To maintain a lawsuit in federal court, a plaintiff must allege an “injury in fact” caused by the defendant. Many times the injury is obvious, like a broken bone from a car accident or lost profits from a breach of contract. But sometimes the injury is not so obvious. When a company suffers a data breach and customer personal information is accessed or stolen, the fact of injury may not be clear. Must the customer show that her personal information has already been misused to steal her identity, or does the mere increased risk of identity theft itself satisfy the standing requirement? Federal courts have struggled to answer this question.
Recently, the District Court for the Western District of New York held that a plaintiff can show injury in a data breach case merely by alleging she has an increased risk of identity theft. In Fero v. Excellus Health Plan, Inc. (WDNY 15-CV-06569), the plaintiffs brought a putative class action alleging various injuries arising out of a 2013 data breach of defendant Excellus Health Plan, Inc. The District Court originally dismissed the case against some of the plaintiffs for lack of standing because they did not allege they had suffered any actual misuse of their personally identifiable information. However, on reconsideration the District Court reversed itself and held that an increased risk of identity theft from a data breach alone is sufficient injury for purposes of standing.
The District Court relied on the intervening Second Circuit Court of Appeals’ summary order in Whalen v. Michaels Stores, Inc., 689 F. Appx. 89 (2d Cir., May 2, 2017). In Whalen, although the Second Circuit affirmed dismissal of the case based on lack of standing, it cited the Sixth Circuit’s decision in Galaria v. Nationwide Mut. Ins. Co. as an example of a case where a plaintiff did have standing to bring a data breach claim because of an increased risk of identity theft. 663 Fed. Appx. 384 (6th Cir. 2016). The Western District judge understood the Whalen decision to strongly imply that the Second Circuit would follow the Sixth Circuit (and a few others) to find that a risk of future identity theft is sufficient to allege an injury.
Several other circuit courts have held the opposite. Only the Supreme Court has the ability to reconcile the split of opinion. However, the Court recently declined to address the level of injury required to support standing in a different context by refusing to review the Ninth Circuit’s August 15, 2017 opinion in Robins v. Spokeo, Inc. That case had already been before the Court in a previous iteration, and had been sent back to the Ninth Circuit to determine whether the plaintiff’s injuries were “concrete.” Spokeo, Inc. v. Robins, __ U.S. __, 136 S. Ct. 1540, 194 L.Ed.2d 635 (2016).
The Supreme Court has a chance to address standing in the context of a data breach case when it decides whether to grant certiorari in Attias v. Carefirst, Inc., 865 F.3d 620 (D.C. Cir. 2017). Like the New York court in Fero, the D.C. Circuit concluded the plaintiffs had standing based on a plausible allegation that they faced a substantial risk of identity fraud after a data breach. The Supreme Court is expected to take up the petition for certiorari in Carefirst during a February 2018 conference.
Ulmer attorneys are experienced in helping clients navigate breach responses and other cybersecurity incidents. We regularly provide counsel on the myriad regulatory schemes and the seemingly inevitable investigations and litigation associated with an inadvertent loss or unauthorized acquisition of sensitive electronic information.