CYBER RISK CLIENT ALERT: The Circuit Split Continues When It Comes to Standing in Cybersecurity Litigation

U.S. Supreme Court Denies Cert in Recent Case in Which The D.C. Circuit Concluded That “Risk of Future Harm” Is Sufficient to Prove Standing

Federal Circuit Courts will remain split on what constitutes a “concrete injury” sufficient to establish standing in cybersecurity litigation after the Supreme Court recently denied certiorari in an appeal from the D.C. Circuit Court of Appeals in Attias v. CareFirst, Inc. On August 1, 2017, a three-judge panel in the D.C. Circuit issued a unanimous decision stating that the risk of future harm is sufficient to establish Article III standing in data breach cases. This decision serves as the latest ruling in a continued split among circuit courts across the nation. The District Court’s holding is now final, as the U.S. Supreme Court denied certiorari on February 20, 2018.

At least for the time being, Circuit Courts across the country will remain split on what constitutes a sufficient “concrete injury” that will establish Article III standing as required by the U.S. Supreme Court’s Spokeo decision. For example, the 2d and 4th Circuits have issued opinions holding that plaintiffs cannot establish standing without first demonstrating that their stolen information resulted in actual use or harm, such as fraudulent credit card charges. By contrast, the D.C. Circuit has now joined a group of circuit courts, including the 3d, 6th, 7th and 11th Circuits, which have concluded that the mere exposure of consumer data is sufficient to establish standing.

In the underlying case in Attias, policyholders brought a putative class action against CareFirst BlueCross BlueShield after a 2014 data breach in which 1.1 million members of the Maryland-based health insurer had their personal medical information stolen by hackers. The original claim was dismissed in August 2016 when a U.S. District Judge determined that the policyholders lacked subject matter jurisdiction because they could not trace the data breach to a particular injury, and instead relied solely on a violation of various state consumer protection statutes, including Virginia and Maryland, along with other state law causes of action. Policyholders asked the D.C. Circuit to review the case in January 2017, arguing that the District Court misapplied the U.S. Supreme Court decision in Spokeo Inc. v. Robins.

The D.C. Circuit, relying on the Seventh Circuit decision in Hilary Remijas, et al. v. Neiman Marcus Group, LLC, held that the CareFirst policyholders “cleared the low bar to establish their standing at the pleading stage” by alleging that there was a substantial risk that their stolen personal information could be used for identity theft or medical harm (such as interference with medical devices or implants), even if the actual misuse had not yet occurred. The D.C. Circuit cited the Seventh Circuit’s reasoning in Neiman Marcus, where the court explained that harm was likely to follow from the data breach because hackers do not infiltrate databases and steal personal information for any purpose other than to eventually make fraudulent charges or assume the consumer’s identity. The D.C. Circuit’s decision is yet another important development in the area of cybersecurity litigation, signaling that the courts are trending towards an easier standard that will allow plaintiffs to survive motions to dismiss and pursue legal claims against organizations that have suffered a cybersecurity event.

Implications Beyond The D.C. Circuit’s Decision

The D.C. Circuit’s opinion will significantly impact cybersecurity litigation.

First, the D.C. Circuit’s opinion indicates that defendant companies can no longer rely on the defense that stolen information is unlikely to result in an actual injury. As the Supreme Court has declined to hear CareFirst’s appeal, the D.C. Circuit’s decision stands as good law, and therefore the risk of harm is sufficient to establish standing in that jurisdiction. Defendants were originally successful in defeating data breach lawsuits by arguing that the combination of data that was stolen could not possibly be used for fraud or identity theft. This defense was particularly effective when the stolen data involved credit card or social security numbers. However, the three-judge D.C. Circuit panel held that even the leak of patients’ names, birthdates, email addresses and policy numbers alone constitutes a sufficient injury.

Second, this holding will continue to encourage forum shopping in cybersecurity litigation, given the split among circuit courts. In CareFirst, the putative class was made up of policyholders from Maryland and Virginia, two states that fall within the 4th Circuit. As noted above, the 4th Circuit has held that, without evidence that stolen information was actually used for fraud or identity theft, the claims are too speculative in nature to support a finding that a plaintiff suffered actual harm, yet this matter was litigated within the D.C. Circuit’s jurisdiction. The D.C. Circuit’s opinion has rejected this rationale from the 4th Circuit as well as other courts, and this decision will continue to encourage forum shopping by the plaintiffs’ bar.
