We have previously reported on the evolving circuit split over standing in data breach class actions. On August 1st, a three judge panel for the District of Columbia Circuit became the latest to weigh in on the issue. In Attias v. CareFirst, the DC Circuit panel joined the Sixth, Seventh, and Ninth Circuits in finding that fear of future identity theft in the wake of a data breach satisfied the injury in fact requirement for standing under Article III of the United States Constitution. Reversing the lower court, the panel described plaintiffs’ burden to establish standing at the pleading stage as a “low bar,” and criticized the lower court for adopting an “unduly narrow reading” of plaintiffs’ complaint. Citing the Supreme Court’s decision on standing in Susan B. Anthony List v. Driehaus, the panel stated that plaintiffs need only allege a “substantial risk” of identity theft as a result of a data breach; the panel found this requirement met where the personal information allegedly stored by defendant – and potentially compromised in the breach – purportedly included social security numbers and / or insurance subscriber numbers. The panel declined to address whether plaintiffs independently satisfied Article III’s standing requirement based on allegations of past identity theft as a result of the breach, and also declined to address the question of whether the defendant’s alleged violation of state consumer protection statutes was in itself sufficient to meet the standing hurdle. Although plaintiffs won the standing battle, their case remains vulnerable to dismissal on other jurisdictional grounds and on the merits. The panel remanded the case to the lower court to determine whether the requirements for diversity jurisdiction under 28 U.S.C. § 1332 and the Class Action Fairness Act were met, and, if so, whether the case survived defendant insurers’ motion to dismiss for failure to state a claim.
Given the current circuit split over standing in data breach cases, plaintiffs’ choice of forum can make or break their case. For example, the Attias plaintiffs sought to represent a putative class of District of Columbia, Maryland, and Virginia insureds. Had the lawsuit been brought in federal district courts in neighboring Maryland or Virginia, the result would likely have been different. Indeed, a Maryland federal district court previously dismissed putative data breach class action claims against the same insurer defendants for lack of standing. And the Fourth Circuit has since joined circuits finding that the alleged enhanced risk of future identity theft in the wake of a data breach case is “too speculative” to satisfy Article III’s standing requirement. The Fourth Circuit reasoned that the “substantial risk” requirement for standing was not met where the majority of those whose information was stolen in the VA hospital data breach would not suffer identity theft; the court further emphasized that a defendant’s mere offering of credit monitoring services or plaintiffs’ alleged expenditure of resources to avoid identity theft were insufficient to establish standing. On June 26th, the Supreme Court denied a petition for writ of certiorari to review the Fourth Circuit’s ruling. Query whether the defendant in Attias will also seek Supreme Court review to resolve the circuit split. Should the Court choose to address the issue, we’ll be watching to see if Justice Gorsuch – portrayed as a conservative in the mold of Justice Scalia – shares the views of his predecessor on issues central to class action jurisprudence.
Attias v. CareFirst, No. 16-7108 (Aug. 1, 2017).