of the plaintiffs. Id. The issue in this case was “whether the complaint plausibly alleges that the plaintiffs now face a substantial risk of identity theft as a result of CareFirst’s alleged negligence in the data breach.” Id. (emphasis original). The Court disagreed with the district court’s conclusion that the complaint did not allege the breach resulted in the theft of social security or credit card numbers, finding that the complaint actually contained those allegations. Id., slip op. at 12. Finding that the risk of identity theft in this case was “substantial,” the Court found that plaintiffs had satisfied the requirement of an injury in fact. Id., slip op. at 14.

In doing so, the D.C. Circuit has aligned with the growing majority of circuit courts that have opined actual harm is not required to establish Article III standing. See, e.g., Galaria v. Nationwide Mut. Ins. Co., 663 F. App’x 384, 386 (6th Cir. 2016); Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016); Remijas v. Nieman Marcus Group, LLC 794 F.3d 688 (7th Cir. 2015); Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010). But see Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017); Reilly v. Ceridian Corp., 664 F.3d 38, 41-42 (3d Cir. 2011), which conclude that the enhanced risk of future identity theft was too speculative to establish standing under Article III. It is likely that at some point in the near future, the Supreme Court will provide needed guidance to resolve this split regarding what constitutes sufficient future harm to confer data breach plaintiffs with standing under Article III. 

This decision illustrates how quickly the legal landscape is changing in the area of data breach litigation. For guidance on responding to data breaches to minimize the risk of litigation and handling such litigation if it occurs, please contact Stephen Reynolds or Jenny Buchheit. Jenny Buchheit is a partner in Ice Miller’s Litigation and Intellectual Property Group who represents clients at both the trial and appellate levels and focuses much of her work on defending companies in both state and national putative class actions. Stephen Reynolds, a former computer programmer and IT analyst, is a partner in Ice Miller’s Litigation and Intellectual Property Group and co-chair of Ice Miller’s Data Security and Privacy Practice.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
View Full Site View Mobile Optimized