Plaintiff Class Gets Its Foot in the Courthouse Door in Data Breach Lawsuit
Data breach is today's hot button issue. And it just got hotter. On the heels of major data breaches at Equifax and Uber, the U.S. Supreme Court is confronted with the question of whether it will resolve a threshold issue in all data breach class actions—was the plaintiff class actually injured?
February 14, 2018 at 10:12 AM
4 minute read
Data breach is today's hot button issue. And it just got hotter. On the heels of major data breaches at Equifax and Uber, the U.S. Supreme Court is confronted with the question of whether it will resolve a threshold issue in all data breach class actions—was the plaintiff class actually injured?
In Attias v. CareFirst, the U.S. Court of Appeals for the D.C. Circuit Court reversed a D.C. district court and allowed the plaintiff class to survive Article III standing by holding that a substantial likelihood of identity theft suffices as injury-in-fact in the data breach context. For the plaintiff class in Attias, the courthouse door is open and their foot is in. But Carefirst has filed a petition for writ of cert, potentially leaving it up to the Supremes to decide whether the door remains open.
In June 2014, CareFirst, a health insurance provider, fell prey to cyber intruders who breached its computer system and gained access to customers' personal information including, allegedly, identifying data that can be used to open new financial accounts and incur charges in another person's name. The customers, whose personal information was accessed, filed suit, citing as their injury-in-fact a heightened risk of identity theft.
In analyzing the customers' alleged injury, the D.C. Circuit Court looked to U.S. Supreme Court precedent addressing unrealized injury—a future risk of harm—as injury-in-fact sufficient to confer Article III standing. In so doing, it noted that the Supreme Court, albeit not in the data breach context, has found injury-in-fact where a threatened harm was either “certainly impending” or at “substantial risk” of occurring. In reliance on Supreme Court precedent, the circuit court then went on to define the standard for assessing increased-risk-of-harm as injury-in-fact by employing a technique that dates back to grade school, working backward. Start with the ultimate alleged harm, the circuit court instructed, and then determine whether the increased risk of such harm makes the potential injury to a plaintiff sufficiently imminent.
In the data breach context, the ultimate alleged harm is identity theft. Working backward, the D.C. Circuit Court noted that the plaintiff class alleged that cyber intruders accessed personal information, including Social Security numbers and health insurance subscriber ID numbers, and then the court posed a question—“Why else would hackers break into a database and steal consumers' private information?”. For the court, the question answered itself—no reason other than to steal consumers' identities.
To drive home its point about the imminence of the threat of identity theft, the court further illustrated by comparing the likelihood of harm in the CareFirst breach to the likelihood of harm in Clapper v. Amnesty International, a 2013 Supreme Court case. In Clapper, the plaintiffs challenged a provision of the Foreign Intelligence Surveillance Act, alleging as ultimate harm, government interception of their communications with overseas contacts. The circuit court in CafeFirst, mimicking the Supreme Court in Clapper, noted that the harm alleged by the plaintiff class in Clapper would come to fruition only if a series of independent actors, intelligence officials and Article III judges, took certain actions. The circuit court's point being that realization of the harm in Clapper, unlike in CareFirst, depended on “a long sequence of uncertain contingencies involving multiple independent actors.”
Ultimately, the D.C. Circuit Court held that the breach perpetrated against CaseFirst allowed for plausible injury-in-fact by creating a substantial likelihood that CareFirst's customers, whose personal information was accessed, would suffer identity theft. Other circuit courts have either expressly refused to find injury-in-fact from a future threat of identity theft or found injury-in-fact only where the identity theft actually occurred. For example, in Reilly v. Ceridian, the Third Circuit held that absent misuse of stolen personal information, there is no injury-in-fact. In Resnick v. Avmed, the Eleventh Circuit found injury-in-fact where identity theft actually occurred—fraudulent accounts were opened in the plaintiffs' names and fraudulent charges were made to those accounts.
If the Supreme Court elects to hear CareFirst's case, it will establish the law of the land for Article III standing in the data breach context. However, it is important to note that courts' findings as to Article III standing in data breach suits depend heavily on the facts as alleged. Nonetheless, the Supreme Court's decision would be a landmark in data breach litigation.
Justin Guido is an associate with Rumberger Kirk & Caldwell in Miami. Jacey Kaps is a partner in the Miami office and heads the firm's cyber and technology practice team. Steve Berlin is a litigation associate in the Tampa office and focuses his practice in the areas of casualty defense and cyber and technology law.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllNavigating Claims Under the Florida Telephone Solicitation Act and Florida Telemarketing Act
4 minute readSecond Circuit Ruling Expands VPPA Scope: What Organizations Need to Know
6 minute readTrending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250