October 23, 2019

October 23, 2019

Subscribe to Latest Legal News and Analysis

October 22, 2019

Subscribe to Latest Legal News and Analysis

October 21, 2019

Subscribe to Latest Legal News and Analysis

Supreme Court Declines to Address Circuit Split on Data Breach Standing Issue

A circuit split on whether actual misuse of personal data is required to have standing to assert data breach claims remains unresolved.  Last week the Supreme Court rejected a petition to review that issue in CareFirst v. Attias.  In CareFirst, the D.C. Circuit joined several other circuits in holding that the threat of misuse of data, in and of itself, gives rise to standing. Other circuits require more concrete harm in the form of actual misuse of data. Until the Supreme Court settles the issue, companies will remain susceptible to data breach lawsuits in jurisdictions adhering to the liberal standard endorsed in CareFirst.

In CareFirst, the defendant CareFirst initially succeeded in obtaining dismissal of the data breach claims on standing grounds. CareFirst argued that plaintiffs had alleged no injury beyond the statutory violations purportedly arising from the breach. In fact, three years later, none of the plaintiffs had suffered any concrete harm resulting from the breach. The trial court agreed with CareFirst’s argument that without a concrete injury and without an imminent risk of substantial harm, plaintiffs did not have standing to sue simply because the breach had exposed their personal data.

The D.C. Circuit disagreed. Although no misuse of data had yet occurred, the D.C. Circuit read the complaint to allege that Social Security Numbers and credit card information had been stolen (disagreeing with the lower court’s reading that this data had not been compromised) along with other data that together amounted to personally identifiable information. The nature of the data stolen – SSNs and credit card information – influenced the court’s decision. The judges inferred that hackers would not break into a database and take this information for any reason other than to commit theft or fraud. The injury arose from the threat caused by mere exposure of this particularly sensitive data. In the court’s view, it was at least “plausible” that it would be misused in the future, and that risk was substantial enough in the court’s eyes to give rise to standing.

The D.C. Circuit now aligns with the SixthSeventh, and Ninth Circuits on the sufficiency of the risk of data misuse to confer standing in a data breach case.  The SecondThirdFourth, and Eighth Circuits hold differently. Those courts hold that where no subsequent identity theft or fraud occurs, and each passing day diminishes the “imminence” of any risk of injury caused by the breach, plaintiffs lack standing to sue where a complaint does not allege more than mere exposure of personal information.

So – are consumers at imminent risk of real harm if their data is exposed, or is something more required to amount to an injury? For now, the answer continues to depend in part on where you get sued. After Spokeo, defendants and plaintiffs alike seek greater clarity as to the types of injuries that suffice for Article III standing in data breach cases.  The continuing split on this particular standing issue, combined with ongoing criminal activities targeting PII, make it likely that at some point the Supreme Court will decide this issue.  How courts decide the issue in the meantime may well depend on their experience with data breach claims and whether evidence developed over time supports or undermines claims that exposure of PII inevitably creates a substantial likelihood of identity theft, fraud, loss, or other concrete injuries.

©1994-2019 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.


About this Author

Jane Haviland, Mintz Levin Law Firm, Complex Commercial Litigation Product Liability & Complex Tort Securities Litigation Health Care Enforcement & Investigations

Jane’s practice focuses on litigation matters, including health care enforcement defense, complex civil and business litigation, and product liability law. Recent victories to which Jane has contributed include:

  • Defense verdicts on summary judgment in multi-jurisdictional product liability disputes involving FDA-approved pharmaceutical drugs and assay test development.
  • Defense verdict on partial summary judgment in a bet-the-company case involving a dispute between the majority owner of a multi-billion dollar company and private equity investors.


Kevin McGinty, Corporate, Class Action, Attorney, Mintz Levin, Law Firm

Kevin concentrates in complex corporate and class action litigation. He chairs the firm's Class Action Working Group and has extensive experience defending consumer, antitrust, unfair trade practice, contract, mass tort, and employment class actions.

He has also represented corporations, professionals, and individuals in business acquisition disputes. Kevin’s clients have included health care–related entities (including pharmacies, PBMs, and managed care organizations), insurers (including life, auto, and casualty companies), retailers, manufacturers, and accounting firms. Several of these clients are Fortune 500 companies.