Last week, the D.C. Circuit joined an increasing number of federal courts applying a broad interpretation of the degree of harm required to satisfy Article III standing and expanding the holding of last summer’s Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016).
In Attias v. CareFirst Inc., No. 16-7108, 2017 U.S. App. LEXIS 13913 (D.C. Cir. Aug. 1, 2017), the Court of Appeals reversed the district court’s dismissal of a putative class action alleging injury stemming from a 2014 cyberattack on health insurer CareFirst. While the district court acknowledged that plaintiffs alleged a heightened risk of identity theft, it ultimately found this risk to fall short of the requirement that plaintiffs’ injury be “actual or imminent.”
Reversing the district court’s decision, the D.C. Circuit stated that the complaint contained two independent sets of allegations sufficient to pass muster under Article III standing. First, the complaint alleged that the breach had exposed customers’ social security and credit card numbers. Second, the customers alleged that hackers stole members’ names, birthdates, email addresses, and subscriber identification numbers. The Court went on to say that this latter allegation “would make up, at the very least, a plausible allegation that plaintiffs face a substantial risk of identity fraud, even if their social security numbers were never exposed to the data thief.” Attias, 2017 U.S. App. LEXIS 13913 at *16.
The Attias decision broadens the circuit split on Article III standing in the context of data breaches. The Third Circuit (see In re Horizon Healthcare Servs. Data Breach Litig., 2017 U.S. App. LEXIS 1019 (3d Cir. Jan. 20, 2017)), Sixth Circuit (see Galaria v. Nationwide Mut. Ins., 663 Fed. Appx. 384 (6th Cir. 2016)), and Seventh Circuit (see Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016); Remijas v. Neiman Marcus Grp., 794 F.3d 688 (7th Cir. 2015)) have all taken similar positions to the D.C. Circuit.
The Second Circuit (see Whalen v. Michaels Stores, Nos. 16-260, 16-352, 2017 U.S. App. LEXIS 7717 (2nd Cir. May 2, 2017)) and Fourth Circuit (see Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017)) have rejected this potential future harm as failing to allege cognizable, impending injury.
The growing circuit split cautions the plaintiffs’ bar and companies alike to keep a watchful eye on the Supreme Court—it is only a matter of time before it weighs back in on the application of Spokeo in cybersecurity litigation.
A link to the D.C. Circuit opinion can be found here.
KMK Legal Alerts and Blog Posts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. Please consult with counsel of your choice regarding any specific questions you may have.
© 2019 Keating Muething & Klekamp PLL. All Rights Reserved