In October 2017, healthcare insurer, CareFirst, petitioned the United States Supreme Court, requesting the Court to clarify the constitutional standing requirement for plaintiffs seeking to bring claims regarding their exposure during corporate data breaches.
In order to invoke federal court jurisdiction, a plaintiff must plead an actual or imminent injury. The Supreme Court has held that the imminence requirement is satisfied where a threatened injury is “certainly impending” or there is “substantial risk” that future harm will occur. However, where the injury requires a chain of inferences in order to find harm or speculation regarding actors not before the court, an injury is not “imminent” and there is no standing.
CareFirst argued that the United States Court of Appeals for the District of Columbia applied an overly permissive standard in finding that plaintiffs in a data breach class action suit had established injury sufficient to show Article III standing. The D.C. Circuit held that the consumers’ future risk of financial fraud resulting from the exposure of their credit card and social security numbers was not too speculative to establish an injury. CareFirst argued that the D.C. Court’s interpretation was irreconcilable with the Supreme Court’s jurisprudence and decisions from the Third, Fourth and Eighth Circuits that dismissed data breach plaintiffs’ actions for failing to allege imminent injuries. CareFirst additionally argued that a Circuit split would leave litigants, including cybersecurity insurers and businesses, uncertain when federal courts can hear data breach claims.
Respondents, in a reply brief filed on January 2, 2018, argued that the Supreme Court should deny the petition, claiming that the different outcomes in various Circuits was the result of differing facts, rather than confusion regarding the law of standing in a data breach context.
The question of who has standing to bring an action in the data breach context is a significant one. Just in the past few years, hackers have compromised millions of individuals’ personal data. Data breaches will increase as the physical world becomes more integrated into computer-based systems, undoubtedly resulting in more data breach class actions. The Supreme Court is traditionally disinclined to find a Circuit split where one might not exist and may be unlikely to certify this question. We will continue to follow the outcome of this case.