In the latest decision in which class action consumer data breach claimants have been successful in establishing the requisite standing to pursue their claims, on August 1, 2017, the D.C. Circuit held that the claimants’ risk of future harm is sufficient to meet Article III standing requirements. This decision is the latest in a growing number of federal circuit decisions finding that data breach claimants have satisfied standing requirements, but it also deepens a circuit split that could mean eventual U.S. Supreme Court review of the issue. The D.C. Circuit’s August 1 opinion in the Attias v. CareFirst case can be found here.
Background Regarding Standing Issues
For many years, defendants in data breach suits were successful in having claims dismissed based on their argument that the plaintiffs had not alleged a sufficient injury in fact to satisfy the standing requirements under Article III of the U.S. Constitution. The defendants’ ability to assert this defense suffered a substantial setback in the Seventh Circuit’s July 2015 decision in the Neiman Marcus case, when the appellate court held that the plaintiffs’ fear of future harm from the breach was sufficient to establish standing to pursue their claims, as discussed here.
The defendants’ ability to raise the standing defense appeared to receive a substantial boost with the U.S. Supreme Court’s May 2016 decision in Spokeo, Inc. v. Robins, in which, as discussed here, the Court held that in order to establish Article III standing, a plaintiff must show that he or she has suffered “an invasion of a legally protected interest” that is “concrete and particularized” and “actual or imminent, not conjectural or hypothetical.”
In the wake of these decisions, litigants have been engaged in a substantial debate about what plaintiffs must allege in order to satisfy the standing requirements. The D.C. Circuit’s decision in the CareFirst case is the latest in a series of federal appellate court rulings in which the courts have held that fear of future harm is sufficient for consumer data breach claimants to establish standing.
The D.C. Circuit’s Opinion in CareFirst
CareFirst is a health insurer that suffered a data breach in June 2014. Several CareFirst customers filed a data breach-related class action asserting eleven different state-law causes of action, including breach of contract, negligence, and violation of various state consumer protection statutes. The defendants filed a motion to dismiss, alleging among other things that the plaintiffs had failed to sufficiently establish their standing to assert their claims owing to the lack of a sufficiently concrete injury allegation. The district court agreed, ruling among other things that the claimants’ allegations of risk of future identity theft were too speculative, and concluding that the plaintiffs had failed to suggest how the CareFirst hackers could steal their identities based on the information that had been accessed. The plaintiffs appealed.
In an August 1, 2017 opinion written by Judge Thomas B. Griffith for a unanimous three-judge panel, the D.C. Circuit reversed the district court, holding that the plaintiffs “have cleared the low bar to establish standing at the pleading stage.”
In reaching this decision, the appellate court said that “nobody doubts that identity theft, should it befall one of these plaintiffs, would constitute a concrete and particularized injury.” The remaining question, the court said, was “whether the complaint plausibly alleges that the plaintiffs now face a substantial risk of identity theft as a result of CareFirst’s alleged negligence.”
The district court’s conclusion that plaintiffs had not met these requirements, the appellate court said, rested on an “incorrect premise” that the complaint did not allege the theft of social security or credit card numbers that would facilitate identity theft. The appellate court, reviewing the record, concluded that the complaint alleged theft of categories of information that include social security and credit card information, and the combination of information that the plaintiffs had alleged had been stolen “make up, at the very least, a plausible allegation that plaintiffs face a substantial risk of identity fraud, even if their social security numbers were never exposed.”
The court added that “it is much less speculative – at the very least, it is plausible – to infer that [the hacker] has both the intent and ability to use that data for ill.” In that regard, the court cited the Seventh Circuit’s decision in the Neiman Marcus case to the effect that “Why else would hackers break into a … database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those customers’ identity.”
Growing Circuit Split
In reaching its conclusion, the D.C. Circuit joined a growing number of federal appellate courts that have concluded that alleged risk of future harm is sufficient to establish standing in consumer data breach lawsuits. These other appellate courts include the Seventh Circuit, whose decision in the Neiman Marcus case the D.C. Circuit cited with approval, as well as the Sixth Circuit, which reached a similar conclusion in its September 2016 decision in Galaria v. Nationwide Mutual Insurance Company (here). Other federal appellate decisions reaching a similar conclusion include the Third Circuit’s January 2017 decision in the Horizon Healthcare Services data breach litigation (here) and the Eleventh Circuit’s decision in Resnick v. Avmed (here).
One reason that many courts are proving receptive to these arguments may be that judges are becoming more familiar with the consequences that may follow after a data breach has occurred. As discussed in an August 3, 2017 Law 360 article analyzing the D.C. Circuit’s opinion in the CareFirst case (here, subscription required), courts initially may have been reluctant to allow these kinds of cases to go forward, but that seems to be shifting based on the judges’ “growing familiarity with how such intrusions play out.” Judges, commentators quoted in the article suggest, “are becoming more knowledgeable about how [data breaches] unfold and what risks may arise from their theft of consumer data.”
According to one commentator cited in the Law 360 article, “both the bench and the plaintiffs’ bar have evolved their understanding of data breaches and the harms they potentially cause.” Many courts seem to recognize the suggestion raised in the Neiman Marcus case that the entire reason the hackers are trying to steal the personal information is to try to accomplish an identity theft and that sooner or later hackers with access to the information will try.
However, these views about the likelihood of future harm and their sufficiency to establish standing are not uniform. On May 2, 2017, in the Whalen v. Michaels Stores decision (here), the Second Circuit rejected the claimants’ argument that the threat of future harm was sufficient to establish standing. Similarly, in February 2017, the Fourth Circuit held in the Veterans’ data breach case, Beck v. McDonald (here), that the claimants’ allegations of potential future harm were insufficient to establish standing.
Consequences of Circuit Split
This split of authority on a critical threshold pleading issue clearly sets up the context for forum selection. Plaintiffs have obvious incentives to file their suit in a federal circuit where the appellate court has proven to be receptive to the standing arguments.
The split within the circuits and the likelihood of forum shopping are the very kinds of things that often trigger the U.S. Supreme Court’s willingness to take up an issue. Indeed, as the Law 360 article notes, with the D.C. Circuit’s recent decision deepening the circuit split, “it’s likely only a matter of time before the Supreme Court weighs in on the issue of whether a substantial likelihood of harm is adequate to establish standing in data breach class actions, or if more substantial harm is necessary.” A commentator quoted in the article adds that “This is one of those fundamental, philosophical, jurisprudential questions that the Supreme Court was designed to resolve.”
These developments on standing issues are only one of several ways in which plaintiffs’ efforts to pursue consumer data breach actions are gaining momentum. The June 2017 announcement that Aetna would pay $115 million to settle the consumer data breach class action that had been filed against the company following a cyberattack clearly underscores that this type of litigation represents a significant cyber security exposure that companies face. These developments underscore how important it now is for all organizations to consider carefully their privacy and network security insurance options.