***09/06/17 UPDATE***

On Wednesday, September 6, the DC Circuit Court of Appeals granted an unopposed motion to stay its decision that reversed a district court order dismissing a potential class action arising from a 2014 data breach Chantal Attias et al. v. CareFirst Inc. et al., case number 16-7108. The order stays the mandate until December 7, 2017.

***ORIGINAL POST***

Last month, a three-judge panel on the United States Court of Appeals for the District of Columbia unanimously reversed a district court order dismissing a potential class action arising from a 2014 data breach, Chantal Attias et al. v. CareFirst Inc. et al., case number 16-7108. In reversing that order, the court permitted a health insurance company’s customers to proceed against that carrier, CareFirst, which serves one million customers in the District of Columbia, Maryland and Virginia.

In the underlying action, the seven plaintiff/customers attributed the breach to the company’s carelessness and argued that they suffered an increased risk of identity theft as a result. The lower court had ruled that the customers lacked standing because they failed to show a present injury or a likelihood of being injured in the future.

In rejecting that ruling, the appellate court held that the district court gave the complaint an unduly narrow reading:

“The District Court concluded that the plaintiffs had ‘not demonstrated a sufficiently substantial risk of future harm stemming from the breach to establish standing,’ in part because they had ‘not suggested, let alone demonstrated, how the CareFirst hackers could steal their identities without access to their Social Security or credit card numbers.’

“But that conclusion rested on an incorrect premise: that the complaint did not allege the theft of Social Security or credit card numbers in the data breach. In fact, the complaint did.”

The appellate court focused on the likelihood of harm that could arise from the alleged access by the hackers to the plaintiffs’ information as stored by CareFirst (i.e., personally identifiable information, personal health information, and electronic personal health information) and other sensitive information (such as insurance account numbers):

“The complaint thus plausibly alleges that the CareFirst data breach exposed customers’ social security and credit card numbers. CareFirst does not seriously dispute that plaintiffs would face a substantial risk of identity theft if their social security and credit card numbers were accessed by a network intruder, and, drawing on ‘experience and common sense,’ we agree.

“The complaint separately alleges that the ‘combination of members’ names, birth dates, email addresses and subscriber identification number[s] alone qualifies as personal information, and the unauthorized access to said combination of information creates a material risk of identity theft.’ This allegation of risk based solely on theft of health insurance subscriber ID numbers is plausible when taken in conjunction with the complaint’s description of a form of ‘medical identity theft’ in which a fraudster impersonates the victim and obtains medical services in her name. That sort of fraud leads to ‘inaccurate entries in [victims’] medical records’ and ‘can potentially cause victims to receive improper medical care, have their insurance depleted, become ineligible for health or life insurance, or become disqualified from some jobs.’ These portions of the complaint would make up, at the very least, a plausible allegation that plaintiffs face a substantial risk of identity fraud, even if their social security numbers were never exposed to the data thief.”

Given that the appellate court found a “substantial risk of identity fraud” stemming from the data breach, it then addressed the issue of redressability to determine whether an “injury in fact” had been alleged. Here, the court found that the expenses incurred (as alleged by the plaintiffs) – “the cost of responding to the data breach, the cost of acquiring identity theft protection and monitoring, [the] cost of conducting a damage assessment, [and] mitigation costs” – did indeed qualify as an injury in fact redressible by monetary damages.

This decision is the latest entry in a hotly contested debate over what exactly plaintiffs need to establish to sustain negligence or similar claims in the wake of a massive data breach in view of the Supreme Court’s recent 2016 decision in Spokeo v. Robins. The D.C. Circuit has now sided with at least four other circuits, holding that there was a substantial risk that their stolen personal information could be used “for ill” — identity theft or medical harm — even though it had yet to be misused, thereby permitting a more generous standard needed to meet Article III standing requirements. Similar rulings have been handed down by the Third Circuit, the Sixth Circuit, the Seventh Circuit and the Eleventh Circuit.

In opposition is the Second Circuit (holding that a Michaels Stores customer lacked standing to continue with her data breach claims because she had not incurred any actual charges on her card or other concrete injuries) and the Fourth Circuit (holding insufficient that class allegations of patient information theft at a South Carolina veterans hospital were too speculative because plaintiffs had failed to point to any evidence that their data had been misused or even stolen).

Thus, it appears that as data breaches have become more ubiquitous in American life, the courts have become more comfortable in allowing consumer privacy class actions based on data breaches to proceed beyond the pleading stage. In particular, it would appear that as judges have become more familiar with data breaches per se, they have become more knowledgeable regarding the risks raised by data breaches and other forms of data theft (along with the potential for actual harm), and thus more willing to grant standing to breach victims.

However, it appears that the D.C. Circuit may have complicated these standing issues further. Note that the CareFirst holding provides that even if credit card numbers and Social Security numbers had not been exposed, the disclosure of only patients’ names, birth dates, email addresses and policy numbers would have alone been sufficient to support a finding of standing for those plaintiffs. This would be a clear expansion of current standing law in the data breach context.

Consequently, it is likely that with the current split of authority between the circuits, this issue will be presented to the Supreme Court in the near future.

On a practical level, the current split of authority will likely incentivize plaintiffs to shop jurisdictions for nationwide breach class actions to seek those jurisdictions with more generous standing standards – namely, those districts in the D.C., Third, Sixth, Seventh and Eleventh Circuits. Moreover, these more favorable jurisdictions at the same time have further restricted the ability of defendants to terminate actions short of discovery and related pre-trial activity. It is therefore logical to expect such class litigation to gravitate into those circuits.