Earlier today, the Supreme Court of the United States denied certiorari in CareFirst v. Attias, a closely watched case that some thought provided the Court with an opportunity to clarify the standing analysis under Spokeo v. Robins in data breach class actions.In January, we blogged about CareFirst. We noted that the core issue in the case – whether fear of identity theft flowing from a data breach is an “injury in fact” sufficient to trigger Article III standing – could have major impact on the viability of future data breach class actions. The district court’s finding in favor of CareFirst on the standing issue was reversed and remanded last August by the U.S. Court of Appeals for the D.C. Circuit, which held that plaintiffs had alleged a risk of future injury because it was at least “plausible” that the cybercriminals had the intent and ability to use the stolen data for wrongful purposes. CareFirst then filed a petition for certiorari to the United States Supreme Court, which today denied the petition leaving in place the D.C. Circuit’s ruling in favor of Plaintiffs.
The Court’s denial of certiorari is clearly good news for the Plaintiffs, and may signal that the Supreme Court, at least as of now, is comfortable with the ongoing split among courts of appeal over the viability of data breach class actions in federal court. The Sixth, Seventh, Ninth, and D.C Circuits have permitted data breach class actions to proceed based on a fear of identity theft, whereas the First, Third and Fourth have not. (The Third Circuit, however, has allowed a data breach class action to proceed based on violation of the FCRA’s confidentiality requirements.) There is a modest trend among Courts of Appeal that have recently addressed the issue to find that standing exists in data breach class actions where the breach was caused by cybercriminals.
Most data breach class actions that have proceeded beyond the motion to dismiss stage have settled, notwithstanding potentially viable defenses on issues such as causation and the reasonableness of the defendant’s information security program. Some settle quickly, while others have progressed through very heavy discovery phases. Whether CareFirst will settle this case or proceed to discovery is an issue to watch.