Guest Commentary by David T. Cohen, Counsel at Ropes & Gray LLP in its New York, NY office.
Article III of the U.S. Constitution requires all private litigants in federal court to establish “standing,” that is, to show that they are proper litigants to raise the defendant’s alleged legal violations with the court. To have standing, a plaintiff must face an actual or sufficiently imminent future injury from the legal violation. Several recent federal appellate decisions have grappled with the issue of when, if ever, a plaintiff whose personal information was compromised in a data breach—but who has suffered no actual harm from that compromise—faces a sufficiently imminent future harm to have Article III standing.
One such recent case stands out from the pack, both because it hails from the particularly prominent U.S. Court of Appeals for the D.C. Circuit, and because it is the subject of a forthcoming petition for a writ of certiorari, setting the stage for what could become the first-ever ruling by the U.S. Supreme Court on the issue in a data breach matter.
That case is Attias v. CareFirst, Inc., where a three-judge panel of the D.C. Circuit held that consumer plaintiffs whose social security numbers, payment card numbers, and medical information were allegedly stolen from the network of health insurer CareFirst, Inc. faced a sufficient risk of harm to establish standing at the motion-to-dismiss stage. Companies that collect personal information should closely monitor this case, as it could have a significant impact on their liability exposure in the wake of a breach.
Standing in Federal Court Based on Future Harm
A private plaintiff seeking to invoke the jurisdiction of the federal courts must satisfy the standing requirements of Article III, which require that a plaintiff allege and ultimately prove, among other things, an “injury in fact.” As explained in prior Supreme Court decisions such as Lujan v. Defenders of Wildlife, to show an injury in fact, a plaintiff must demonstrate an injury that is “(a) concrete and particularized” and “(b) actual or imminent, not conjectural or hypothetical.” 504 U.S. 555, 560 (1992). Constitutional standing also requires the plaintiff to show “traceability,” i.e., a causal connection between the injury alleged and the conduct complained of, as well as “redressability,” i.e., that a judicial decision would redress his or her injury. Ibid.
In Clapper v. Amnesty International, the Supreme Court held that where a plaintiff contends that harm is imminent but has not yet occurred, the harm must be “certainly impending” in order to constitute an injury in fact. 568 U.S. 398, 410 (2013). In limited circumstances, the Court has also found standing based on a “substantial risk” of harm, but without definitively stating whether the “substantial risk” standard is distinct from the “certainly impending” standard. See id. at 414 n.5; Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334, 2341 (2014).
But regardless of the standard used, the Court has made crystal clear that a “speculative chain of possibilities” or “speculation about the decisions of independent actors” not before the Court will not give rise to standing. Clapper, 568 U.S. at 409, 414 & n.5. Thus, in Clapper, the Court denied standing to several attorneys and human rights, labor, legal, and media organizations who claimed their communications with foreign intelligence targets might be intercepted by the government under a portion of the Foreign Intelligence Surveillance Act of 1978, 50 U.S.C. §1881a.
The interception would only have occurred if the government actually decided to target plaintiffs’ non-U.S. contacts, did so under §1881a, obtained approval from a special court, succeeded in intercepting the communications, and plaintiffs were parties to those particular communications. This, the Court held, was the quintessential “speculative chain of possibilities” that cannot give a plaintiff standing. And plaintiffs’ theory impermissibly rested on “speculation about the decisions of independent actors,” such as the special court.
In the context of data breaches, lower courts have reached differing conclusions as to whether the risk of fraud or identity theft from a breach created a sufficiently imminent injury for standing purposes.* CareFirst merits special attention because it hails from the U.S. Court of Appeals for the D.C. Circuit and is the subject of a forthcoming petition for a writ of certiorari to the Supreme Court.
The CareFirst Decision
CareFirst and its subsidiaries (“CareFirst”) are a group of health insurance companies that collect personal information from their customers, including names, birthdates, email addresses, social security numbers, and credit card information. They then assign each customer a subscriber identification number. According to the D.C. Circuit, in June 2014, an unknown intruder allegedly hacked into CareFirst’s computer network and stole this information. Seven customers whose data was allegedly stolen then brought a putative class action against CareFirst, alleging eleven different state-law causes of action, including breach of contract, negligence, and violation of various state consumer-protection statutes.
The U.S. District Court for the District of Columbia dismissed the suit for lack of standing, holding that the plaintiffs had alleged neither a present injury nor a high enough likelihood of future injury. The plaintiffs then appealed to the D.C. Circuit.
