Standing – On Its Head – in Privacy Cases After CareFirst

Privacy & Cybersecurity Newsletter
April 2018

The U.S. Supreme Court recently declined to review CareFirst Inc. v. Attias, a data breach standing case. For those hoping for resolution of a notable circuit split over what constitutes Article III standing at the pleading stage, the wait continues.

In CareFirst Inc. v. Attias, the Supreme Court’s rejection leaves intact a decision by the District of Columbia Circuit Court of Appeals. Plaintiffs asserted that a data breach suffered by their health insurer exposed their personal information and created risk of harm to them. The federal district court dismissed the putative class action, holding that the plaintiffs’ allegations were “too speculative to establish injury in fact.” In August 2017, the D.C. Circuit reversed, chiding the lower court for “an unduly narrow reading” of the law and holding that plaintiffs had “cleared the low bar to establish their standing at the pleading stage.” According to the appellate decision, “all [of the] plaintiffs … have standing to sue CareFirst based on their heightened risk of future identity theft ….” The opinion also stated that the court had “little difficulty concluding that their injury in fact is fairly traceable to CareFirst.”

The CareFirst appellate decision – recognizing Article III standing from a substantial risk of future injury – joins similar outcomes from several other circuits. One such very recent decision came from the Ninth Circuit Court of Appeals in In re:, Inc., Customer Data Security Breach Litigation. The court reversed the lower court’s dismissal of plaintiffs’ action and stated that plaintiffs had “sufficiently alleged standing based on the risk of identity theft.”

The competing position from other circuits is illustrated by the Eighth Circuit Court of Appeals. In In re: SuperValu, Inc., Customer Data Security Breach Litigation, various plaintiffs sued several supermarket defendants following the theft of credit and debit card information from defendants’ systems. In August 2017, the Eighth Circuit affirmed the lower court’s dismissal of a class action for all but one specific plaintiff. The court held that the plaintiffs’ complaint did not “adequately allege[] that plaintiffs face a ‘certainly impending’ or ‘substantial risk’ of identity theft as a result of the data breaches purportedly caused by defendants’ deficient security practices.” As noted by the court, “a mere possibility [of injury] is not enough for standing.” On March 7, 2018, the lower court on remand dismissed the action as to the lone plaintiff remaining after the appellate decision.

Absent guidance from the U.S. Supreme Court, divergent decisions are likely to continue to emerge from the various circuits. It remains to be seen whether plaintiffs will engage in forum shopping to seek out the jurisdictions that are more likely to hold that the risk of future harm satisfies standing requirements. Uncertainty may also arise where circuits that have tended to one position or the other on the future harm issue may rule differently based on the facts of a particular case. The decisions will continue to be influenced by the specific details of a breach, the information affected, and the allegations about harm and risk of harm. Further, it bears watching whether there is a case that will one day pique the U.S. Supreme Court’s interest. Finally, it is worth remembering that this debate over standing is just one step of the litigation journey. Even if or when cases survive standing challenges, there will still be disputes over motions to dismiss and motions for summary judgment and battles over proof at trial.