Consistent with a growing trend among courts nationwide, the D.C. Circuit Court unanimously held that a group of plaintiffs had cleared a “low bar” to establish constitutional standing for their claims in a data breach case against health insurer CareFirst by alleging potential future harm as a result of the breach. The plaintiffs alleged that there was a substantial risk that their personal information could be used for medical identity theft after a breach of CareFirst’s systems. Despite the fact that (i) no actual misuse of the information had yet occurred and (ii) the breach involved medical information, rather than financial or other sensitive information typically involved in successful data breach claims, the D.C. Circuit Court held that the plaintiffs had established standing and their claims could move forward.
In 2016, the U.S. Supreme Court held in Spokeo v. Robins that plaintiffs must allege an actual or imminent injury, not hypothetical harm, to establish standing and proceed past the pleadings stage. The Supreme Court found that plaintiffs cannot rely on statutory violations for standing and remanded the case for the lower court to identify a “concrete injury.” Even after the Supreme Court’s decision, appellate courts have split on how to interpret the standard in data breach cases and whether to find standing based on a risk of harm, and courts are increasingly sympathetic to data breach claims.
The D.C. Circuit Court joins several other circuit courts that have interpreted the pleading standard liberally and in favor of data breach victims. As a result, more claims in these jurisdictions will survive past the pleading stage based on a risk of injury to the individuals affected by a breach. These rulings are largely based on an assumption that the perpetrators of information theft intend to misuse the information, indicating that the bar to claims at the pleading stage would require proof that the breached information could not or would not be used for fraud or identity theft.
Significantly, the D.C. Circuit’s ruling focused on the risk of harm from breaches of information other than financial information and Social Security numbers, which typically form the basis for data breach claims. The D.C. Circuit noted that there was a substantial risk to the plaintiffs of medical identity theft based on a breach of information such as names, birthdates, email addresses, and health insurance policy numbers. In addition to an overall increase in data breach claims based on potential harm, this type of ruling could expand the success of claims based in negligence or other state law doctrines arising out of breaches of health information.
It is likely that the Supreme Court will eventually weigh in on whether plaintiffs have standing in claims arising out of data breaches based on the potential for harm. In the meantime, individuals and entities who maintain personal information, whether financial or medical, should be aware that individuals affected by data breaches are increasingly likely to get their day in court.