Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

CybersecurityFeaturesLitigationUnited States Supreme CourtTechnology Media and TelecomCybersecurity Law & Strategy

Supreme Court Asked, Again, to Weigh In on Data Breach Standing as Circuit Split Widens

By Craig A. Newman and Jonathan Hatch
March 01, 2018

CareFirst, a large health care company involved in a data breach case, asked the U.S. Supreme Court to weigh in on whether victims can establish Article III standing to sue for the risk of future identity theft. The Court denied the request, leaving intact the recent holding of the U.S. Court of Appeals for the District of Columbia that consumers could successfully plead such a claim issue — and leaving a split among the federal appellate courts. See, Attias v. Carefirst, Inc., 865 F. 3d 620 (Court of Appeals, Dist. of Columbia Circuit 2017, cert. denied Feb. 20. 2018)

Earlier this year, the High Court declined to review another data breach case, Robins v. Spokeo, No. 11-56843, after the Ninth Circuit found that a plaintiff might be able to plead future injury related to false background information published by a website as an intangible injury sufficient to satisfy the “concrete injury” requirement for standing.

At issue in the CareFirst case is whether consumers can assert claims for the risk of harm due to the potential misuse of information obtained through a data breach. The district court dismissed complaints related to a 2015 breach at the large health care company, finding that increased risk of identity theft was too speculative to establish standing. The D.C. Circuit reversed, holding that plaintiffs demonstrated a substantial risk of future harm “by virtue of the hack and the nature of the data.”

The Sixth, Seventh and Ninth circuits have ruled similarly, in Galaria v. Nationwide Mutual Insurance, Nos. 15-3386, 15-3387 (2016), Lewert v. P.F. Chang's China Bistro, 819 F.3d 963 (2016), and Krottner v. Starbucks, 628 F.3d 1139 (2010), respectively. The Third, Fourth and Eighth circuits have disagreed, finding the “enhanced risk of future identity theft to be too speculative.”

While the specific allegations differ in each case, the decisions have led to a split between circuits, presenting a significant challenge attempting to reconcile the existing case law.

Two recent district court decisions from New York are illustrative. In Fero v. Excellus Health Plan, 236 F.Supp.3d 735 (2017), U.S. District Judge Elizabeth A. Wolford of the Western District of New York navigated conflicting case law by relying, in part, on the nature of the information disclosed in a breach.

Excellus, a health care provider, had been the victim of breaches in which hackers had accessed information such as names, dates of birth, Social Security numbers and prior medical claims. Certain plaintiffs solely alleged injury due to the increased risk of future identity theft. In January, on a motion for reconsideration, Wolford reversed her prior decision dismissing those claims and found that the Second Circuit's unreported decision in Whalen v. Michaels Stores suggested that it, too, would find the risk of future identify theft sufficient to confer standing under certain circumstances.

In Whalen, a breach resulted in the disclosure of credit card information, but the plaintiff promptly canceled the card so she was not liable for fraudulent charges. A three-judge panel of the Second Circuit affirmed the dismissal of the claims in a summary order, noting that the plaintiff didn't “plausibly face a threat of future fraud, because her stolen credit card was promptly cancelled … and no other personally identifying information … is alleged to have been stolen.” It cited in comparison the Sixth Circuit's decision in Galaria, which found standing where a hacker obtained personal data including Social Security numbers.

Wolford found the reference to Galaria indicative of how the Second Circuit would evaluate standing where additional information was disclosed. Unlike information relating to only a subsequently canceled credit card, she found that the data disclosed in the Excellus breach could lead to a variety of future fraudulent conduct, and therefore raised an “imminent risk” of future harm. (See, Fero v. Excellus Health Plan.)

Last fall, another New York district judge reached a similar conclusion using slightly different reasoning in Sackin v. Transperfect Global, No. 17 Civ. 1469 (LGS). That case also involved a breach in which hackers accessed an array of consumer information. U.S. District Judge Lorna G. Schofield of the Southern District of New York noted that this disclosure could lead to a variety of fraudulent acts by the hackers (or third parties who subsequently purchased the information) and read Whalen to suggest the Second Circuit would recognize this as an injury-in-fact sufficient to establish standing. Schofield further looked to the probable motivation of the hackers, noting that given the nature of the breach, “the most likely and obvious motivation for the hacking is to use plaintiffs' [information] nefariously or sell it to someone who would.” She distinguished cases where the motivation behind the breach was less clear (such as in Beck, where a laptop was stolen, but there was no evidence that data on the laptop, rather than the laptop itself, was the target of the theft).

While the Excellus and Sackin decisions are no guarantee of how the Second Circuit might eventually rule, the cases reflect the lower courts' ongoing struggle to resolve the different precedents. The fact that the Supreme Court decided not to rule in CareFirst keeps the standing issue murky for the lower courts, consumers and companies that suffer data breaches.

*****
Craig A. Newman is a litigation partner with Patterson Belknap Webb & Tyler in New York and chairs the firm's data security practice group. Jonathan Hatch is counsel with the firm and practices in antitrust, white-collar defense, government investigations and data security. This article also appeared in the National Law Journal, an ALM a sibling of this newsletter.

This premium content is locked for Entertainment Law & Finance subscribers only

  • Stay current on the latest information, rulings, regulations, and trends
  • Includes practical, must-have information on copyrights, royalties, AI, and more
  • Tap into expert guidance from top entertainment lawyers and experts

For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473

Read These Next
How Secure Is the AI System Your Law Firm Is Using? Image

In a profession where confidentiality is paramount, failing to address AI security concerns could have disastrous consequences. It is vital that law firms and those in related industries ask the right questions about AI security to protect their clients and their reputation.

COVID-19 and Lease Negotiations: Early Termination Provisions Image

During the COVID-19 pandemic, some tenants were able to negotiate termination agreements with their landlords. But even though a landlord may agree to terminate a lease to regain control of a defaulting tenant's space without costly and lengthy litigation, typically a defaulting tenant that otherwise has no contractual right to terminate its lease will be in a much weaker bargaining position with respect to the conditions for termination.

Pleading Importation: ITC Decisions Highlight Need for Adequate Evidentiary Support Image

The International Trade Commission is empowered to block the importation into the United States of products that infringe U.S. intellectual property rights, In the past, the ITC generally instituted investigations without questioning the importation allegations in the complaint, however in several recent cases, the ITC declined to institute an investigation as to certain proposed respondents due to inadequate pleading of importation.

The Power of Your Inner Circle: Turning Friends and Social Contacts Into Business Allies Image

Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.

Authentic Communications Today Increase Success for Value-Driven Clients Image

As the relationship between in-house and outside counsel continues to evolve, lawyers must continue to foster a client-first mindset, offer business-focused solutions, and embrace technology that helps deliver work faster and more efficiently.