Supreme Court Asked, Again, to Weigh In on Data Breach Standing as Circuit Split Widens
A Supreme Court ruling in a recent case would help clarify the standing issue for the lower courts, consumers and companies that suffer data breaches.
February 13, 2018 at 03:05 PM
5 minute read
CareFirst, a large health care company involved in a data breach case, has asked the U.S. Supreme Court to weigh in on whether victims can establish Article III standing to sue for the risk of future identity theft. The issue has split the federal appellate courts, with the U.S. Court of Appeals for the District of Columbia recently holding in CareFirst v. Attias that consumers could successfully plead such a claim.
Earlier this year, the high court declined to review another data breach case, Robins v. Spokeo, after the Ninth Circuit found that a plaintiff might be able to plead future injury related to false background information published by a website as an intangible injury sufficient to satisfy the “concrete injury” requirement for standing.
At issue in the CareFirst case is whether consumers can assert claims for the risk of harm due to the potential misuse of information obtained through a data breach. The district court dismissed complaints related to a 2015 breach at the large health care company, finding that increased risk of identity theft was too speculative to establish standing. The D.C. Circuit reversed, holding that plaintiffs demonstrated a substantial risk of future harm “by virtue of the hack and the nature of the data.”
The Sixth, Seventh and Ninth circuits have ruled similarly, in Galaria v. Nationwide Mutual Insurance, Lewert v. P.F. Chang's China Bistro and Krottner v. Starbucks, respectively. The Third, Fourth and Eighth circuits have disagreed, finding the “enhanced risk of future identity theft to be too speculative.”
While the specific allegations differ in each case, the decisions have led to a split between circuits, presenting a significant challenge attempting to reconcile the existing case law.
Two recent district court decisions from New York are illustrative. In Fero v. Excellus Health Plan, U.S. District Judge Elizabeth A. Wolford of the Western District of New York navigated conflicting case law by relying, in part, on the nature of the information disclosed in a breach. Excellus, a health care provider, had been the victim of breaches in which hackers had accessed information such as names, dates of birth, Social Security numbers and prior medical claims. Certain plaintiffs solely alleged injury due to the increased risk of future identity theft. Last month, on a motion for reconsideration, Wolford reversed her prior decision dismissing those claims and found that the Second Circuit's unreported decision in Whalen v. Michaels Stores suggested that it, too, would find the risk of future identify theft sufficient to confer standing under certain circumstances.
In Whalen, a breach resulted in the disclosure of credit card information, but the plaintiff promptly canceled the card so she was not liable for fraudulent charges. A three-judge panel of the Second Circuit affirmed the dismissal of the claims in a summary order, noting that the plaintiff didn't “plausibly face a threat of future fraud, because her stolen credit card was promptly cancelled … and no other personally identifying information … is alleged to have been stolen.” It cited in comparison the Sixth Circuit's decision in Galaria, which found standing where a hacker obtained personal data including Social Security numbers.
Wolford found the reference to Galaria indicative of how the Second Circuit would evaluate standing where additional information was disclosed. Unlike information relating to only a subsequently canceled credit card, she found that the data disclosed in the Excellus breach could lead to a variety of future fraudulent conduct, and therefore raised an “imminent risk” of future harm. (See Fero v. Excellus Health Plan.)
Last fall, another New York district judge reached a similar conclusion using slightly different reasoning in Sackin v. Transperfect Global. The case also involved a breach in which hackers accessed an array of consumer information. U.S. District Judge Lorna G. Schofield of the Southern District of New York noted that this disclosure could lead to a variety of fraudulent acts by the hackers (or third parties who subsequently purchased the information) and read Whalen to suggest the Second Circuit would recognize this as an injury-in-fact sufficient to establish standing. Schofield further looked to the probable motivation of the hackers, noting that given the nature of the breach, “the most likely and obvious motivation for the hacking is to use plaintiffs' [information] nefariously or sell it to someone who would.” She distinguished cases where the motivation behind the breach was less clear (such as in Beck, where a laptop was stolen, but there was no evidence that data on the laptop, rather than the laptop itself, was the target of the theft).
