New D.C. Circuit Ruling Finds Substantial Risk of Harm Inherent to Data Breach

Last week, the D.C. Circuit joined an increasing number of federal courts applying a broad interpretation of the degree of harm required to satisfy Article III standing and expanding the holding of last summer’s Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016).

In Attias v. CareFirst Inc., No. 16-7108, 2017 U.S. App. LEXIS 13913 (D.C. Cir. Aug. 1, 2017), the Court of Appeals reversed the district court’s dismissal of a putative class action alleging injury stemming from a 2014 cyberattack on health insurer CareFirst.  While the district court acknowledged that plaintiffs alleged a heightened risk of identity theft, it ultimately found this risk to fall short of the requirement that plaintiffs’ injury be “actual or imminent.”

Reversing the district court’s decision, the D.C. Circuit stated that the complaint contained two independent sets of allegations sufficient to pass muster under Article III standing. First, the complaint alleged that the breach had exposed customers’ social security and credit card numbers. Second, the customers also alleged that hackers stole members’ names, birthdates, email addresses, and subscriber identification numbers. The Court went on to say that this latter allegation “would make up, at the very least, a plausible allegation that plaintiffs face a substantial risk of identity fraud, even if their social security numbers were never exposed to the data thief.” Attias, 2017 U.S. App. LEXIS 13913 at *16.

The Attias Court creates a broader circuit split on Article III standing in the context of data breaches. The Third Circuit (see In re Horizon Healthcare Servs. Data Breach Litig., 2017 U.S. App. LEXIS 1019 (3d Cir. Jan. 20, 2017)), Sixth Circuit (see Galaria v. Nationwide Mut. Ins., 663 Fed. Appx. 384 (6th Cir. 2016)), and Seventh Circuit (see Lewart v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016); Remijas v. Neiman Marcus Grp., 794 F.3d 688 (7th Cir. 2015)) have all taken similar positions to the D.C. Circuit.

The Second Circuit (see Whalen v. Michaels Stores, Nos. 16-260, 16-352, 2017 U.S. App. LEXIS 7717 (2nd Cir. May 2, 2017)) and Fourth Circuit (see Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017)) have rejected this potential future harm as failing to allege cognizable, impending injury.

The growing circuit split cautions the plaintiffs’ bar and companies alike to keep a watchful eye on the Supreme Court—it is only a matter of time before it weighs back in on the application of Spokeo in cybersecurity litigation.

A link to the D.C. Circuit opinion can be found here.

KMK Law articles and blog posts are intended to bring attention to developments in the law and are not intended as legal advice for any particular client or any particular situation. The laws/regulations and interpretations thereof are evolving and subject to change. Although we will attempt to update articles/blog posts for material changes, the article/post may not reflect changes in laws/regulations or guidance issued after the date the article/post was published. Please consult with counsel of your choice regarding any specific questions you may have.