The D.C. Circuit panel reversed the District Court, holding that plaintiffs pled a risk of future harm that was sufficient to give them standing. According to the panel, the complaint sufficiently alleged that the plaintiffs “face a substantial risk of identity theft as a result of CareFirst’s alleged negligence in the data breach,” and that they therefore sufficiently pled an injury in fact. “Why else,” the court asked, “would hackers break into a database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.” Slip op. at 14 (quoting Neiman Marcus, 794 F.3d at 693).
Thus, the court concluded that a substantial risk of harm exists “simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken.” The court further held that plaintiffs met Article III’s “traceability” requirement because this heightened risk of harm was causally attributable to CareFirst’s allegedly inadequate data-security practices, and that they met the “redressability” requirement because a judicial decision could compensate them for costs they incurred in responding to the breach.
Shortly after the decision, CareFirst moved to stay the court’s mandate pending CareFirst’s forthcoming petition to the Supreme Court for a writ of certiorari. The panel granted the motion on September 6, 2017.
The CareFirst litigation merits close attention from companies that collect personal information, because, if left in place, the D.C. Circuit’s decision would open the courthouse door in many instances to claims against companies that have suffered data-security breaches. As noted, however, CareFirst plans to file a petition for a writ of certiorari to the Supreme Court.
The panel decision is vulnerable to reversal in the Supreme Court because it runs afoul of the bedrock principle, confirmed in Clapper, that Article III standing cannot be premised on a “speculative chain of possibilities” or “speculation about the decisions of independent actors” not before the court. Just as the possible approval of surveillance by the third-party special court in Clapper was too unpredictable to allow standing, the actions of a third-party hacker or other criminal are likewise unpredictable.
Even if he has the ability to commit fraud, which is not always the case, he may not have the intent to commit fraud, for any number of reasons. In fact, hackers’ avowed purpose often is not to commit identity theft or harm consumers, but rather to embarrass or harm the hacked corporation, steal trade secrets, or make a political statement.
What is more, it is typically not the hacker himself who misuses stolen data—instead any misuse is committed by downstream criminals who must first purchase the data on the black market. Thus, only if third parties become aware of the stolen information, and if they reveal their interest in it, and if they actually take steps to acquire and use the information to plaintiffs’ detriment, and if they are successful in doing so, and if plaintiffs suffer actual damage from the misuse, then and only then will plaintiffs suffer any injury from the breach. There are just as many “ifs” in this scenario as there were in Clapper.
Moreover, even if plaintiffs adequately plead that harm from purportedly stolen data is sufficiently likely, they must also plead that the harm is “imminent,” i.e., it will occur immediately, if at all. See, e.g., Lujan, 504 U.S. at 560 (injury must be “actual or imminent”); In re Zappos.com, 108 F. Supp. 3d 949, 959 (D. Nev. 2015) (future harm from data breach must be “immediate” to create standing). The CareFirst panel decision made no effort to evaluate when any misuse of plaintiffs’ data might occur. In fact, any misuse might not happen for many years, if at all.
The Supreme Court should take the case and reverse the D.C. Circuit’s decision. The panel’s agreement to stay its own mandate pending the certiorari petition suggests it recognizes the risk of reversal, as obtaining such a stay required that CareFirst present a “substantial question.” In the meantime, however, CareFirst is the law of the D.C. Circuit, and companies that collect personal information should take notice.
*Compare, e.g., Attias v. CareFirst, Inc., No. 16-7108, slip op. at 9 (D.C. Cir. Aug. 1, 2017) (standing conferred); Galaria v. Nationwide Mut. Ins., 663 F. App’x 384, 387–90 (6th Cir. 2016) (standing conferred); Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963, 966–69 (7th Cir. 2016) (standing conferred); Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 692–93 (7th Cir. 2015) (standing conferred); with In re Supervalu, Inc., 870 F.3d 763, 769–72 (8th Cir. 2017) (standing denied); Whalen v. Michaels Stores, Inc., No. 16-260 (L), 2017 WL 1556116, at *1–2 (2d Cir. May 2, 2017) (Summ. Order) (standing denied); Beck v. McDonald, 848 F.3d 262, 273–76 (4th Cir. 2017) (standing denied); Reilly v. Ceridian, 664 F.3d 38, 41–46 (3d Cir. 2011) (standing denied).