With cyberattacks seemingly happening with greater frequency, the risk of identity theft for many individuals has grown significantly. However, is the risk of identity theft (as opposed to actually identity theft) after a cyberattack sufficient to sustain a lawsuit for damages? In Attias v. Carefirst, Inc., 865 F.3d 620 (D.C. Cir. 2017), the United States Court of Appeals for the District of Columbia Circuit ruled that the threat of identity theft may be sufficient to establish standing and sustain a lawsuit for damages against the company that was hacked in the cyberattack.
CareFirst and its subsidiaries provide health insurance coverage to approximately 1 million individuals in the District of Columbia, Maryland, and Virginia. In June 2014, a hacker breached 22 CareFirst computers and accessed a database containing personal information of CareFirst customers, including customer names, addresses, subscriber identification numbers, and social security numbers. CareFirst did not discover the breach until April 2015 and did not disclose it to its customers until May 2015. Seven CareFirst customers filed a class action complaint against CareFirst and its subsidiaries in federal court in the District of Columbia alleging breach of contract, negligence, and violations of various state consumer protection statutes, among other claims. The district court dismissed the lawsuit for lack of standing, finding that the alleged injury – increased risk of identity theft resulting from the data breach – was too speculative. The plaintiffs appealed.
After addressing some procedural issues, the appellate court turned to the question of whether the plaintiffs had alleged a sufficient injury to satisfy the “injury-in-fact” requirement for standing under Article III of the Constitution. To this end, a plaintiff must show that he/she has suffered an “injury-in-fact” that is “fairly traceable” to the defendant’s actions and that is “likely to be redressed” by the relief the plaintiff seeks. After reviewing some prior decisions by the United States Supreme Court, the D.C. Circuit explained that a plaintiff may establish standing by satisfying either the “certainly impending” test or the “substantial risk” test. The court then focused on the “substantial risk” test and cited a number of its previous decisions where it ruled that plaintiffs had alleged a “substantial risk” of future injury sufficient to establish standing. The “proper way to analyze an increased-risk-of-harm claim [in the D.C. Circuit] is to consider the ultimate alleged harm . . . as the concrete and particularized injury and then to determine whether the increased risk of such harm makes injury to an individual citizen sufficiently ‘imminent’ for standing purposes.” The court stated that there is no doubt that identify theft constitutes a concrete and particularized injury, but the question before it was whether the plaintiffs alleged that they faced a substantial risk of identity theft as a result of CareFirst’s alleged negligence in connection with the cyberattack.
The court noted that the plaintiffs had alleged CareFirst collected and stored personal identifying information, including personal health information and other sensitive information such as patient credit card and social security numbers, and this information was accessed during the cyberattack on CareFirst. The plaintiffs further alleged that identity thieves could use the information they obtained from CareFirst to open new financial accounts, incur charges in another person’s name, and commit various other acts of financial misconduct. Other potential harm described in the complaint included “medical identity theft,” which can lead to improper medical care, depletion of insurance, ineligibility of health or life insurance, and disqualification from certain jobs. Based on these and other related allegations, the court found that the complaint “plausibly alleges that the CareFirst data breach exposed customers’ social security and credit card numbers.” The court further noted that, based on “experience and common sense,” the plaintiffs “face a substantial risk of identity theft if their social security numbers and credit card numbers were accessed by a network intruder.” Citing to a decision by the United States Court of Appeals for the Seventh Circuit, the court further found that the risk of harm was substantial in that “[w]hy else would hackers break into a . . . database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”
The court then noted that simply alleging an injury alone is not enough to establish standing; the plaintiffs must allege a “fairly traceable [injury] to the challenged conduct of the defendant.” CareFirst argued that the plaintiffs’ injuries were “fairly traceable” only to the identity thieves, which the court acknowledged was somewhat correct and that CareFirst’s failure to secure its customers’ data was one step removed from the causal chain. The D.C. Circuit explained, however, that “Article III standing does not require that the defendant be the most immediate cause, or even a proximate cause, of the plaintiffs’ injuries; it requires only that those injuries be ‘fairly traceable’ to the defendant.” The court then “assume[d], for purposes of the standing analysis, that [the] plaintiffs will prevail on the merits of their claim that CareFirst failed to properly secure their data and thereby subjected them to a substantial risk of identity theft . . . [and, thus, it had] little difficulty concluding that [the plaintiffs’] injury in fact is fairly traceable to CareFirst.”
Lastly, the court found that the plaintiffs satisfied the last element for standing, which is that their injury must likely be redressed with a favorable decision by the court. To this end, the plaintiffs alleged that they had incurred costs to mitigate or avoid the harm of identity theft, such as identity theft protection and monitoring and conducting damage assessments. Thus, the plaintiffs could potentially recoup monetary damages.
With increasing reports of cyberattacks, including the recent report of such an attack on Experian, we are likely to see more and more lawsuits filed against companies that have been hacked. The decision in Attias illustrates how such claims can survive early dismissal from challenges to Article III standing. Companies face substantial exposure to these claims and, thus, should be taking appropriate technological, insurance, and legal precautions to prevent and mitigate against these risks.