A circuit split on whether actual misuse of personal data is required to have standing to assert data breach claims remains unresolved. Last week the Supreme Court rejected a petition to review that issue in CareFirst v. Attias. In CareFirst, the D.C. Circuit joined several other circuits in holding that the threat of misuse of data, in and of itself, gives rise to standing. Other circuits require more concrete harm in the form of actual misuse of data. Until the Supreme Court settles the issue, companies will remain susceptible to data breach lawsuits in jurisdictions adhering to the liberal standard endorsed in CareFirst.
In CareFirst, the defendant CareFirst initially succeeded in obtaining dismissal of the data breach claims on standing grounds. CareFirst argued that plaintiffs had alleged no injury beyond the statutory violations purportedly arising from the breach. In fact, three years later, none of the plaintiffs had suffered any concrete harm resulting from the breach. The trial court agreed with CareFirst’s argument that without a concrete injury and without an imminent risk of substantial harm, plaintiffs did not have standing to sue simply because the breach had exposed their personal data.
The D.C. Circuit disagreed. Although no misuse of data had yet occurred, the D.C. Circuit read the complaint to allege that Social Security Numbers and credit card information had been stolen (disagreeing with the lower court’s reading that this data had not been compromised) along with other data that together amounted to personally identifiable information. The nature of the data stolen – SSNs and credit card information – influenced the court’s decision. The judges inferred that hackers would not break into a database and take this information for any reason other than to commit theft or fraud. The injury arose from the threat caused by mere exposure of this particularly sensitive data. In the court’s view, it was at least “plausible” that it would be misused in the future, and that risk was substantial enough in the court’s eyes to give rise to standing.
The D.C. Circuit now aligns with the Sixth, Seventh, and Ninth Circuits on the sufficiency of the risk of data misuse to confer standing in a data breach case. The Second, Third, Fourth, and Eighth Circuits hold differently. Those courts hold that where no subsequent identity theft or fraud occurs, and each passing day diminishes the “imminence” of any risk of injury caused by the breach, plaintiffs lack standing to sue if the complaint does not allege more than mere exposure of personal information.
So – are consumers at imminent risk of real harm if their data is exposed, or is something more required to amount to an injury? For now, the answer continues to depend in part on where you get sued. After Spokeo, defendants and plaintiffs alike seek greater clarity as to the types of injuries that suffice for Article III standing in data breach cases. The continuing split on this particular standing issue, combined with ongoing criminal activities targeting PII, makes it likely that at some point the Supreme Court will decide this issue. How courts decide the issue in the meantime may well depend on their experience with data breach claims and whether evidence developed over time supports or undermines claims that exposure of PII inevitably creates a substantial likelihood of identity theft, fraud, loss, or other concrete injuries.