On August 1, 2017, the U.S. Court of Appeals for the D.C. Circuit revived a data breach class action that was dismissed for lack of standing, holding that the district court improperly applied the Article III injury-in-fact standing requirement articulated by the U.S. Supreme Court in Clapper v. Amnesty Int’l USA, 568 U.S. 398 (2013). The Attias v. CareFirst, Inc. decision places the D.C. Circuit on one side of a widening circuit split over the issue of whether individuals whose sensitive personal information is lost, stolen, or otherwise compromised as a result of a data breach can satisfy the Article III injury requirement based solely on allegations of risk of potential future injury, such as the possibility of future identity theft.

The Attias case stems from a 2014 data breach by unknown hackers who infiltrated 22 CareFirst computers, compromising the unencrypted, sensitive, personal information of more than one million CareFirst policyholders in the District of Columbia, Maryland, and Virginia. CareFirst discovered the data breach in April 2015, and notified its customers of the breach in May 2015. At that time, CareFirst offered its customers two years of free credit monitoring and identity theft protection to mitigate the risk of future identity theft or other issues.

Shortly thereafter, seven individuals filed a putative class action on behalf of all policyholders from D.C. , Maryland, and Virginia against CareFirst, alleging various state law claims relating to the hack of the CareFirst computers. According to the D.C. Circuit, the complaint alleged that the hack exposed the plaintiffs’ names, birthdates, email addresses, social security numbers, and credit card information. As to injury, the circuit court, citing the complaint, found that the plaintiffs alleged that the cyber-attack allowed access to sensitive information that could be used in the future by identity thieves to “‘open new financial account[s], incur charges in another person’s name,’ and commit various other financial misdeeds. ”  The D.C. Circuit held that such allegations were sufficient to establish Article III standing.

The district court had dismissed the complaint at the pleading stage for lack of constitutional standing, holding that the plaintiffs’ alleged injury—increased risk of identity theft—was insufficient. The district court found that the future harm alleged was not sufficiently concrete and particularized, but rather was too speculative to satisfy constitutional standing and the standard set forth in Clapper. In reversing the dismissal, the D.C. Circuit held that the plaintiffs’ allegation of potential future injury was sufficient for Article III standing, relying in part on its conclusion that the district court misunderstood the allegations of injury contained in the complaint when it found that the complaint did not assert exposure of the plaintiffs’ credit card and social security numbers. Citing the Supreme Court’s opinion in Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016), the circuit court further held that the plaintiffs’ alleged injury was “fairly traceable” to the defendant’s actions and that it was “likely to be redressed” by the relief sought.

The circuit court left open the question of whether the complaint fails to state a claim for which relief can be granted under Federal Rule of Civil Procedure 12(b)(6), as well as the antecedent question of “whether plaintiffs properly invoked the district court’s diversity jurisdiction under 28 U.S.C. § 1332,” finding it inappropriate to “reach beyond the standing question. ”

As noted, the D.C. Circuit’s decision places it on one side of a growing circuit split regarding the sufficiency of allegations of potential future injury to satisfy constitutional standing requirements. The Sixth, Seventh, and Ninth Circuits have held that such injury is sufficient for standing. The Second and Fourth Circuits have held to the contrary. The Eighth Circuit heard argument in May of 2017 in Alleruzzo v. Supervalu, No. 16-2378/16-2528. Arguably, the Fourth Circuit’s decision in Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), cert. denied sub. nom. Beck v. Shulkin, 137 S. Ct. 2307 (2017), can be distinguished factually, and in such a way that could be significant to the court’s ultimate conclusion on standing. The D.C. Circuit, quoting the Seventh Circuit’s decision in Remijas v. Neiman Marcus Group, 794 F.3d 688, 698 (7th Cir. 2015), queried: “‘Why else would hackers break into a . . . database and steal consumers’ private information?’  Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumer’s identities. ”  In Beck, however, patient and consumer information was not compromised by a hack of a system or database, but was compromised when a laptop computer was stolen or misplaced. Both cases, however, involved databases containing sensitive information that lacked certain data security measures, such as encryption. We previously reported on the Fourth Circuit’s decision in Beck here.

The D.C. Circuit’s decision could significantly impact future data breach litigation. After the Supreme Court’s opinion in Spokeo, the lower courts have struggled to consistently define what constitutes a “concrete and particularized” injury for purposes of constitutional standing in data breach and privacy litigation. Arguably, the Attias case strengthens a data breach plaintiff’s likely argument that potential future injury, standing alone, can qualify as concrete and particularized injury-in-fact, particularly as it relates to intentional hacking by third parties of systems or database containing unencrypted, sensitive consumer information.

A copy of the D.C. Circuit’s opinion can be found here.