Last week, the D.C. Circuit joined an increasing number of federal courts applying a broad interpretation of the degree of harm required to satisfy Article III standing and expanding the holding of last summer’s Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016).
In Attias v. CareFirst Inc., No. 16-7108, 2017 U.S. App. LEXIS 13913 (D.C. Cir. Aug. 1, 2017), the Court of Appeals reversed the district court’s dismissal of a putative class action alleging injury stemming from a 2014 cyberattack on health insurer CareFirst. While the district court acknowledged that plaintiffs alleged a heightened risk of identity theft, it ultimately found this risk to fall short of the requirement that plaintiffs’ injury be “actual or imminent.”
Reversing the district court’s decision, the D.C. Circuit stated that the complaint contained two independent sets of allegations sufficient to pass muster under Article III. First, the complaint alleged that the breach had exposed customers’ social security and credit card numbers. Second, the customers alleged that hackers stole members’ names, birthdates, email addresses, and subscriber identification numbers. The Court went on to say that this latter allegation “would make up, at the very least, a plausible allegation that plaintiffs face a substantial risk of identity fraud, even if their social security numbers were never exposed to the data thief.” Attias, 2017 U.S. App. LEXIS 13913 at *16.
The Attias Court creates a broader circuit split on Article III standing in the context of data breaches. The Third Circuit (see In re Horizon Healthcare Servs. Data Breach Litig., 2017 U.S. App. LEXIS 1019 (3d Cir. Jan. 20, 2017)), Sixth Circuit (see Galaria v. Nationwide Mut. Ins., 663 Fed. Appx. 384 (6th Cir. 2016)), and Seventh Circuit (see Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016); Remijas v. Neiman Marcus Grp., 794 F.3d 688 (7th Cir. 2015)) have all taken similar positions to the D.C. Circuit.
The Second Circuit (see Whalen v. Michaels Stores, Nos. 16-260, 16-352, 2017 U.S. App. LEXIS 7717 (2d Cir. May 2, 2017)) and Fourth Circuit (see Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017)) have rejected this potential future harm as failing to allege cognizable, impending injury.
The growing circuit split cautions the plaintiffs’ bar and companies alike to keep a watchful eye on the Supreme Court—it is only a matter of time before it weighs back in on the application of Spokeo in cybersecurity litigation.
KMK Legal Alerts and Blog Posts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. Please consult with counsel of your choice regarding any specific questions you may have.
© 2019 Keating Muething & Klekamp PLL. All Rights Reserved