A recent federal appellate decision suggests that it might be getting easier for cyberattack plaintiffs to establish standing in a manner sufficient to survive a motion to dismiss. According to the U.S. Court of Appeals for the District of Columbia Circuit, people whose personal information was compromised in a cyberattack have standing to sue so long as they allege that a data breach traceable to the target company’s negligence exposed them to a substantial risk of identity theft, and they reasonably spent money to protect themselves in the wake of the attack. The case is Attias v. CareFirst, Inc., decided on August 1, 2017.
In so holding, the Court of Appeals reversed the district court’s dismissal of the action, admonishing the lower court for giving “the complaint an unduly narrow reading.” Both decisions turned on whether the plaintiffs had alleged that their social security or credit card numbers had been stolen. The lower court concluded that the plaintiffs did not demonstrate a sufficiently substantial risk of harm, and therefore lacked standing, because they had “not suggested, let alone demonstrated how the CareFirst hackers could steal their identities without access to their social security or credit card numbers.”
The Court of Appeals took issue with this approach, because it presumed that the plaintiffs did not allege that this information had been stolen. However, the court noted, the complaint alleged that “PII/PHI/Sensitive Information” had been taken, and included in the definition of that term “patient credit card … and social security numbers.” Further, the complaint alleged that identity thieves could use the information accessed in the attack to “open new financial account[s] [and] incur charges in another person’s name.” At the motion dismiss stage, this combination of allegations is sufficient to establish a substantial risk of future harm, the court held.
A distinguishing feature of cyberattack cases, the court noted, is that an unauthorized party has already accessed another person’s information. In this circumstance, “it is much less speculative – at the very least, it is plausible – to infer that this party has both the intent and the ability to use that data for ill,” the court reasoned.
Having found that the plaintiffs had sufficiently alleged an “injury in fact” to establish standing, the Court of Appeals then addressed the second prong in the standing analysis: whether the injury could be fairly traceable to the alleged conduct of the defendant. CareFirst argued that this prong was not met, because there was no allegation that the attacker was affiliated with the company. But such a direct connection is not required, the Court of Appeals concluded. Rather, the plaintiffs’ allegations that CareFirst’s failure to properly secure their data creates enough of a link to the injury to satisfy the “fairly traceable” standard.
Finally, the court made short work of finding that the plaintiffs had satisfied the final requirement for standing – that the harm they suffered was “likely to be redressed by a favorable judicial decision” – by alleging that they had reasonably spent money to protect themselves against the potential for identity theft. This money could be recovered through an award of money damages, thereby meeting the third prong of the standing analysis.
In conclusion, Attias v. CareFirst carries three main takeaways for cyberattack litigants on the question of standing: (1) some courts will take a broad reading of complaint allegations at the motion to dismiss stage, and may infer from the cyberattack itself an intent harm to the victims; (2) the hacker need not be affiliated with the target company for the plaintiffs’ alleged harm to be traced back to that company; and (3) if the plaintiffs reasonably incurred costs to protect themselves from identity theft in the wake of the attack, they will, at least in some jurisdictions, satisfy prong three of the standing analysis.
