While a war rages on the issue of standing in data breach cases, the need to prove damages is presenting an even greater hurdle for plaintiffs, as we have noted previously. One clear illustration of this trend is Attias v. CareFirst, Inc., a case that involves both standing and damages issues.
Attias arises from a data breach at a health insurer that allegedly compromised policyholder information. The defense began by moving to dismiss for lack of standing, and the district court granted the motion. But the D.C. Circuit reversed, finding that the plaintiffs had adequately alleged a “substantial risk” of injury. (We watched the certiorari petition to see if the Supreme Court would address the “substantial risk” standard, but the petition was denied.)
On remand, the defense strategy shifted. Instead of arguing that the federal court lacked jurisdiction over the dispute, the defense focused on the elements of the plaintiffs’ claims —specifically, the damages element. That element was required for all the alleged claims (breach of contract, negligence, fraud, and breach of duty of confidentiality), as well as the Maryland, Virginia, and D.C. statutory claims asserted by different plaintiffs.
Plaintiffs responded with four theories of actual damage: (1) actual misuse, (2) “benefit of the bargain” damages, (3) mitigation damages, and (4) emotional distress. The court found that only actual misuse could satisfy the damages requirement. Plaintiffs’ allegations relating to the benefit of the bargain were too conclusory to support a claim, and the alleged mitigation efforts undertaken by plaintiffs were purely preventative rather than responsive to any actual harm suffered. The claim for emotional distress was likewise too speculative, in the district court’s eyes, to be actionable. Because of these rulings, the claims of all but two plaintiffs were dismissed. The two remaining plaintiffs both alleged actual identity theft.
Attias also addresses several other hot-button issues in data breach class actions. It analyzes D.C.’s form of the economic loss doctrine and concludes that the parties’ contractual relationship (as insurer/insured) barred tort claims that did not arise from duties independent of the parties’ contract. The court then concluded that the insurer did not owe a freestanding duty to protect insured information independent of the insurer’s contractual promises. It also found that no common-law duty to protect information applied and rejected the plaintiffs’ request to find a special or fiduciary relationship between insurer and insured.
Plaintiffs thus went away largely empty-handed. While two plaintiffs had claims survive, most claims were dismissed. Moreover, and more importantly, the door to class certification is all but closed. A class would have to include members who suffered actual damages, and such a showing is almost certain to require individualized proof of both causation and damages. Assuming a class could be certified over these problems, it would be far smaller than the class of all insureds whose data was affected by the breach.
The district court’s second dismissal is up on appeal again, but Attias remains instructive. Defendants should realize the power of damages issues in data breach class actions. Focusing on damages may be a shorter path to victory than arguing standing — with a lesser risk of getting stuck in a state-court forum to boot. A strategy that challenges plaintiffs to articulate how a particular breach affected them and the class can also serve the defense’s aims even if an early dismissal is not the result: Focusing on the elements of claims often narrows the case and highlights the kind of evidentiary issues that can make class certification impossible. Focusing on damages, both at the pleading stage, through discovery and in motion practice, can pay decided dividends, particularly in cases where damages are frequently evanescent for many in the putative class (e.g., consumer data breach and statutory violation claims), and in cases where damages are likely to be highly variable.