On August 1, 2017, a unanimous three-judge panel for the D.C. Circuit reversed the dismissal of a putative data breach class action against health insurer CareFirst, Attias v. CareFirst, Inc., No. 16-7108, slip op. (D.C. Cir. Aug. 1, 2017), finding the risk of future injury was not too speculative to establish injury in fact under Article III.

The litigation arose from a 2014 data breach involving various types of identifying data. However, the parties disagreed about whether the complaint only alleged the theft of information such as customer names, addresses, and subscriber ID numbers, or whether Social Security numbers and certain payment card information also were exposed. The court found that the complaint did in fact allege the theft of Social Security numbers and payment card information.

Rule 12(b)(1) standing arguments decided on risk of future injury – Declining to decide whether actual fraud had yet occurred, the court nevertheless concluded that the plaintiffs had plausibly alleged a risk of future injury. This future injury was substantial enough to satisfy Article III standing based on, among other things, the data elements actually accessed by hackers on the defendants’ servers, such as Social Security numbers and payment card information. The court’s opinion also identified allegations of “medical identity theft” that was possible with the theft of health insurance subscriber ID numbers alone. According to the court, such allegations “at the very least” created “a plausible allegation that plaintiffs face a substantial risk of identity fraud, even if their [S]ocial [S]ecurity numbers were never exposed.”

Further, and distinguishing the Supreme Court of the United States’ opinion in Clapper v. Amnesty Int’l USA, 568 U.S. 398 (2013), the appellate court found the risk of future harm in the instant case was more substantial because hackers already had accessed customer information and had “both the intent and ability to use that data for ill.” The court also stated that the failure to properly secure customer data, thus subjecting those customers to a substantial risk of identity theft, was “fairly traceable” to the defendants, and that mitigation costs in response to a substantial risk of harm could be redressed with monetary damages.

While the case has been remanded to the district court for further proceedings, it signals that data breach litigants are more likely to weather a standing challenge in specific federal circuits, now including the D.C. Circuit, based solely on allegations of future harm in certain types of data breach cases.