D.C. Circuit Moves Data Breach Suit Forward

The U.S. Court of Appeals, D.C. Circuit issued a decidedly pro-consumer opinion recently in addressing what is required to establish standing for a data breach class action.

Seven customers filed suit against CareFirst, a health insurance company that provides service to roughly one million customers in the District of Columbia, Maryland and Virginia. When customers purchased a policy, they provided personal information to the company, including names, birth dates, email addresses, Social Security numbers and credit card information. CareFirst stored the data on its servers.

In January 2014, a hacker breached the system and accessed the personal information of CareFirst’s customers, leading the plaintiffs to file a class action lawsuit. They alleged that CareFirst negligently failed to protect customer data, resulting in a heightened risk of identity theft.

CareFirst moved to dismiss, arguing that the plaintiffs lacked standing because they had neither a present injury nor a high enough likelihood of future injury. A federal district court agreed, finding the plaintiffs’ theory of harm too speculative.

The plaintiffs appealed, and the federal appellate panel reversed.

“Nobody doubts that identity theft, should it befall one of these plaintiffs, would constitute a concrete and particularized injury,” the court wrote. “The remaining question, then, keeping in mind the light burden of proof the plaintiffs bear at the pleading stage, is whether the complaint plausibly alleges that the plaintiffs now face a substantial risk of identity theft as a result of CareFirst’s alleged negligence in the data breach.”

Answering the question in the affirmative, the court emphasized that the plaintiffs’ complaint specified all the forms of personal information that were accessed by the hackers, including Social Security numbers. “CareFirst does not seriously dispute that plaintiffs would face a substantial risk of identity theft if their Social Security and credit card numbers were accessed by a network intruder, and, drawing on ‘experience and common sense,’ we agree,” the panel said.

Citing a decision by the U.S. Court of Appeals, Seventh Circuit in support of its finding that the alleged risk to the plaintiffs is “substantial,” the court found it at the very least plausible to infer the hacker had both the intent and the ability to use the data “for ill.”

“No long sequence of uncertain contingencies involving multiple independent actors has to occur before the plaintiffs in this case will suffer any harm; a substantial risk of harm exists already, simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken,” the court said. “That risk … satisfies the requirement of an injury in fact.”

To read the opinion in Attias v. CareFirst Inc., click here.

Why it matters: While the case was still in the pleading stages, consumers can find a lot to like in the D.C. Circuit’s opinion, particularly the panel’s conclusion that a substantial risk of harm existed “simply by virtue of the hack and the nature of the data the plaintiffs allege was taken.”