Supreme Court Denies Cert Petition in CareFirst v. Attias
Wednesday, February 21, 2018
Supreme Court On Data Breach Class Actions
Print Mail Download i

Earlier today, the Supreme Court of the United States denied certiorari in CareFirst v. Attias, a closely watched case that some thought provided the Court with an opportunity to clarify the standing analysis under Spokeo v. Robins in data breach class actions.In January, we blogged about CareFirst.  We noted that the core issue in the case – whether fear of identity theft flowing from a data breach is an “injury in fact” sufficient to trigger Article III standing – could have major impact on the viability of future data breach class actions.  The district court’s finding in favor of CareFirst on the standing issue was reversed and remanded last August by the U.S. Court of Appeals for the D.C. Circuit, which held that plaintiffs had alleged a risk of future injury because it was at least “plausible” that the cybercriminals had the intent and ability to use the stolen data for wrongful purposes.  CareFirst then filed a petition for certiorari to the United States Supreme Court, which today denied the petition leaving in place the D.C. Circuit’s ruling in favor of Plaintiffs.

The Court’s denial of certiorari is clearly good news for the Plaintiffs, and may signal that the Supreme Court, at least as of now, is comfortable with the ongoing split among courts of appeal over the viability of data breach class actions in federal court.  The Sixth, Seventh, Ninth, and D.C Circuits have permitted data breach class actions to proceed based on a fear of identity theft, whereas the First, Third and Fourth have not.  (The Third Circuit, however, has allowed a data breach class action to proceed based on violation of the FCRA’s confidentiality requirements.)  There is a modest trend among Courts of Appeal that have recently addressed the issue to find that standing exists in data breach class actions where the breach was caused by cybercriminals.

Most data breach class actions that have proceeded beyond the motion to dismiss stage have settled, notwithstanding potentially viable defenses on issues such as causation and the reasonableness of the defendant’s information security program.  Some settle quickly, while others have progressed through very heavy discovery phases.  Whether CareFirst will settle this case or proceed to discovery is an issue to watch.

Copyright © by Ballard Spahr LLP

Current Legal Analysis

More from Ballard Spahr LLP

FinCEN Deputy Director Stresses Technological Innovation, Virtual Currency Enforcement and the U.S. Culture of Compliance
by: Brian N. Kearney
The EU’s Efforts to Combat Money Laundering, the Financing of Terrorism and Corruption Seem to Overlook a Very American Approach: Prosecute People
by: Peter D. Hardy , Mary Treanor
California Legislature Adopts Five Amendments to CCPA, But Largely Rejects Industry Efforts
by: Gregory Szewczyk
Should the Financial Industry Be Detecting Future Mass Shooters?
by: Peter D. Hardy , Mary Treanor
Trump Administration to Discharge the Federal Student Loan Debt of Totally and Permanently Disabled Veterans
by: Stacy H. Rubin
FinCEN Advisory Highlights Money Laundering Risks Related to Fentanyl Trafficking
by: Terence M. Grugan
CFPB’s First Remittance Transfer Rule Enforcement Action
by: Bowen "Bo" Ranney , James Kim
FinCEN Announces New “Global Investigations Division” Focused on Foreign Money Laundering Threats
by: Peter D. Hardy
DOL Seeks to Improve Employers’ FMLA Forms
by: Brian D. Pedrow , David S. Fryman
The Federal Reserve’s Entry into Real-Time Payments
by: Christopher D. Ford , Judy Mok

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins