Data breach attorneys and legal observers are eagerly awaiting clarity from the Supreme Court as to whether victims of data breaches have standing to sue in federal court. It seems they will have to keep waiting for now.
On February 20, the Court denied a petition for certiorari in CareFirst v. Attias. A ruling in the case would have had far-reaching implications for data breach cases.
In June 2014, hackers gained access to computer databases belonging to CareFirst, a health insurance provider.
They allegedly accessed customer records including identifying information that could be used to open new accounts such as credit cards or loans.
CareFirst customers filed suit in a class action, claiming the increased risk of identity theft they suffered constituted injury-in-fact. A Washington, D.C. district court ruled the plaintiffs lacked legal standing “[a]bsent facts demonstrating a substantial risk that stolen data has been or will be used in a harmful manner.”
The D.C. Court of Appeals sided with the plaintiffs and reversed the ruling, teeing up CareFirst’s unsuccessful petition to the Supreme Court.
Article Three of the U.S. Constitution, which establishes the judicial branch of the federal government, defines the scope of lawsuits eligible to be heard in federal court as a check on the power of the judiciary. In order to establish legal standing, the plaintiff must show: (1) actual, not hypothetical, injury-in-fact, (2) causation of the injury by the defendant’s action, and (3) likelihood that a favorable court decision will redress the injury.
The second and third requirements are trivial for data breach plaintiffs: data breaches clearly can and do cause injury, and a monetary award to plaintiffs will remedy any financial injuries to the plaintiffs.
It is the first requirement that is tricky in these cases.
Data breaches are uniquely insidious. Vast amounts of personal information can be stolen in minutes. But the thieves, or the people to whom the thieves sell the stolen information, can wait months or years to attempt to use that information to commit identity theft. Or they could decide to do nothing with it, or even lose the data to a hard drive crash. Victims are left in the dark, waiting for and worrying about identity theft that may never happen. The psychological toll is significant. But whether data breaches amount to actual injury is another question.
Federal appeals courts have established differing precedents for whether risk of future injury constitutes injury-in-fact:
- Beck v. McDonald, No. 15-1395 (4th Cir. 2017). Veterans sued VA officials after a laptop and medical records went missing at a VA hospital. The Fourth Circuit ruled a district court was right to dismiss the case for lack of standing. The court noted, “[o]ur sister circuits are divided on whether a plaintiff may establish an Article III injury-in-fact based on an increased risk of future identity theft.”
- Alleruzzo v. SuperValu, Inc., No. 16-2378 (8th Cir. 2017). Hackers accessed credit card information from a grocery store. Various plaintiffs filed suit with various arguments, but only one customer suffered actual fraudulent charges. The Eighth Circuit Court of Appeals ruled a district court was right to dismiss the case.
- Remijas v. Neiman Marcus, 794 F.3d 688 (7th Cir. 2015). The Seventh Circuit found that “the Neiman Marcus customers should not have to wait until hackers commit identity theft or credit-card fraud in order to give the class standing, because there is an ‘objectively reasonable likelihood’ that such an injury will occur.”
- Clapper v. Amnesty International USA, 568 U.S. 398, 409 (2013). This was the last time the Supreme Court weighed in on risk of future injury. The plaintiffs challenged a 2008 law expanding the surveillance of suspected foreign agents. They claimed the greater cost and effort required to securely communicate with clients who may have been targeted constituted injury. The Court disagreed in a 5-4 split, with Justice Alito writing for the majority: “Respondents cannot manufacture standing merely by inflicting harm on themselves based on their fears of hypothetical future harm that is not certainly impending.”
The D.C. Circuit Court’s ruling will make it easier for plaintiffs to make their case in that circuit. Elsewhere, plaintiffs will surely ask other federal courts to consider the precedent as they decide similar issues in their own circuits. But establishing standing will continue to be a tough hurdle to clear for many data breach plaintiffs.