The U.S. Court of Appeals for the D.C. Circuit has now weighed in on whether plaintiffs can bring a putative class action arising from an alleged data breach absent allegations of actual misuse of compromised data. Emphasizing the “low bar to establish [] standing at the pleading stage,” the D.C. Circuit reversed a ruling that the alleged theft of personally identifying policyholder information alone, without any specific allegations of harm, did not satisfy Article III’s standing requirements. In Attias v. CareFirst, Inc., a group of CareFirst customers alleged that a 2014 cyberattack compromised their personal information and thus increased their risk of identity theft from compromised social security numbers and financial information, and also their risk of medical identity theft from compromised health insurance subscriber ID numbers. The district court dismissed their claims, finding that the plaintiffs failed to allege “facts demonstrating a substantial risk that stolen data has been or will be misused in a harmful manner.” Applying the “substantial risk” standard discussed in the Supreme Court’s Clapper v. Amnesty International and Susan B. Anthony List v. Driehaus decisions, the D.C. Circuit reversed.
The D.C. Circuit noted that identity theft is a sufficiently concrete and particularized injury for Article III purposes, so the only issue before the court was whether the allegations showed “that the plaintiffs now face a substantial risk of identity theft” as a result of the alleged breach. Echoing the Seventh Circuit’s 2015 decision addressing the Neiman Marcus data breach, the D.C. Circuit inferred that the alleged attacker(s) had the intent and ability to misuse the data because the purpose of a data breach is, presumably, to make fraudulent charges or commit identity theft. In light of this presumption, the D.C. Circuit reasoned that the alleged theft of either type of information—even before misuse—presented a substantial risk of future injury, which constituted the “actual or imminent” harm necessary for Article III standing. As to the other standing requirements, the court found the alleged harm fairly traceable to CareFirst’s alleged failure to properly secure policyholder information, and that the policyholders’ risk-mitigation expenses satisfied Article III’s redressability requirement.
The D.C. Circuit’s conclusion furthers a circuit split on standing that has deepened since the Supreme Court’s 2016 Spokeo v. Robins decision. In Spokeo, the Supreme Court noted that a bare procedural violation did not necessarily constitute “concrete” harm, and that the Ninth Circuit failed to address whether the alleged harm presented “a degree of risk sufficient to meet the concreteness requirement” of Article III. Even though Spokeo is the Supreme Court’s most recent decision regarding Article III standing, the CareFirst decision relied upon Clapper as the basis for its reversal. It should be noted that these two cases arose from different fact patterns and addressed wholly different statutes and allegations of harm. Nonetheless, there remains disagreement over what meets Article III’s “concreteness” requirement for standing in the privacy class action realm. The D.C. Circuit’s decision seems to align with the Third, Sixth, Seventh, and Eleventh circuits, each of which has permitted consumer data breach suits on the basis of possible future misuse. The Second and Fourth circuits, however, have reached different conclusions in 2017. This split may ultimately increase potential costs of litigation if data breach plaintiffs begin concentrating class action filings in the more “friendly” jurisdictions and avoid courts that do not align with the D.C. and Seventh circuits.