Last week, the D.C. Circuit joined an increasing number of federal courts applying a broad interpretation of the degree of harm required to satisfy Article III standing and expanding the holding of last summer’s Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016).
In Attias v. CareFirst Inc., No. 16-7108, 2017 U.S. App. LEXIS 13913 (D.C. Cir. Aug. 1, 2017), the Court of Appeals reversed the district court’s dismissal of a putative class action alleging injury stemming from a 2014 cyberattack on health insurer CareFirst. While the district court acknowledged that plaintiffs alleged a heightened risk of identity theft, it ultimately found this risk to fall short of the requirement that plaintiffs’ injury be “actual or imminent.”
Reversing the district court’s decision, the D.C. Circuit stated that the complaint contained two independent sets of allegations sufficient to pass muster under Article III standing. First, the complaint alleged that the breach had exposed customers’ social security and credit card numbers. Second, the customers also alleged that hackers stole members’ names, birthdates, email addresses, and subscriber identification numbers. The Court went on to say that this latter allegation “would make up, at the very least, a plausible allegation that plaintiffs face a substantial risk of identity fraud, even if their social security numbers were never exposed to the data thief.” Attias, 2017 U.S. App. LEXIS 13913 at *16.
The Attias Court creates a broader circuit split on Article III standing in the context of data breaches. The Third Circuit (see In re Horizon Healthcare Servs. Data Breach Litig., 2017 U.S. App. LEXIS 1019 (3d Cir. Jan. 20, 2017)), Sixth Circuit (see Galaria v. Nationwide Mut. Ins., 663 Fed. Appx. 384 (6th Cir. 2016)), and Seventh Circuit (see Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016); Remijas v. Neiman Marcus Grp., 794 F.3d 688 (7th Cir. 2015)) have all taken similar positions to the D.C. Circuit.
The Second Circuit (see Whalen v. Michaels Stores, Nos. 16-260, 16-352, 2017 U.S. App. LEXIS 7717 (2d Cir. May 2, 2017)) and Fourth Circuit (see Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017)) have rejected this potential future harm as failing to allege cognizable, impending injury.
The growing circuit split cautions the plaintiffs’ bar and companies alike to keep a watchful eye on the Supreme Court—it is only a matter of time before it weighs back in on the application of Spokeo in cybersecurity litigation.