While the Excellus and Sackin decisions are no guarantee of how the Second Circuit might eventually rule, the cases reflect the lower courts' ongoing struggle to resolve the different precedents. A Supreme Court ruling in CareFirst would help clarify the standing issue for the lower courts, consumers and companies that suffer data breaches.
Craig A. Newman is a litigation partner with Patterson Belknap Webb & Tyler in New York and chairs the firm's data security practice group. Jonathan Hatch is counsel with the firm and practices in antitrust, white-collar defense, government investigations and data security.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
The Marble Palace Blog: Supreme Court Books You Should Read in 2025
Trending Stories
- 1‘Catholic Charities v. Wisconsin Labor and Industry Review Commission’: Another Consequence of 'Hobby Lobby'?
- 2With DEI Rollbacks, Employment Lawyers See Potential For Targeting Corporate Commitment to Equality
- 3In-House Legal Network The L Suite Acquires Legal E-Learning Platform Luminate+
- 4In Police Shooting Case, Kavanaugh Bleeds Blue and Jackson ‘Very Very Confused’
- 5Trump RTO Mandates Won’t Disrupt Big Law Policies—But Client Expectations Might
Who Got The Work
J. Brugh Lower of Gibbons has entered an appearance for industrial equipment supplier Devco Corporation in a pending trademark infringement lawsuit. The suit, accusing the defendant of selling knock-off Graco products, was filed Dec. 18 in New Jersey District Court by Rivkin Radler on behalf of Graco Inc. and Graco Minnesota. The case, assigned to U.S. District Judge Zahid N. Quraishi, is 3:24-cv-11294, Graco Inc. et al v. Devco Corporation.
Who Got The Work
Rebecca Maller-Stein and Kent A. Yalowitz of Arnold & Porter Kaye Scholer have entered their appearances for Hanaco Venture Capital and its executives, Lior Prosor and David Frankel, in a pending securities lawsuit. The action, filed on Dec. 24 in New York Southern District Court by Zell, Aron & Co. on behalf of Goldeneye Advisors, accuses the defendants of negligently and fraudulently managing the plaintiff's $1 million investment. The case, assigned to U.S. District Judge Vernon S. Broderick, is 1:24-cv-09918, Goldeneye Advisors, LLC v. Hanaco Venture Capital, Ltd. et al.
Who Got The Work
Attorneys from A&O Shearman has stepped in as defense counsel for Toronto-Dominion Bank and other defendants in a pending securities class action. The suit, filed Dec. 11 in New York Southern District Court by Bleichmar Fonti & Auld, accuses the defendants of concealing the bank's 'pervasive' deficiencies in regards to its compliance with the Bank Secrecy Act and the quality of its anti-money laundering controls. The case, assigned to U.S. District Judge Arun Subramanian, is 1:24-cv-09445, Gonzalez v. The Toronto-Dominion Bank et al.
Who Got The Work
Crown Castle International, a Pennsylvania company providing shared communications infrastructure, has turned to Luke D. Wolf of Gordon Rees Scully Mansukhani to fend off a pending breach-of-contract lawsuit. The court action, filed Nov. 25 in Michigan Eastern District Court by Hooper Hathaway PC on behalf of The Town Residences LLC, accuses Crown Castle of failing to transfer approximately $30,000 in utility payments from T-Mobile in breach of a roof-top lease and assignment agreement. The case, assigned to U.S. District Judge Susan K. Declercq, is 2:24-cv-13131, The Town Residences LLC v. T-Mobile US, Inc. et al.
Who Got The Work
Wilfred P. Coronato and Daniel M. Schwartz of McCarter & English have stepped in as defense counsel to Electrolux Home Products Inc. in a pending product liability lawsuit. The court action, filed Nov. 26 in New York Eastern District Court by Poulos Lopiccolo PC and Nagel Rice LLP on behalf of David Stern, alleges that the defendant's refrigerators’ drawers and shelving repeatedly break and fall apart within months after purchase. The case, assigned to U.S. District Judge Joan M. Azrack, is 2:24-cv-08204, Stern v. Electrolux Home Products, Inc.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
