The U.S. Court of Appeals for the D.C. Circuit has held that allegations of a heightened risk of future identity theft resulting from a data breach established a concrete injury at the pleading stage. The Aug. 1 ruling places the D.C. Circuit in the middle of a circuit split and squarely on the side of those circuits which hold that the increased risk of identity fraud from a data breach is an “actual or imminent” injury constitutionally sufficient to create standing to bring a data breach action.
CareFirst Inc. and its subsidiaries are a group of health insurance companies. When customers purchase CareFirst’s policies, they provide their personal information to the company, including their names, birthdates, email addresses, social security numbers and credit card information. CareFirst then assigns each customer a subscriber identification number.
In June 2014, an unknown hacker accessed a CareFirst database containing personal information of its customers. CareFirst did not discover the breach until April 2015 and notified its customers in May 2015. Seven CareFirst customers brought a putative class action against CareFirst and its subsidiaries, alleging 11 different state causes of action, including breach of contract, negligence and violations of various state consumer protection statutes.
The district court dismissed the plaintiffs’ complaint without prejudice, holding that the plaintiffs lacked standing because they had alleged neither a present injury nor a high enough likelihood of future injury. It found the plaintiffs’ allegations that they suffered an increased risk of identity theft from the data breach was too speculative. The district court also found that the complaint had not alleged the theft of social security numbers or credit card numbers and that the plaintiffs had not demonstrated how identity theft could occur without this information.
The D.C. Circuit reversed the district court’s dismissal, concluding that the district court had given the complaint an “unduly narrow reading.” See Attias v. CareFirst (D.C. Cir. Aug. 1, 2017). The D.C. court began by examining the issue of whether the district court’s decision constituted a final order over which the appellate court had jurisdiction. Observing that “the district court in this case dismissed for lack of subject-matter jurisdiction without expressly inviting the plaintiffs to amend their complaint or giving some other equally clear signal that it intended the action to continue,” the D.C. Circuit held that the district court’s decision “ended the district court action, and was thus final and appealable.”
The D.C. Circuit then addressed the issue of whether the plaintiffs had satisfied the injury-in-fact requirement. Citing Spokeo v. Robins (2016), the D.C. Circuit explained that an injury in fact must be “concrete, particularized, and, . . . ‘actual or imminent,’ rather than speculative.” In examining whether the risk of future harm as alleged in this case was concrete and imminent enough to create Article III standing, the D.C. Circuit looked to Clapper v. Amnesty International USA (2013), where the plaintiffs had challenged a provision of the Foreign Intelligence Surveillance Act that permitted surveillance of foreign nationals outside the United States. The Clapper plaintiffs were not foreign nationals but argued that they had standing to challenge FISA because it was “an objectively reasonable likelihood” that their communications with overseas contacts would be intercepted (citing Clapper). The Supreme Court observed that “threatened injury must be certainly impending to constitute injury in fact,” but in some case standing could also be established “based on a ‘substantial risk’ that the harm [would] occur.” Noting that the Clapper plaintiffs’ argument rested on “a highly attenuated chain of possibilities,” the Supreme Court held that the injury that the plaintiffs feared was too “speculative” to qualify as an injury in fact (citing Clapper).
Turning to the complaint, the D.C. Circuit held that it had adequately alleged that social security numbers and credit card information were involved in the breach, citing the complaint’s allegations that CareFirst collected and stored “PII/PHI/Sensitive Information,” which included “credit card and social security numbers; that PII, PHI, and sensitive information were stolen in the breach; and that the data ‘accessed on Defendants’ servers’ place plaintiffs at a high risk of financial fraud.” The D.C. Circuit further held that, even if the complaint did not allege that social security numbers or credit card information was stolen, the complaint alleged sufficient facts to conclude that there was an increased risk of identity fraud because the loss of names, birth dates, email addresses and subscriber identification numbers in combination could lead to “a fraudster impersonat[ing] the victim and obtain[ing] medical services in her name.”
In discussing whether the theft of such personal information created a “substantial risk” that harm would occur, the D.C. Circuit observed that where “an unauthorized party accessed personally identifying data on CareFirst’s servers . . . [,] it is much less speculative – at the very least, it is plausible- to infer that this party has both the intent and the ability to use that data for ill.” Unlike the plaintiffs in Clapper whose alleged injury depended upon “a series of independent actors . . . exercis[ing] their independent judgment in a specific way,” the D.C. Circuit found that “[n]o long sequence of uncertain contingencies involving independent actors has to occur before the plaintiffs in this case will suffer any harm; a substantial risk of harm exists already, simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken.” Therefore, the D.C. Circuit held that the plaintiffs’ allegations that their personal information was stolen in the breach resulting in a heightened risk of identity theft established a concrete and imminent injury sufficient to confer standing.
In completing the standing analysis, the D.C. Circuit found that the plaintiff’s injury was “fairly traceable” to CareFirst’s failure to secure its customers’ data, noting that Article III did not require that the defendant be either the “most immediate cause, or even a proximate cause, of the plaintiffs’ injuries; it requires only that those injuries by ‘fairly traceable’ to defendant.” CareFirst. The D.C. Circuit also found that the plaintiffs’ injury was “likely to be redressed by a favorable judicial decision” as “[t]he fact that plaintiff[s] have reasonably spent money to protect themselves against a substantial risk [by acquiring identity theft protection and monitoring] creates the potential for them to be made whole by monetary damages.”
The implications of CareFirst are twofold. First, CareFirst expands the types of information that could give rise to an increased risk of identity fraud in data breach cases. Plaintiffs typically allege that the theft of social security numbers, payment card information or financial account information results in a heightened risk of identity theft. In CareFirst, however, the D.C. Circuit found that allegations that other categories of personally identifying information, such as names, birth dates, email addresses and subscriber identification numbers in combination could also lead to a heightened risk of identity theft and were sufficient to establish a concrete injury and Article III standing. In doing so, the D.C. Circuit may have opened the doors for plaintiffs to bring data breach actions involving non-traditional categories of personal information.
Second, the D.C. Circuit has weighed in on the ongoing circuit split concerning what allegations are sufficient to establish Article III standing in data breach class actions. Given the D.C. Circuit’s status as the second most influential court in the United States, CareFirst increases the likelihood that the Supreme Court will eventually take up the issue of what allegations are sufficient to establish standing in data breach cases and hopefully offer more definitive guidance. The D.C. Circuit has joined with the Sixth Circuit in Galaria v. Nationwide Mut. Insur. Co. (6th Cir. Sept. 12, 2016), and the Seventh Circuit in Remijas v. Neiman Marcus (7th Cir. 2015) and Lewert v. P.F. Chang’s China Bistro (7th Cir. 2016), in expanding standing at the pleading stage to bring data breach cases. These three circuits have held that allegations that the personal information of the plaintiffs was stolen resulting in an increased risk of future identity theft establish an injury in fact sufficient to satisfy Article III. In contrast, the Second Circuit in Whalen v. Michaels Stores (2d Cir. May 2, 2017) and the Fourth Circuit in Beck v. McDonald (4th Cir. 2017) have raised the pleading requirements for standing in data breach cases. Plaintiffs in the Second and Fourth circuits cannot simply rely on general allegations of increased risk of identity theft from stolen personal information to establish an injury in fact. Instead, they must allege actual injuries, such as successful fraud charges based on stolen personal information that creates liability, to survive a motion to dismiss for lack of standing. This circuit split is not likely to be resolved until and if the Supreme Court weighs in.