Justin Guido, Jacey Kaps, Steve Berlin

Data breach is today's hot button issue. And it just got hotter. On the heels of major data breaches at Equifax and Uber, the U.S. Supreme Court is confronted with the question of whether it will resolve a threshold issue in all data breach class actions—was the plaintiff class actually injured?

In Attias v. CareFirst, the U.S. Court of Appeals for the D.C. Circuit Court reversed a D.C. district court and allowed the plaintiff class to survive Article III standing by holding that a substantial likelihood of identity theft suffices as injury-in-fact in the data breach context. For the plaintiff class in Attias, the courthouse door is open and their foot is in. But Carefirst has filed a petition for writ of cert, potentially leaving it up to the Supremes to decide whether the door remains open.

In June 2014, CareFirst, a health insurance provider, fell prey to cyber intruders who breached its computer system and gained access to customers' personal information including, allegedly, identifying data that can be used to open new financial accounts and incur charges in another person's name. The customers, whose personal information was accessed, filed suit, citing as their injury-in-fact a heightened risk of identity theft.

In analyzing the customers' alleged injury, the D.C. Circuit Court looked to U.S. Supreme Court precedent addressing unrealized injury—a future risk of harm—as injury-in-fact sufficient to confer Article III standing. In so doing, it noted that the Supreme Court, albeit not in the data breach context, has found injury-in-fact where a threatened harm was either “certainly impending” or at “substantial risk” of occurring. In reliance on Supreme Court precedent, the circuit court then went on to define the standard for assessing increased-risk-of-harm as injury-in-fact by employing a technique that dates back to grade school, working backward. Start with the ultimate alleged harm, the circuit court instructed, and then determine whether the increased risk of such harm makes the potential injury to a plaintiff sufficiently imminent.

In the data breach context, the ultimate alleged harm is identity theft. Working backward, the D.C. Circuit Court noted that the plaintiff class alleged that cyber intruders accessed personal information, including Social Security numbers and health insurance subscriber ID numbers, and then the court posed a question—“Why else would hackers break into a database and steal consumers' private information?”. For the court, the question answered itself—no reason other than to steal consumers' identities.

To drive home its point about the imminence of the threat of identity theft, the court further illustrated by comparing the likelihood of harm in the CareFirst breach to the likelihood of harm in Clapper v. Amnesty International, a 2013 Supreme Court case. In Clapper, the plaintiffs challenged a provision of the Foreign Intelligence Surveillance Act, alleging as ultimate harm, government interception of their communications with overseas contacts. The circuit court in CafeFirst, mimicking the Supreme Court in Clapper, noted that the harm alleged by the plaintiff class in Clapper would come to fruition only if a series of independent actors, intelligence officials and Article III judges, took certain actions. The circuit court's point being that realization of the harm in Clapper, unlike in CareFirst, depended on “a long sequence of uncertain contingencies involving multiple independent actors.”

Ultimately, the D.C. Circuit Court held that the breach perpetrated against CaseFirst allowed for plausible injury-in-fact by creating a substantial likelihood that CareFirst's customers, whose personal information was accessed, would suffer identity theft. Other circuit courts have either expressly refused to find injury-in-fact from a future threat of identity theft or found injury-in-fact only where the identity theft actually occurred. For example, in Reilly v. Ceridian, the Third Circuit held that absent misuse of stolen personal information, there is no injury-in-fact. In Resnick v. Avmed, the Eleventh Circuit found injury-in-fact where identity theft actually occurred—fraudulent accounts were opened in the plaintiffs' names and fraudulent charges were made to those accounts.

If the Supreme Court elects to hear CareFirst's case, it will establish the law of the land for Article III standing in the data breach context. However, it is important to note that courts' findings as to Article III standing in data breach suits depend heavily on the facts as alleged. Nonetheless, the Supreme Court's decision would be a landmark in data breach litigation.

​Justin Guido is an associate with Rumberger Kirk & Caldwell in Miami. Jacey Kaps is a partner in the Miami office and heads the firm's cyber and technology practice team. Steve Berlin is a litigation associate in the Tampa office and focuses his practice in the areas of casualty defense and cyber and technology law.