On August 1, 2017, the D.C. Circuit handed down its decision in the data breach class action Attias v. CareFirst. In doing so, it became the latest federal appellate court to recognize that individual victims of a breach have standing to bring claims based on the risk of future harm that they may suffer. Importantly, in reaching this conclusion, the three-judge panel unanimously emphasized that the breach—which compromised plaintiffs’ social security and credit card numbers—could create a “substantial risk” of injury, thereby determining that the plaintiffs could proceed with their case beyond the pleading stage. By overturning a lower court decision to dismiss the case and allowing the plaintiffs to proceed with their claims, CareFirst builds on multi-circuit precedent establishing the viability of civil suits stemming from data breaches. Companies should be aware of this precedent and prepare themselves as a growing number of courts demonstrate a willingness to open the door to civil liability following a cyber incident.