With the federal circuits following divergent paths in class actions stemming from the online theft of personal data, a new petition to the U.S. Supreme Court argues that the justices must help lower courts figure out whether data breach victims have a constitutional right to sue.
The health insurer CareFirst is asking the Supreme Court to reverse a decision by the District of Columbia U.S. Circuit Court of Appeals that allows a data breach class action against the company to move forward. CareFirst contends that its case provides an ideal vehicle for the justices to make sense of a hash of appellate decisions addressing the threshold question of whether data breach victims meet Article III’s requirement of a concrete or imminent injury.
That guidance, CareFirst said, is increasingly necessary as the incidence of data theft – and ensuing class action litigation – continues to rise. “Lower courts have struggled to consistently apply Article III standing principles to future injuries allegedly caused by data theft, including the increased risk of future identity theft,” wrote CareFirst’s lawyers at Eversheds Sutherland. “Without guidance, courts, litigants, cybersecurity insurers and corporate America will remain uncertain as to when a federal court can hear such claims.”
Lower courts are so inconsistent, CareFirst said, that judges in different federal circuits have reached opposite conclusions in nearly identical data breach class actions against the insurer. District Court judges in Baltimore and Peoria found purported victims of the breach hadn’t established a real or impending injury from the theft of their birthdates and insurance ID numbers. But the D.C. Circuit, in the case CareFirst is asking the Supreme Court to review, said the insurer’s customers did have standing to sue “simply by virtue of the hack and the nature of the data that the plaintiffs allege was taken.”
The D.C. Circuit’s ruling, CareFirst said, is at odds with decisions from the 3rd, 4th and 8th Circuits, which have held the mere theft of personal information does not establish a right to sue. The 4th Circuit’s February 2017 ruling in Beck v. McDonald explicitly held that under the U.S. Supreme Court’s 2013 precedent in Clapper v. Amnesty International, the risk of identity theft after a data breach is too speculative to give plaintiffs a constitutional right to sue. The 8th Circuit said pretty much the same thing in last month’s In re: Supervalu, although the appeals court went on to find plaintiffs established standing by alleging actual misuse of stolen credit card data.
The 6th and 7th Circuits, meanwhile, have agreed with the D.C. Circuit that because hackers steal data in order to commit identity fraud, data breach victims are at imminent risk and therefore have standing to sue. The 7th Circuit was the first to reach that conclusion, in 2015’s Remijas v. Neiman Marcus. The 6th Circuit followed suit in 2016’s Galaria v. Nationwide Mutual.
The circuit court confusion seems undeniable to me, but Jonathan Nace of Nidel & Nace, who represents plaintiffs suing CareFirst, said he and his co-counsel will emphasize that every case has presented different facts to the appellate courts that have ruled on standing for data breach victims. “Clearly there are a lot of circuit opinions but I can’t tell you there’s a clear factual pattern,” he said. Nace also said his side will argue the Supreme Court should take a pass on the CareFirst case because the D.C. Circuit was right to find standing. “Standing is supposed to be an easy threshold to cross,” Nace said.
I’ve theorized that in the long run, class actions may not be the best way to hold corporations accountable for leaving our personal information vulnerable to hackers. Mandatory arbitration clauses, meanwhile, are likely to make consumer class actions increasingly rare. But at the moment, class actions are just about the only way consumers can demand compensation for the time and expense they lose because of data breaches. Personal information belonging to tens of millions of American consumers has been exposed to hackers. The Supreme Court owes it to them – and the businesses they’re suing – to clarify standing in data breach class actions.