The Attias case stems from a data breach announced in 2015. At the time, CareFirst reported to its insureds that hackers had stolen personal information, including names, addresses, email addresses, birthdays, and identification numbers from its servers. CareFirst insureds from D.C., Maryland and Virginia joined in a complaint against CareFirst alleging negligence, breach of contract, and deceptive trade practices for CareFirst’s failures to properly secure this information. The trial court dismissed the case for lack of subject matter jurisdiction, finding none of plaintiffs’ allegations demonstrated “injury-in-fact” under the Constitution’s Article III standing analysis.
Plaintiffs appealed to the D.C. Circuit Court, however. The federal Court of Appeals applied the motion to dismiss standard of review, requiring plausible allegations of a case or controversy, and ruled “…portions of the complaint would make up, at the very least, a plausible allegation that plaintiffs face a substantial risk of identity fraud, even if their social security numbers were never exposed to the data thief.” Attias v. CareFirst, Inc., 865 F.3d at 628.
CareFirst petitioned the Supreme Court, warning of the threat of a “flood of lawsuits” if the Supreme Court did not overturn the Circuit Court. But the named plaintiffs responded, pointing out that there is not a circuit split on the legal requirements for standing. The opposition to the petition for writ of certiorari further pointed out that cases commonly relied upon by big businesses and the Chamber of Commerce found a lack of standing at the stage of summary judgment, where plaintiffs have a burden of producing admissible evidence.
Nidel & Nace and the plaintiffs’ attorney issued a statement on the significance of the opinion:
Obviously we are pleased with the Court’s decision to deny cert. The D.C. Circuit’s opinion was thorough and was based on a long line of standing jurisprudence. We don’t believe that the Supreme Court needs to spend its time developing unique standing jurisprudence in the data breach field. The fact is that data breaches are happening all the time. The D.C. Circuit’s opinion and the Supreme Court’s decision to deny cert simply indicates that our courts will permit citizens to hold corporations accountable when they fail to take reasonable precautions to protect our data. When you consider all of the Americans who have had their data exposed, it is important that corporate America understands that if they do not take reasonable steps to protect data, they will be held responsible.
As far as where the case goes from here, we are prepared to immediately proceed to discovery and move the case forward.
These plaintiffs now have an opportunity to head forward in their litigation, and similar plaintiffs will find reliable precedent in the D.C. Circuit’s opinion.