Supreme Court Asked, Again, to Weigh In on Data Breach Standing as Circuit Split Widens
A Supreme Court ruling in a recent case would help clarify the standing issue for the lower courts, consumers and companies that suffer data breaches.
February 13, 2018 at 03:05 PM
CareFirst, a large health care company involved in a data breach case, has asked the U.S. Supreme Court to weigh in on whether victims can establish Article III standing to sue for the risk of future identity theft. The issue has split the federal appellate courts, with the U.S. Court of Appeals for the District of Columbia recently holding in CareFirst v. Attias that consumers could successfully plead such a claim.
Earlier this year, the high court declined to review another data breach case, Robins v. Spokeo, after the Ninth Circuit found that a plaintiff might be able to plead future injury related to false background information published by a website as an intangible injury sufficient to satisfy the “concrete injury” requirement for standing.
At issue in the CareFirst case is whether consumers can assert claims for the risk of harm due to the potential misuse of information obtained through a data breach. The district court dismissed complaints related to a 2015 breach at the large health care company, finding that increased risk of identity theft was too speculative to establish standing. The D.C. Circuit reversed, holding that plaintiffs demonstrated a substantial risk of future harm “by virtue of the hack and the nature of the data.”
The Sixth, Seventh and Ninth circuits have ruled similarly, in Galaria v. Nationwide Mutual Insurance, Lewert v. P.F. Chang's China Bistro and Krottner v. Starbucks, respectively. The Third, Fourth and Eighth circuits have disagreed, finding the “enhanced risk of future identity theft to be too speculative.”
While the specific allegations differ in each case, the decisions have led to a split between circuits, presenting a significant challenge for courts attempting to reconcile the existing case law.
Two recent district court decisions from New York are illustrative. In Fero v. Excellus Health Plan, U.S. District Judge Elizabeth A. Wolford of the Western District of New York navigated conflicting case law by relying, in part, on the nature of the information disclosed in a breach. Excellus, a health care provider, had been the victim of breaches in which hackers had accessed information such as names, dates of birth, Social Security numbers and prior medical claims. Certain plaintiffs solely alleged injury due to the increased risk of future identity theft. Last month, on a motion for reconsideration, Wolford reversed her prior decision dismissing those claims and found that the Second Circuit's unreported decision in Whalen v. Michaels Stores suggested that it, too, would find the risk of future identity theft sufficient to confer standing under certain circumstances.
In Whalen, a breach resulted in the disclosure of credit card information, but the plaintiff promptly canceled the card so she was not liable for fraudulent charges. A three-judge panel of the Second Circuit affirmed the dismissal of the claims in a summary order, noting that the plaintiff didn't “plausibly face a threat of future fraud, because her stolen credit card was promptly cancelled … and no other personally identifying information … is alleged to have been stolen.” It cited in comparison the Sixth Circuit's decision in Galaria, which found standing where a hacker obtained personal data including Social Security numbers.
Wolford found the reference to Galaria indicative of how the Second Circuit would evaluate standing where additional information was disclosed. Unlike information relating to only a subsequently canceled credit card, she found that the data disclosed in the Excellus breach could lead to a variety of future fraudulent conduct, and therefore raised an “imminent risk” of future harm. (See Fero v. Excellus Health Plan.)
Last fall, another New York district judge reached a similar conclusion using slightly different reasoning in Sackin v. Transperfect Global. The case also involved a breach in which hackers accessed an array of consumer information. U.S. District Judge Lorna G. Schofield of the Southern District of New York noted that this disclosure could lead to a variety of fraudulent acts by the hackers (or third parties who subsequently purchased the information) and read Whalen to suggest the Second Circuit would recognize this as an injury-in-fact sufficient to establish standing. Schofield further looked to the probable motivation of the hackers, noting that given the nature of the breach, “the most likely and obvious motivation for the hacking is to use plaintiffs' [information] nefariously or sell it to someone who would.” She distinguished cases where the motivation behind the breach was less clear (such as in Beck, where a laptop was stolen, but there was no evidence that data on the laptop, rather than the laptop itself, was the target of the theft).
While the Excellus and Sackin decisions are no guarantee of how the Second Circuit might eventually rule, the cases reflect the lower courts' ongoing struggle to resolve the different precedents. A Supreme Court ruling in CareFirst would help clarify the standing issue for the lower courts, consumers and companies that suffer data breaches.
Craig A. Newman is a litigation partner with Patterson Belknap Webb & Tyler in New York and chairs the firm's data security practice group. Jonathan Hatch is counsel with the firm and practices in antitrust, white-collar defense, government investigations and data security.