D.C. Circuit Widens the Split on Standing in Data Breach Cases After Spokeo

The D.C. Circuit recently widened a significant circuit split regarding standing in data breach cases by overturning a district court’s dismissal of a complaint for lack of standing. See Attias v. CareFirst, Inc., D.C. Cir. No. 16-7108.

Courts have long been occupied by the question of whether the mere fact of having personal information subject to unauthorized acquisition is, in itself, an injury sufficient for standing. Hopes were high that the Supreme Court would resolve the issue in Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016). In that case, the Supreme Court held that plaintiffs who allege violations of statutes that contain a private right of action and statutory damages must establish not only “invasion of a legally protected interest,” but also that they suffered a “concrete and particularized” harm, in order to satisfy Article III’s standing requirement. Defense counsel were cheered by the restatement of the law of standing, but plaintiffs have argued that Spokeo opened the door to suits over even the most minor statutory violations, even in the absence of quantifiable damage. The Spokeo ruling has had substantial but unpredictable implications for data breach litigation. Federal courts of appeals have subsequently reached different conclusions about how Spokeo applies to allegations of an increased risk of identity theft following a data breach, with several circuits overtly splitting over the issue.

The recent D.C. Circuit case involves CareFirst, a health insurance company serving customers in the District of Columbia, Maryland, and Virginia, which suffered a cyber attack in June 2014.  In that incident, a hacker allegedly penetrated a database containing the personal information of approximately 1 million CareFirst customers.  CareFirst discovered the breach in April 2015 and notified its customers in May 2015, offering two years of free credit monitoring and identity theft protection.

Shortly thereafter, seven CareFirst customers brought a class action complaint in federal district court, alleging various state law causes of action.  The district court dismissed the complaint for lack of standing under Article III, rejecting the plaintiffs’ argument that they suffered an increased risk of identity theft as a result of the data breach.

On appeal, the D.C. Circuit reversed, concluding that the plaintiffs “plausibly alleged a risk of future injury that is substantial enough to create Article III standing.”  CareFirst, at *5.  Judge Thomas Griffith, writing for the three-judge panel, explained that “[n]obody doubts that identity theft, should it befall one of these plaintiffs, would constitute a concrete and particularized injury,” emphasizing that the remaining question was whether the complaint “plausibly alleges that the plaintiffs now face a substantial risk of identity theft as a result of CareFirst’s alleged negligence in the data breach.”  Id. at *6.

The circuit court’s decision relied heavily on its view that the district court mischaracterized the allegations contained in the complaint. The district court dismissed the complaint in part because it determined that the plaintiffs had “not suggested, let alone demonstrated, how the CareFirst hackers could steal their identities without access to their social security or credit card numbers.” Id. at *6. But the circuit court found that the complaint did allege the theft of social security and credit card numbers by including them in its definition of PII, PHI, and ePHI, and explained that “CareFirst does not seriously dispute that plaintiffs would face a substantial risk of identity theft if their social security and credit card numbers were accessed by a network intruder, and, drawing on ‘experience and common sense,’ we agree.” Id. at *7. Citing similar reasoning from the Seventh Circuit in Remijas v. Neiman Marcus Grp., 794 F.3d 688, 693, the D.C. Circuit stated that in this case “it is much less speculative—at the very least, it is plausible—to infer that [the hacker] has both the intent and the ability to use that data for ill.” Id.

Significantly, the circuit court’s decision did not rely exclusively on the fact that social security numbers and credit card numbers were exposed.  The panel also suggested that the risk of “medical identity theft” (i.e., impersonation of a victim to obtain medical services in her name) using only the plaintiff’s health insurance subscriber identification number would constitute a “plausible allegation that plaintiffs face a substantial risk of identity fraud, even if their social security numbers were never exposed to the data thief.”  Id. at *7.

Finally, the court rounded out its analysis of Article III standing by stating that the injury is “fairly traceable” to CareFirst, assuming for purposes of its analysis that the plaintiffs would prevail on the merits of the claim that CareFirst failed to properly secure their data. Id. at *8. Notably, the circuit court also held that the plaintiffs met the redressability requirement because, where there is a “substantial risk” that a harm will occur, the risk may prompt plaintiffs to reasonably incur costs to mitigate or avoid the harm. Id. at *8 (citing Clapper v. Amnesty International USA, 568 U.S. 398, at 414 n.5 (2013)). The circuit court distinctly elevated the “substantial risk” analysis, originally included as a footnote in the Supreme Court’s decision in Clapper v. Amnesty International USA, to be a key test in future data breach cases, explaining: “No long sequence of uncertain contingencies involving multiple independent actors has to occur before the plaintiffs in this case will suffer any harm; a substantial risk of harm exists already, simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken.” Id. at *5. As a consequence, the court reversed the district court’s dismissal of the complaint for lack of standing and remanded for further proceedings.

The D.C. Circuit’s decision may have significant implications for future data breach litigation, and in particular, litigation over data breaches involving insurance information. In the wake of Spokeo, courts have struggled to identify what constitutes a “concrete and particularized” injury with respect to privacy. The decision of the D.C. Circuit amplifies the circuit split by strengthening the hand of potential class action litigants, and it may signal a potential turning of the tide on the issue of standing when the data breach involves intentional hacking. In contrast, however, the U.S. Court of Appeals for the Second Circuit reached the opposite result in Whalen v. Michaels Stores, Inc., Nos. 16-260 & 16-352 (2d Cir. 2017), affirming the district court’s ruling that standing does not exist based on the mere fact of a reportable data breach involving credit card numbers.

Ultimately, whether data breach plaintiffs can survive a motion to dismiss for lack of standing will continue to be a key issue. The split in the circuit courts will heighten the cost of litigation for all parties and increase the potential risk of liability for companies facing class action suits based on allegations of increased risk of identity theft after a data breach.