DC Circuit - The FindLaw DC Circuit Court of Appeals Opinion Summaries Blog

Risk of Identity Theft Is Injury Enough for Federal Court Standing

With data breaches occurring daily, the courts have become center stages for deciding who is responsible.

In Attias v. CareFirst, Inc., the U.S. Circuit Court of Appeals for the District of Columbia reviewed the story of customers against a health insurer after hackers compromised their data. A trial court said the plaintiffs didn't allege sufficient injury to confer federal court standing.

Drawing on "experience and common sense," however, the appeals court turned the spotlight on the company and said the potential for identify theft was injury enough.

First Care to Encrypt

The problem really started for the insurer when it failed to encrypt its customer data. It turned into a bigger issue when hackers later stole the information in 2014.

CareFirst did not discover the breach for almost a year, then notified its customers a month later. The plaintiffs filed their class action much faster, alleging negligence, breach of contract and violations of various consumer-protection laws.

A trial judge dismissed the complaint, concluding the plaintiffs had not alleged the risk of identify theft was sufficient injury to confer standing under Article III.

"Plaintiffs have not suggested, let alone demonstrated, how the CareFirst hackers could steal their identities without access to their social security or credit card numbers," the trial judge said.

The appeals court said the trial judge decided the case on incorrect premise: that the complaint did not allege the theft of social security or credit card numbers in the data breach.

Why Else Would Hackers Break In?

In fact, the panel said, the complaint did allege sufficient facts of identity theft. Under the circumstances, the plaintiffs faced a substantial risk of injury.

"As the Seventh Circuit asked, in another data breach case where the court found standing, 'Why else would hackers break into a ... database and steal consumers' private information?'" the court said, citing Remijas v. Neiman Marcus Grp., 794 F.3d 688, 693 (7th Cir. 2015). "Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers' identities."

The Electronic Privacy Information Center, which filed an amicus brief in the case, said reasonable data security measures can prevent many of the most common forms of criminal hacking.

"But until data breach victims can hold companies legally accountable for their lax security, data breaches will continue to occur at an alarming pace," the EPIC brief said.

Related Resources: