The D.C. Circuit recently ruled that alleged victims of a data breach have standing to pursue claims, notwithstanding that they have not yet suffered any actual harm as a result of the breach. This ruling adds to the prior circuit court rulings that have reached differing results when addressing the standing issue in data breach cases.
Attias v. CareFirst, Inc., presented a regrettably familiar fact pattern: Plaintiffs were the victims of an alleged data breach at health insurer CareFirst, which exposed their personal and medical data. Plaintiffs filed a class action against CareFirst raising eleven state law causes of action on behalf of a class of all CareFirst customers in Maryland, Virginia, and Washington, D.C.
The District Court concluded that Plaintiffs lacked standing and granted a motion to dismiss based on a defense that has become common in data breach cases: a lack of injury as a result of the breach. In other words, the District Court concluded that Plaintiffs’ personal information had not yet been used to their detriment, and the Complaint did not allege facts to support an inference that it was likely to be so used in the future.
The D.C. Circuit rejected this conclusion and reversed the dismissal. In short, the D.C. Circuit disagreed with the District Court’s conclusion that Plaintiffs did not allege a high likelihood of future injury. To reach this conclusion, the D.C. Circuit adopted the straightforward reasoning of the Seventh Circuit finding standing in a prior data breach case: “Why else would hackers break into a … database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”
By finding standing and reversing the grant of the motion to dismiss, the D.C. Circuit joined the Third, Sixth, Seventh, and Eleventh Circuits in finding standing in a data breach case based solely on the likelihood of future harm. This consensus is not universal, however, as both the Second and Fourth Circuits have refused to find standing in data breach cases based on a risk of theft or misuse alone.
This circuit split will persist, if not grow, as data breaches and the litigation they spawn continue and other circuit courts weigh in. This split of authority, coupled with the growing sophistication, scope, and significance of data breaches, makes this issue a prime candidate for review by the Supreme Court in the near future.
For now, defendants facing a data breach case should be cognizant that the forum may make all the difference and would be well-advised to explore all avenues for transfer to one of the more defendant-friendly circuits before making their first appearance. And, as always, stay tuned to this space for updates on this evolving area of the law.