For years now, business organizations have had a ready and reliable defense to the customer class-action lawsuits that inevitably follow whenever a new data breach is announced: You can’t sue us because any damage from the breach is purely speculative unless the names, addresses, credit card numbers, etc., that were stolen in the attack have actually been misused for fraudulent purchases or identity theft. No harm (yet), no foul.
But a recent series of cases has begun to chip away at that defense, as courts become more attuned to the risks of identity theft, data breaches, and the underground market for personally identifiable information on the dark web. Courts are beginning to recognize that modern attackers steal personal information not for the thrill but for the profit—profit at the expense of the individuals whose identities are misused or who suffer fraudulent charges on their accounts. Even before compromised data is misused, individuals face the very real risk that it will be misused in the future.
The U.S. Court of Appeals for the D.C. Circuit recently took up the question in Attias v. CareFirst, Inc., 865 F.3d 620 (D.C. Cir. 2017), in which CareFirst customers sued the company for failure to keep their data reasonably secure. The lower court dismissed the case for lack of standing, reasoning that the risk of future injury to the plaintiffs from misuse of their stolen personal information was too speculative to support a lawsuit.
On appeal, however, the D.C. Circuit reversed the lower court and allowed the lawsuit to continue. In concluding that the plaintiffs’ claim was not too speculative, the Attias Court observed that the attackers may very well have breached CareFirst’s system for the purpose of obtaining and misusing customer personally identifying data: “[A]n unauthorized party has already accessed personally identifying data on CareFirst’s servers, and . . . at the very least, it is plausible . . . to infer that this party has both the intent and the ability to use that data for ill. . . . Why else would hackers break into a database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”
The D.C. Circuit’s willingness to entertain data-breach claims for not-yet-suffered harms accords with recent decisions by other circuits around the country, including the Seventh, Sixth, Third, and Eleventh Circuits, which have permitted claims to go forward based on the risk of future harms to individuals whose personal information was compromised in a data breach. The trend is not universal, however. Other courts, including the Second and Fourth Circuits, remain skeptical of data-breach claims for future harm and have recently dismissed such cases as premised on overly speculative allegations of harm.
The legal question will remain contentious for some time and may ultimately require the Supreme Court to step in. For now, this much is clear: Courts, lawyers, and data-breach victims are becoming increasingly attuned to the dangers of fraud following data breaches, and as public consciousness of the risk grows, organizations are less and less likely to get a pass from the courts on the ground that the dangers of data breaches are too speculative to support a claim.