Tuesday, August 1, 2017
The D.C. Circuit ruled today that a group of CareFirst customers, proceeding as a class, had standing to sue the health insurer for its carelessness in protecting customers' personal information after cyber-attackers allegedly stole that information. The ruling is a victory for the plaintiffs, but it doesn't mean that the case will proceed to the merits: the lower court still has to determine whether it has diversity jurisdiction.
The problem was that the plaintiffs alleged imminent harms from the breach, and not actual harms. (As it turns out, some plaintiffs did allege actual harms, but the court didn't rule on those claims, because its ruling on imminent harms was sufficient to support standing.) The court applied the substantial-risk-of-harm test and ruled that the plaintiffs alleged a sufficiently imminent harm. Contrasting Clapper v. Amnesty International, the court said,
Here, by contrast, an unauthorized party has already accessed personally identifying data on CareFirst's servers, and it is much less speculative--at the very least, it is plausible--to infer that this party has both the intent and the ability to use that data for ill. As the Seventh Circuit asked, in another data breach case where the court found standing, "Why else would hackers break into a . . . database and steal consumers' private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers' identities." . . . No long sequence of uncertain contingencies involving multiple independent actors has to occur before the plaintiffs in this case will suffer any harm; a substantial risk of harm exists already, simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken. That risk is much more substantial than the risk presented to the Clapper Court, and satisfies the requirement of an injury in fact.
As to traceability, the court said that this doesn't require the plaintiffs to sue only "the most immediate cause, or even a proximate cause, of the plaintiffs' injuries [in this case, the robbers]; it requires only that those injuries be 'fairly traceable' to the defendant." The plaintiffs satisfied this test.
As to redressability, the court said that the plaintiffs have incurred costs to mitigate any damage, and that these "self-imposed risk-mitigation costs" "can satisfy the redressability requirement, when combined with a risk of future harm that is substantial enough to qualify as an injury in fact." (But the court noted that these kinds of costs are insufficient to satisfy the injury-in-fact requirement.)