Are you “injured” when hackers steal your private data – even if they haven’t used the data to steal your identity yet?  Can you pursue legal action against the company to whom you entrusted your data, if it failed to adequately safeguard the data from theft?

The answers are “yes” and “yes” according to the Court of Appeals for the D.C. Circuit’s recent reversal in Chantal Attias, et al. v. CareFirst, Inc., et al., at least under the facts as alleged in that case.

CareFirst Cyberattack Suit

In 2014, health insurer CareFirst BlueCross BlueShield suffered a cyberattack, resulting in an alleged theft of its customers’ personal information.  Several CareFirst customers filed suit, claiming that the breach was the result of CareFirst’s carelessness.  The district court dismissed the case for lack of standing, concluding that the alleged injury was not “actual or imminent.”

Last week, the Court of Appeals reversed.

Standing to Sue

The core issue on appeal was whether the plaintiffs have “standing” to bring the case.  To show standing, a plaintiff must have suffered an “injury in fact” that is “fairly traceable” to the defendant’s conduct, and that is “likely to be redressed” by the relief sought by the plaintiff. Attias v. Carefirst, Inc., 2017 WL 3254941, at *3 (D.C. Cir. Aug. 1, 2017) (citations omitted).  Moreover, the injury must be concrete, particularized and – “most importantly” for the plaintiffs in CareFirst – the injury must be “‘actual and imminent’ rather than speculative.”  Id. at *4.

Actual and Imminent vs. Speculative

So, how should you describe the harm when your private information is stolen?  Is it “actual and imminent” or “speculative”?  The CareFirst plaintiffs alleged that the data breach “exposed them to a heightened risk of identity theft.”  Id. at *4.  Certainly, having one’s identity stolen would be sufficient harm.  As the Court of Appeals noted: “Nobody doubts that identity theft, should it befall one of these plaintiffs, would constitute a concrete and particularized injury.” Id. at *5.

But the CareFirst class was not relying on allegations that identity theft had already befallen them.  That is why the standing issues discussed in CareFirst are so critical to consumer privacy rights and future data breach cases.  A data breach happens.  The theft of information is real.  Must a plaintiff wait until his or her credit rating is decimated before having the right to file suit?  Must a breach manifest itself – in the form of stolen funds, or a compromised bank account, or other tangible consequences of identity theft – before a company is compelled to defend allegations that it failed to safeguard the private information entrusted to it?

Enough Risk

Ultimately, the issue in CareFirst boiled down to a simple question: What is the risk that the CareFirst hackers could steal the plaintiffs’ identities?

The Court of Appeals rejected the district court’s answer to this question, in part because the district court had rested its decision on “an incorrect premise: that the complaint did not allege the theft of social security or credit card numbers in the data breach.”  Id. at *5.

But not only had the hackers allegedly taken social security and credit card numbers, there was also the reality that . . . they were hackers!  The Court found it plausible to infer that a hacker “has both the intent and the ability to use that data for ill.” Id. at *6. Echoing a question raised by the Seventh Circuit in another data breach case, the Court of Appeals asked:

“Why else would hackers break into a . . . database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”  See Remijas v. Neiman Marcus Grp., 794 F.3d 688, 693 (7th Cir. 2015).  No long sequence of uncertain contingencies involving multiple independent actors has to occur before the plaintiffs in this case will suffer any harm; a substantial risk of harm exists already, simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken.

Id.  Accordingly, the Court of Appeals reversed the district court’s order dismissing the case for lack of standing, and remanded the case to the district court for further proceedings.

Key Points

  • Dismissal reversed.  Plaintiffs have adequately alleged a substantial risk of injury resulting from the stolen information, which allegedly included social security and credit card numbers.
  • The alleged injury also met the other requirements for standing, that the injury was “fairly traceable” to defendant’s conduct and that the injury was “likely to be redressed by a favorable judicial decision.”
  • Plaintiffs have only “cleared the low bar to establish their standing at the pleading stage,” where all factual allegations are presumed to be true. The burden on plaintiff “grows as the litigation progresses.”

This article is for information purposes only.  It does not contain, and is not intended as, legal advice. If you have a legal issue, consult an attorney, who can advise you based on your specific facts and circumstances.  That’s really important.

*Disclosure: National Consumers League, which submitted an amicus curiae brief in support of appellants in CareFirst, is a former client of mine, when I was at a prior firm.

9.1Richard M Volin