In our 2016 Privacy Year in Review, we wrote that there was confusion heading into 2017 as to whether data breach-related lawsuits would be dismissed based on findings that no harm had been done. Since then, circuits have continued to split on the Article III standing issue. Some circuits, including the Second, Fourth, and Eighth, have required evidence of actual harm. In the data breach context, harm typically means proof that the plaintiffs have actually suffered fraudulent charges or identity theft. Other circuits, including the Sixth, Seventh, and Ninth, have held that increased risk of harm alone is enough to meet standing requirements.
In Chantal Attias et al. v. CareFirst Inc., the D.C. Circuit weighed in on the debate, holding that standing was sufficient based on the allegedly heightened risk of identity theft and medical fraud resulting from a data breach of a medical insurance company. The Court drew a distinction between this case and Clapper v. Amnesty International USA, where the Supreme Court found that in order for plaintiffs to be considered injured, a number of speculative events would have had to occur. According to the D.C. Circuit, fraudulent claims in CareFirst were at least plausible, as opposed to speculative, because of the type of information that had been stolen in the breach. The plaintiffs alleged that the stolen information included Social Security numbers, credit card numbers, email, names, birthdates, and subscriber numbers.
Unsatisfied with the holding, CareFirst petitioned the Court to stay its decision while it appeals to the Supreme Court. In its petition, the company urges the Court to adopt a standard that would require plaintiffs to demonstrate actual harm, rather than merely relying on the unknown intentions of data thieves.
Tip: Until the Supreme Court resolves the split, companies should be aware that class action standing for data breaches that have not yet resulted in actual harm varies from circuit to circuit. As CareFirst demonstrates, a number of circuits are finding standing even before hackers have used the stolen data for fraudulent purposes.