Is an increased risk of harm sufficient to establish standing in a data breach case? Most courts have avoided an absolute answer, instead weighing the characteristics of the data breach. A recent New York case illustrates the difficulties courts have had with the question, while the Supreme Court considers an opportunity to clarify the answer.
Fero v. Excellus Health Plan
Just weeks ago, the U.S. District Court for the Western District of New York took a U-turn on risk of harm standing. In Fero v. Excellus Health Plan, Inc., the court granted a motion for reconsideration and then denied defendants’ motion to dismiss, which it had previously granted for lack of standing.
Fero involves a healthcare provider, Excellus Health Plan. Plaintiffs allege that hackers gained access in 2013 to Excellus’s computer systems and accessed names, birth dates, social security numbers, mailing addresses, phone numbers, and other medical insurance information. Excellus moved to dismiss for lack of standing. On February 22, 2017, the court concluded that certain plaintiffs “who did not allege that they had suffered any misuse of their personally identifiable information” failed to “allege an injury-in-fact based on the alleged harm of increased risk of identity theft.” The court thus granted the motion to dismiss as to those specific plaintiffs.
Those plaintiffs then moved for reconsideration of the decision as to their claims and cited the Second Circuit’s recent decision in Whalen v. Michaels Stores, Inc., as an intervening change in controlling law that supported reconsideration. In Whalen, the Second Circuit had affirmed an order of the district court which found that a plaintiff failed to allege a cognizable injury resulting from the exposure of her credit card information after a data breach at a Michaels store. The Second Circuit agreed that the plaintiff failed to establish the “threat of future fraud” because her credit card was promptly cancelled and no other personally identifying information was allegedly stolen. The Fero court concluded that the “implication” of the Second Circuit’s language was that “had [the plaintiff] alleged the theft of personally identifying information, she would have had standing based on a threat of future fraud.” While concluding that Whalen “strongly implie[d]” that the Second Circuit would have found standing, it also reasoned that Whalen did not amount to a “change of controlling law” that would justify reconsideration under Rule 60(b). Instead, the court concluded that reconsideration of its dismissal order was warranted, in an exercise of its discretion, to avoid “manifest injustice.”
In the end, the Fero court reasoned that the Second Circuit would deem the theft of personally identifying information, such as social security numbers or birth dates, sufficient to confer standing on a risk of harm theory.
Whether this is an accurate prediction of how the Second Circuit would calibrate risk of harm standing is, of course, speculative, but the Fero court is not alone in finding the question a challenging one. At the time of this writing, the Sixth, Seventh, Ninth, and D.C. Circuits have found standing based on the increased risk of identity theft while the Third, Fourth, and Eighth Circuits have not. In most of these cases, however, the specific facts of each breach determine whether a risk of harm is real enough to confer standing. And the cases do not necessarily assess the facts in the same way. For example, some courts have taken into account costs incurred to avoid future harm, while others, including the Eighth Circuit, have ruled out this fact as a basis for establishing injury in fact.
Attias v. CareFirst
On February 16, 2018, the Supreme Court will decide whether to grant cert in Attias v. CareFirst, another case concerning the question of risk of harm standing. If cert is granted, the Supreme Court will have the opportunity to provide clarity to litigants that seek to bring suit in the wake of data breaches that compromise their personal identifying information.
The Attias case stems from a 2014 data breach in which an unknown hacker gained access to the servers of CareFirst, a health insurer, and stole names, birth dates, email addresses, and subscriber identification information for over one million policyholders. These policyholders brought a proposed class action against CareFirst in the D.C. District Court alleging that CareFirst violated state laws and legal duties by failing to protect their personal information and exposing them to the risk of identity theft.
The District Court held in favor of CareFirst and dismissed the complaint for lack of standing. The court reasoned that the alleged injury was too speculative and that the mere fact that one’s personal information was stolen in a data breach was insufficient to establish standing absent additional facts demonstrating a “sufficiently substantial risk of future harm.”
On appeal, the D.C. Circuit reversed and held that the plaintiffs had plausibly alleged a risk of future injury that was substantial enough to confer Article III standing. The D.C. Circuit explained that “the proper way to analyze an increased-risk-of-harm claim is to consider the ultimate alleged harm”—there, identity theft—“as the concrete and particularized injury and then to determine whether the increased risk of such harm makes injury to an individual citizen sufficiently ‘imminent’ for standing purposes.” Following this reversal, CareFirst petitioned the Supreme Court for certiorari.
CareFirst argues in its cert petition that the D.C. Circuit erroneously held plaintiffs to a “plausibility standard” and incorrectly interpreted the Supreme Court’s “substantial risks” standard and related standing jurisprudence. CareFirst also argues that the Court should grant cert to resolve the deepening circuit split over the issue.
In opposition to the cert petition, Attias argues that a circuit split does not actually exist and that the differing outcomes in the circuit-level decisions can be explained by the substance of the underlying allegations in each case. By way of example, Attias highlights the Eighth Circuit’s decision in SuperValu, which rejected standing based largely on the fact that no personally identifying information such as social security numbers, birth dates, or driver’s license numbers was stolen in the data breach. In contrast, Attias argues, the D.C. Circuit was faced with differing factual allegations and a far more extensive loss of personal identifying information. According to Attias, the courts are simply applying the same law to different factual allegations and there is nothing the Supreme Court need resolve. Attias also contends that the D.C. Circuit correctly applied settled Supreme Court precedent regarding “imminent” injury.
We will know soon whether the Supreme Court takes the opportunity to weigh in.