November 23, 2020

Volume X, Number 328


November 20, 2020

Subscribe to Latest Legal News and Analysis

Supreme Court Denies Cert Petition in CareFirst v. Attias

Earlier today, the Supreme Court of the United States denied certiorari in CareFirst v. Attias, a closely watched case that some thought provided the Court with an opportunity to clarify the standing analysis under Spokeo v. Robins in data breach class actions.In January, we blogged about CareFirst.  We noted that the core issue in the case – whether fear of identity theft flowing from a data breach is an “injury in fact” sufficient to trigger Article III standing – could have major impact on the viability of future data breach class actions.  The district court’s finding in favor of CareFirst on the standing issue was reversed and remanded last August by the U.S. Court of Appeals for the D.C. Circuit, which held that plaintiffs had alleged a risk of future injury because it was at least “plausible” that the cybercriminals had the intent and ability to use the stolen data for wrongful purposes.  CareFirst then filed a petition for certiorari to the United States Supreme Court, which today denied the petition leaving in place the D.C. Circuit’s ruling in favor of Plaintiffs.

The Court’s denial of certiorari is clearly good news for the Plaintiffs, and may signal that the Supreme Court, at least as of now, is comfortable with the ongoing split among courts of appeal over the viability of data breach class actions in federal court.  The Sixth, Seventh, Ninth, and D.C Circuits have permitted data breach class actions to proceed based on a fear of identity theft, whereas the First, Third and Fourth have not.  (The Third Circuit, however, has allowed a data breach class action to proceed based on violation of the FCRA’s confidentiality requirements.)  There is a modest trend among Courts of Appeal that have recently addressed the issue to find that standing exists in data breach class actions where the breach was caused by cybercriminals.

Most data breach class actions that have proceeded beyond the motion to dismiss stage have settled, notwithstanding potentially viable defenses on issues such as causation and the reasonableness of the defendant’s information security program.  Some settle quickly, while others have progressed through very heavy discovery phases.  Whether CareFirst will settle this case or proceed to discovery is an issue to watch.

Copyright © by Ballard Spahr LLPNational Law Review, Volume VIII, Number 52



About this Author

Philip Yannella, Ballard Spahr Law Firm, Philadelphia, Data Security Attorney

As Co-Practice Leader of Ballard’s Privacy and Data Security Group, and Practice Leader of the firm’s E-Discovery and Data Management Group, Philip N. Yannella provides clients with 360-degree advice on the transfer, storage, and use of digital information.

Mr. Yannella regularly advises clients on the Stored Communications Act (SCA), Computer Fraud and Abuse Act (CFAA), EU-US Privacy Shield, General Data Protection Regulation (GDPR), Defense of Trade Secrets Act, PCI-DSS, Telephone Consumer Protection Act (TCPA), New York Department of...

Edward McAndrew, Ballard Spahr, Philidelphia, Washington DC, Data Security, Privacy

Edward J. McAndrew is a counselor, investigator, and trial lawyer who helps clients navigate life in the digital world. He is the Co-Practice Leader of the firm's Privacy and Data Security Group.

Named a "Cybersecurity and Data Privacy Trailblazer" by The National Law Journal, Mr. McAndrew advises clients on cybersecurity, digital privacy, cyber-incident response, social media, online speech, defamation, commercial, employment, intellectual property, corporate governance, regulatory, and criminal matters. He also advises clients on cyber-based national security issues, as...