As 2017 draws to a close, data breach class actions abound, while questions regarding what suffices for Article III standing in these cases remain—with litigants hoping the Supreme Court will soon weigh in.
Earlier this year, as previously reported, the D.C. Circuit decided Attias v. CareFirst, No. 16-7108 (Aug. 1, 2017), a putative class action filed after the health insurance company suffered a data breach that affected more than one million records. After the D.C. District Court dismissed the case for lack of standing, the D.C. Circuit reversed and joined the Sixth, Seventh, and Ninth Circuits in holding that fear of future identity theft sufficed for Article III standing. Earlier this month, CareFirst filed a petition for certiorari to the Supreme Court. Will the Supreme Court finally agree to hear the standing issue and resolve the circuit split? Stay tuned.
Meanwhile, the question of standing in data breach cases is again before the D.C. Circuit on appeal from the lower court’s decision in In re U.S. Office of Personnel Management Data Security Breach Litigation, Misc. Action No. 15-1394, MDL No. 2664 (Sept. 19, 2017), a consolidated multidistrict action by federal employees arising from the 2015 hacking of the U.S. Office of Personnel Management, which potentially exposed the names, birth dates, addresses, and social security numbers of more than 21 million people. The D.C. District Court dismissed, finding plaintiffs lacked Article III standing and the government had sovereign immunity from suit in any event. Distinguishing the D.C. Circuit’s Attias opinion, the district court explained that standing did not exist in the OPM breach – unlike cyberattacks against retailers and financial institutions – because the purpose of the breach was unclear and the nature of any resulting future harm was still unknown. Will the D.C. Circuit agree with this distinction?
In another highly-publicized case, a federal judge in Atlanta granted final approval to a $27.25 million settlement resolving claims by certain banking institutions against Home Depot following the 2014 data breach that allegedly compromised the credit and debit card information of 56 million customers. In that case, customers’ information was allegedly sold on the black market, leading to significant numbers of fraudulent transactions. The court also approved a payment of $15.3 million in attorneys’ fees, and Home Depot has agreed to implement new security measures; the fee award is currently on appeal to the Eleventh Circuit. The settlement payments are in addition to previously reported payments to settle consumer class claims and claims by various Visa and Mastercard providers.
As these companies dealt with ongoing litigation, another company’s problems were just beginning. Earlier this year, consumer credit agency Equifax was subject to one of the worst data breaches in history, which affected over 140 million people and exposed personal information including names, birth dates, addresses, and social security numbers. A multitude of class actions quickly began piling up around the country. Many of the lawsuits allege Equifax violated the Fair Credit Reporting Act, which requires companies to protect consumer information. Numerous litigants have petitioned the U.S. Judicial Panel on Multidistrict Litigation to consolidate the lawsuits in the Northern District of Georgia, where Equifax is headquartered and which handled the Home Depot data breach litigation. The Panel on Multidistrict Litigation will hear argument on the Equifax petitions on November 30.