Supreme Court Rejection of CareFirst Review Prolongs Data Breach Standing Circuit Split

On Feb. 21, the U.S. Supreme Court declined to grant certiorari in CareFirst, Inc. v. Attias, No. 17-641, in which the U.S. Court of Appeals for the District of Co­lumbia Circuit held that data breach victims could—at the pleading stage—establish standing to sue under Ar­ticle III of the U.S. Constitution based solely on the risk of future identity theft. Last month, the Court denied re­view in a similar data security case from the Ninth Cir­cuit, Robins v. Spokeo, Inc., 867 F.3d 1108 (9th Cir. 2017), which found that, as a matter of pleading, the “concrete injury”requirement for standing could po­tentially be satisfied based on a future injury related to false background information published by a website.