U.S. Supreme Court Watch: Whether to Resolve Circuit Split on Standing for Data Breach Plaintiffs

At its first conference this month, the U.S. Supreme Court will consider whether to weigh in on a Circuit split over standing to sue in the aftermath of a data breach. 

In CareFirst, Inc. v. Attias, No. 17-641, CareFirst is petitioning the Court to review a decision from a federal appeals court in the District of Columbia which held that the healthcare plan’s customers had standing to sue for a data breach.  This blog covered the DC Circuit’s decision in August.

To briefly recap, in May 2015, CareFirst, a Blue Cross Blue Shield member company serving about one million customers, announced a data breach.  Shortly thereafter, a group of customers sued CareFirst.  The district court, however, dismissed their complaint, finding that an increased risk of identity theft was too speculative an injury to establish standing.  On appeal, the DC Circuit reversed, holding that plaintiffs’ complaint demonstrated a substantial risk that harm would occur “simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken.”  Attias v. CareFirst, Inc., 865 F.3d 620, 629 (D.C. Cir. 2017).

In its cert petition, CareFirst argues that there is a Circuit split over whether an increased risk of future identity theft – in and of itself – is sufficient to establish standing.  It contends that the Third, Fourth, and Eighth Circuits have held that the increased risk was not enough to establish standing in the following cases:

  • Reilly v. Ceridian Corp., 664 F.3d 38 (3d Cir. 2011);
  • Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), covered here by this blog; and
  • In re SuperValu, Inc., 870 F.3d 763 (8th Cir. 2017) (granting standing to one plaintiff based on an instance of actual credit card fraud), covered here by this blog.

In opposition to the cert petition, plaintiffs argue that each of these cases could be distinguished on the facts, and had these Circuits been presented with the allegations in plaintiffs’ complaint, they, too, would have recognized the plaintiffs’ standing to sue.

The DC Circuit is not alone in granting standing to data breach plaintiffs.  The Sixth (in an unpublished decision), Seventh, and Ninth Circuits have granted standing to plaintiffs based on an increased risk of future identity theft in the following cases:

  • Galaria v. Nationwide Mutual Insurance Co., 663 Fed. Appx. 384 (6th Cir. 2016) (unpublished), covered here by this blog;
  • Lewert v. P.F. Chang's China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016), covered here by this blog;
  • Remijas v. Neiman Marcus Group, 794 F.3d 688 (7th Cir. 2015); and
  • Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010).

We’ll continue to watch and report on this evolving issue.