Attias v. CareFirst: CareFirst Petitions for Cert to Decide Standard of Harm in Data Breach Cases

Petition for Writ of Certiorari, Attias v. CareFirst, Inc., 865 F.3d 620 (D.C. Cir. 2017), No. ______. Petition hosted by Reuters.

On August 15, 2017, CareFirst petitioned for certiorari in Attias v. CareFirst. The case concerned a proposed class action filed against CareFirst after a hacker breached the database of the national health insurer. In June 2014, an unknown hacker gained access to CareFirst’s electronic servers and stole names, birth dates, email addresses and subscriber identification of 1.1 million policyholders.

In 2015, Attias and six other policyholders filed a class action suit arguing that CareFirst violated state laws and legal duties by failing to safeguard their information and exposing plaintiffs to identity theft. To sue, plaintiffs had to meet the standing requirement stipulated in Article III of the Constitution by proving that their injuries were “actual or imminent,” rather than speculative.

Plaintiffs alleged that they had standing to sue, because they had suffered an increased risk of identity theft. CareFirst then moved to dismiss, arguing that plaintiffs alleged a harm that was too speculative to establish a “concrete injury”—beyond an impermissibly “attenuated chain of possibilities”—as required by the Supreme Court.  

On August 10, 2016, the District Court held in favor of CareFirst. The Court ruled that mere possession of one’s personal information stolen in a data breach was insufficient to establish standing without additional facts demonstrating a “sufficiently substantial risk of future harm.”

On August 1, 2017, the Court of Appeals for the D.C. Circuit reversed, holding that plaintiffs had plausibly alleged a risk of future injury that was substantial enough to create Article III standing. Hackers had stolen customer’s personal identifying information, which plaintiffs said included patient credit card and social security numbers. The stolen information could also be used to open new financial accounts and appropriate victim’s identity. This injury was sufficient to establish standing because it was “at the very least . . . plausible” to infer that the hacker had the intent and ability to use the stolen data for illicit purposes.

In support of its cert petition to the Supreme Court, CareFirst made three arguments. First, CareFirst said that the D.C. Circuit erred in holding plaintiffs to a plausibility standard and a “light burden of proof” at the pleading stage. Here, as in all data breach cases, injuries resulting from a data breach are unknown at the time of a suit. Asking plaintiffs to plausibly demonstrate a substantial risk that these harms would occur, CareFirst argued, was not sufficient to establish standing, because it relied on a “highly attenuated chain of possibilities.” The Court failed to reconcile their standard with precedent and failed to recognize other motivations of the unknown hackers.

Second, CareFirst argued that this decision along with holdings in the Seventh, Sixth, and Third Circuit stood in contrast to recent decisions in the Second and Fourth Circuit. Multiple lower court decisions mirror these conflicting results. Without guidance from the Supreme Court, the gap between identical cases in different jurisdictions will grow.

Finally, CareFirst argued that the issues in this case are important, frequently recurring, and cleanly presented. The scope and number of cyberattacks has “potential for enormous liability,” CareFirst said, because defendants face an increasing pressure to settle. The longer a putative class action survives, the higher the damage claims become as tens of thousands of claimants are combined.. Circuit courts and lower courts will continue to split on the issue, so the Supreme Court’s decision will be critical to establish a consistent application of the standard. The issues presented in this case were purely legal and therefore are an “ideal opportunity” for the Court.

The National Law Review notes that if plaintiffs’ ability to survive the motion to dismiss phase increases and more cases survive class certification and enter discovery, such actions will become more expensive for companies to defend. These developments underscore the importance of organizations to carefully consider their privacy and network security requirements and insurance options as our data transactions move fully online. A summary of the case can be found at EPIC and Cleary Gottlieb. 

Amy Zhang is a 1L student at Harvard Law School.