In a decision that amplifies a circuit court split regarding standing in data breach lawsuits, the D.C. Circuit allowed a case to move forward against CareFirst BlueCross BlueShield (CareFirst) despite a lack of alleged actual identity theft by the plaintiffs. This case joins a growing body of standing cases involving data breaches in the wake of the U.S. Supreme Court’s holding in Spokeo v. Robins.
The complaint arose out of a data breach experienced by CareFirst in June 2014, in which hackers accessed personal information of CareFirst policyholders, including names, birth dates, email addresses and health insurance policy subscriber numbers. The district court concluded that the complaint did not allege that the hackers accessed the plaintiffs’ Social Security and/or credit card numbers. Applying Spokeo, Inc. v. Robins, which requires that the “injury in fact” alleged in the complaint must be “concrete, particularized, and … ‘actual or imminent’ rather than speculative,” the district court found that the increased risk of identity theft due to the breach alleged in the complaint was not “actual or imminent” and dismissed the case.
On appeal, a unanimous three-judge D.C. Circuit panel reinstated the class action, finding that the plaintiffs’ allegation of a substantial risk of identity theft stemming from the breach was sufficient to confer standing. The circuit court concluded that the district court erred in its interpretation of Spokeo v. Robins and noted that, according to guidance under Clapper v. Amnesty International USA, an injury may be sufficiently imminent when there is a “substantial risk” that it will happen.
The circuit court found that the complaint alleged substantial risks of both financial identity theft and medical identity theft. Unlike the district court, the circuit court concluded that the complaint did allege that the hackers gained access to Social Security numbers and credit card information in addition to names, birth dates, email addresses and policy subscriber numbers. The circuit court used “experience and common sense” to find a substantial risk of financial identity theft arising out of the hackers’ access to this information. Importantly, the court did not solely rely on the exposure of Social Security and credit card numbers to reach its conclusion. It also found there to be substantial risk that an impostor could “impersonate the victim and obtain medical services in her name,” even if the impostor had access only to the victim’s non-financial information. These substantial risks of harm exist, according to the circuit court, “simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken.”
With this decision, the D.C. Circuit joins a group of federal appeals courts, including the Third, Sixth, Ninth and Eleventh Circuits, that have smoothed the path to standing for data breach plaintiffs. The decision adds to the growing body of cases in which allegations of substantial risk of future injury are sufficient to confer standing. However, certain courts, including the Second Circuit and the Fourth Circuit, have refused to confer standing in arguably similar circumstances.