Supreme Court Asked, Again, to Weigh In on Data Breach Standing as Circuit Split Widens

CareFirst, a large health care company involved in a data breach case, has asked the U.S. Supreme Court to weigh in on whether victims can establish Article III standing to sue for the risk of future identity theft. The issue has split the federal appellate courts, with the U.S. Court of Appeals for the District of Columbia recently holding in CareFirst v. Attias that consumers could successfully plead such a claim.

Earlier this year, the high court declined to review another data breach case, Robins v. Spokeo,after the Ninth Circuit found that a plaintiff might be able to plead future injury related to false background information published by a website as an intangible injury sufficient to satisfy the “concrete injury” requirement for standing.

At issue in the CareFirst case is whether consumers can assert claims for the risk of harm due to the potential misuse of information obtained through a data breach. The district court dismissed complaints related to a 2015 breach at the large health care company, finding that increased risk of identity theft was too speculative to establish standing. The D.C. Circuit reversed, holding that plaintiffs demonstrated a substantial risk of future harm “by virtue of the hack and the nature of the data.”