The U.S. Court of Appeals for the D.C. Circuit, emphasizing the “low bar to establish [] standing at the pleading stage,” ruled that the theft of personally identifying policyholder information presented a substantial risk of harm to class plaintiffs. In Attias v. CareFirst, Inc., a group of CareFirst customers alleged that a 2014 cyberattack compromised their personal information and thus increased their risk of identity theft from compromised social security numbers and financial information, and also their risk of medical identity theft from compromised health insurance subscriber ID numbers. Echoing the Seventh Circuit’s 2015 decision regarding the Neiman Marcus data breach, the D.C. Circuit inferred that the attacker(s) had the intent and ability to misuse the data because the purpose of a data breach is, presumably, to make fraudulent charges or commit identity theft. The D.C. Circuit reasoned that the theft of either type of information—even before misuse—presented a substantial risk of material harm, and that this “substantial” risk constituted the “actual or imminent” harm necessary for Article III standing, as required by the Supreme Court’s Spokeo v. Robins decision.

The D.C. Circuit’s discussion of “actual or imminent harm” represents one of the less restrictive applications of Spokeo and may lead to more claims surviving motions to dismiss. As to the other standing requirements, the court found that the alleged harm was fairly traceable to CareFirst’s alleged failure to properly secure policyholder information and that the policyholders’ risk-mitigation expenses satisfied Article III’s redressability requirement.