Last week, the D.C. Circuit joined an increasing number of federal courts applying a broad interpretation of the degree of harm required to satisfy Article III standing and expanding the holding of last summer’s Spokeo, Inc. v. Robbins, 136 S. Ct. 1540 (2016).
In Attias v. CareFirst Inc., No. 16-7108, 2017 U.S. App. LEXIS 13913 (D.C. Cir. Aug. 1, 2017), the Court of Appeals reversed the district court’s dismissal of a putative class action alleging injury stemming from a 2014 cyberattack on health insurer CareFirst. While the district court acknowledged that plaintiffs alleged a heightened risk of identity theft, it ultimately found this risk to fall short of the requirement that plaintiffs’ injury be “actual or imminent.”
Reversing the district court’s decision, the D.C. Circuit stated that the complaint alleged two independent sets of allegations sufficient to pass muster under Article III standing. First, the complaint alleged that the breach had exposed customers’ social security and credit card numbers. Second, the customers also alleged that hackers stole members’ names, birthdates, email addresses, and subscriber identification numbers. The Court went on to say that this latter allegation “would make up, at the very least, a plausible allegation that plaintiffs face a substantial risk of identity fraud, even if their social security numbers were never exposed to the data thief.” Attias, 2017 U.S. App. LEXIS 13913 at *16.
The Attias Court creates a broader circuit split on Article III standing in the context of data breaches. The Third Circuit (see In re Horizon Healthcare Servs. Data Breach Litig., 2017 U.S. App. LEXIS 1019 (3d Cir. Jan. 20, 2017)), Sixth Circuit (see Galaria v. Nationwide Mut. Ins., 663 Fed. Appx. 384 (6th Cir. 2016)), and Seventh Circuit (see Lewart v. P.F. Chang’s China Bistro, Inc. 819 F.3d 963 (7th Cir. 2016); Remijas v. Neiman Marcus Grp., 794 F.3d 688 (7th Cir. 2015)) have all taken similar positions to the D.C. Circuit.
The Second Circuit (see Whalen v. Michaels Stores, Nos. 16-260, 16-352, 2017 U.S. App. LEXIS 7717 (2nd Cir. May 2, 2017), and Fourth Circuit (see Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017)) have rejected this potential future harm as failing to allege cognizable, impending injury.
The growing circuit split cautions the plaintiffs’ bar and companies alike to keep a watchful eye on the Supreme Court—it is only a matter of time before it weighs back in on the application of Spokeo in cybersecurity litigation.
A link to the D.C. Circuit opinion can be found here.
KMK Law articles and blog posts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. The laws/regulations and interpretations thereof are evolving and subject to change. Although we will attempt to update articles/blog posts for material changes, the article/post may not reflect changes in laws/regulations or guidance issued after the date the article/post was published. Please consult with counsel of your choice regarding any specific questions you may have.
ADVERTISING MATERIAL.
© 2021 Keating Muething & Klekamp PLL. All Rights Reserved
- Partner
Joe Callow helps clients manage and reduce litigation risk and litigation costs. When litigation arises, he handles and coordinates cases on a national, regional, and local basis.
Joe primarily works on class action and complex ...
Blog Contact: Joseph Callow, Litigation Partner
jcallow@kmklaw.com or 513.579.6419
Topics/Tags
Select- Class Action Litigation
- Coronavirus
- Litigation
- Cybersecurity and Privacy Law
- Data Breach
- Securities Law
- Supreme Court
- E-Discovery
- Intellectual Property
- Social Media
- Trademark
- Trademark Litigation
- Sixth Circuit
- Initial Coin Offering
- Antitrust
- Federal Rules of Civil Procedure
- Bet-the-Company Litigation
- E-Discovery Case Law
- Electronic Data Discovery
- Employment Law
- Workplace Accommodations
- ESI
- GDPR
- General Data Protection Regulation
- Employer Policies
- Labor & Employment Law
- Labor Law
- Cryptocurrency
- SEC
- Securities Litigation
- Technology
- ERISA
- Stock Drop
- Ascertainability
- Drug Enforcement Agency
- Medical Marijuana
- Ohio Foreclosure Reform
- Craft Brewing
- Cybersecurity Regulation
- Copyright Law
- Environmental Law
- Fair Housing Act
- Health Care Act
- Healthcare Reform
- Pregnancy Discrimination
- Religion Discrimination
- Seventh Circuit
- Electronically Stored Information
- Proportionality
- Accommodation
- Americans with Disabilities Act
- Cyber Insurance
- EEOC
- FLSA
- Telecommuting
- Lenders
- Receivership Statute
- Business Process Improvement
- Employment Litigation
- Employer Handbook
- Employer Rules
- National Labor Relations Act
- National Labor Relations Board
- NLRB
- Unions
- E-Discovery Project Plan
- Predictive Coding
- TAR ( Technology Assisted Review)
- Evidence
- Quality Representation
- Subpoena
- Arbitration
- CAFA
- Land Use & Zoning
- Construction Litigation
- Privacy
- Statute of Limitations
- Taxation
- Federal Rule
Recent Posts
- Questioning the Questionnaires: New PPP-Related Litigation Raises Issues for Borrowers
- "You Don't Have to Go Home But You Can't Stay Here": Updates to Ohio and Kentucky’s COVID-19 Orders Impacting Bars & Restaurants
- Kentucky Restaurants Begin Opening with Limited Capacity Amid COVID-19 Epidemic
- Ohio Restaurants and Bars Begin Soft Openings for Diners Amid COVID-19 Epidemic
- Supreme Court Sidesteps “Cy Pres” Challenge
- Golfers, New and Old - Be Careful!
- "Aloha Poke": Social Media and Consumer Perception are Part of the Trademark Enforcement Equation
- GDPR: Less Than 100 Day and Counting to "G-Day" - Here's What You Need to Know
- Rapid SEC Action Against AriseBank Reveals New Playbook For Allegedly Fraudulent ICOs
- Giga Watt ICO Faces Tezos-like Securities Litigation Challenge