Standing under Spokeo has been established. The Court of Appeals for the District of Columbia (the “Appeals Court”) reversed the USDC (District of Columbia)(the “District Court”) decision to dismiss a matter for lack of Article III standing. The case is Chantal Attiass et al. v. Carefirst, Inc. et al. (“CareFirst”). A data breach occurred in 2014 when an unknown intruder breached 22 of Defendant CareFirst’s computers and reached a database that contained personal information of about 1 million policyholders. The breach was discovered in 2015. The data compromised included names, birth dates, email addresses and subscriber identification numbers. The data was stored on CareFirst’s servers, allegedly without encryption. Defendant CareFirst is a group of health insurance companies.
No social security numbers or credit card numbers were stolen according to CareFirst. CareFirst filed a motion to dismiss making the usual Article III standing arguments that there were no allegations that the personal information was actually misused and there were no allegations as to how the information could be used to assume the plaintiffs identities thus plaintiffs suffered no concrete harm and the matter should be dismissed. In other words, no facts were alleged to show an injury in factoccurred that was concrete, particularized and “actual or imminent”. Citing Spokeo Inc. v. Robins, 136 S. Ct. 1540 (2016). Plaintiffs argued that they suffered an increased risk of identity theft as a result of the data breach. The District Court found plaintiffs’ argument to be too speculative and the “actual or imminent” injury was not found under Spokeo. Defendant won its motion to dismiss without prejudice.
The Appeals Court reversed and remanded the District Court’s decision on August 1, 2017.
Of note, the Court of Appeals compared the circumstances in the CareFirst matter with Clapper v. Amnesty International USA, 568 U.S. 398 (2013). In particular, the Court of Appeals looked at Clapper and found the alleged “harm could only occur through the happening of a series of contingent events, none of which was alleged to have occurred by the time of the lawsuit [in Clapper]. See Page 14 of Appeals’ Court decision. In the CareFirst matter the plaintiffs assert that an unauthorized party already accessed personal information on CareFirst’s servers, “and it is much less speculative – at the very least, it is plausible – to infer that this party has both the intent and the ability to use that data for ill. Page 14 of Appeals’ Court decision. The Appeals Court, cited Remijas v. Neiman Marcus Grp., 794 F. 3d 688, 693 (7 th Cir. 2015).
The Appeals Court found that since there was no long list of contingencies that may or may not occur, and that data was hacked by an unknown person than “that risk is much more substantial than the risk presented to the Clapper Court and satisfies the requirement of an injury in fact.” See Page 14 of Appeals’ Court decision. The Court further found that the plaintiffs’ injures are “fairly traceable” to the defendant because the Court assumed for its standing analysis that “plaintiffs will prevail on the merits of their claim that CareFirst failed to properly secure their data and thereby subjected them to a substantial risk of identity theft, …we have little difficulty concluding that their injury in fact is fairly traceable to CareFirst.” See Court of Appeals decision page 16.
Brace yourself, the Plaintiff’s Bar has been waiting for this day for a very long time.