Late last month, the Supreme Court declined to review the D.C. Circuit’s decision in CareFirst v Attias. In CareFirst, the D.C. Circuit ruled that the mere theft of personal information was sufficient to provide standing to bring suit, even in the absence of other alleged harm. As we have previously discussed, the federal Courts of Appeals have reached differing conclusions on the issue—with the D.C., Third, Sixth, Seventh, Ninth, and Eleventh Circuits[1] holding that data theft, with the attendant risk of future identify theft fraud, is by itself sufficient for Article III standing, and the Second, Fourth, and Eighth Circuits[2] holding, in contrast, that such allegations are not sufficient on their own to satisfy Article III’s injury requirements.
This Circuit split has largely developed following the Supreme Court’s May 2016 decision in Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016), which held that Article III requires plaintiffs to allege a “concrete and particularized” injury that is “actual or imminent, not conjectural or hypothetical.” In Spokeo, the Ninth Circuit originally found standing was present for a plaintiff claiming Fair Credit Reporting Act violations based on alleged inaccuracies contained in an online profile published by Spokeo, but the Supreme Court vacated and remanded for the Ninth Circuit to analyze whether the alleged harms met the standards set forth in its opinion. On remand, the Ninth Circuit again found standing for the plaintiff even under the new Spokeo standards. Spokeo once again sought the Supreme Court’s review, but its certiorari petition was denied earlier this year.
For now, it appears that the Supreme Court is hesitant to wade back into Article III standing requirements having recently decided Spokeo. As a result, data breach plaintiffs will likely attempt to steer their cases, to the extent possible, toward Circuits with more hospital interpretations of Spokeo. Potential defendants should keep this in mind when considering the litigation risk following a data breach or other cybersecurity incidents.
[1] Attias v. Carefirst, Inc., 865 F.3d 620 (D.C. Cir. 2017), cert. denied Carefirst v. Attias, No. 17-641 (2017); In re: Horizon Healthcare Services Inc. Data Breach Litigation, 846 F.3d 625 (3rd Cir. 2017); Galaria v. Nationwide Mut. Ins. Co., 2016 WL 4728027 (6th Cir. Sept. 12, 2016); Remijas v. Neiman Marcus Grp., 794 F.3d 688, 693 (7th Cir. 2015); Spokeo v Robins, 867 F.3d 1108 (9th Cir. 2017); Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012).
[2] Whalen v. Michaels Stores, Inc., 689 Fed. Appx. 89, 2017 WL 1556116 (2d Cir. May 2, 2017); Beck v. McDonald, 848 F.3d 262, 268 (4th Cir. 2017), cert. denied sub nom. Beck v. Shulkin, No. 16-1328, 2017 WL 1740442 (U.S. June 26, 2017); In re SuperValu, Inc., 870 F.3d 763 (8th Cir. 2017).