The D.C. Circuit Court of Appeals ruled that alleging theft of social security or credit card numbers from a data breach is sufficient to claim a substantial risk of future identity theft and therefore maintain suit in federal court.
The D.C. Circuit has become the latest in a growing list of Circuit Courts, including the Second, Third, and Fourth Circuits, to address the issue of standing in the context of data breach cases. Specifically, the D.C. Circuit analyzed what level of injury is necessary to trigger standing in the federal courts. In order for a plaintiff to sue a party in federal court, they must be able to state a plausible claim for relief, including that they have suffered an injury in fact that is fairly traceable to the defendant’s actions.
At issue in Attias, et al., v. CareFirst, Inc., et al., was whether the plaintiffs’ had sufficiently alleged facts meeting the “injury in fact” requirement. To meet this requirement, a plaintiff may claim they face a substantial risk of future injury. In this case specifically, this means that plaintiffs must plausibly allege that defendants’ actions left the plaintiffs facing a substantial risk of identity theft.
Neither party argued over whether identity theft, should it befall one of the plaintiffs, would fulfill the requirement of injury in fact. The point of contention was whether the complaint alleged that the plaintiffs were facing a substantial risk of identity theft as a result of the defendants’ alleged negligence in the data breach.
In denying the plaintiffs’ initial attempt, the lower court did not read the complaint to allege the theft of social security numbers or credit card numbers and did not believe the plaintiffs had suggested how the hackers could steal their identities without access to such information. On appeal, the D.C. Circuit disagreed with the lower court, and found that the complaint did, in fact, allege the theft of personal identification information, including credit card and social security numbers. Because an unauthorized party had already accessed personally identifying data on the defendants’ servers, it was plausible to infer that this party had both the intent and ability to use the stolen data for to commit a crime.
The entire D.C. Circuit opinion may be found here.