Can Data Breach Victims Sue in Federal Court Without Actually Suffering Identity Theft?

Recently, health insurer CareFirst Inc. filed a petition with the Supreme Court of the United States to resolve a disagreement among federal appellate courts on the issue of whether victims of data breaches may sue in federal court when they do not allege a present injury. This suit, on appeal from the United States Court of Appeals for the District of Columbia Circuit, will largely center on the idea of standing, a threshold requirement for any plaintiff hoping to sue in federal court. More specifically, CareFirst Inc. alleges the D.C. Circuit erred in reasoning that a plaintiff has standing to sue in federal court simply by virtue of the fact and nature of the data that was accessed by hackers. The data included names, birth dates, email addresses, and subscriber identification numbers.

Under federal law, standing requires that a plaintiff suffer some sort of injury to sue. Future injuries may be actionable. However, courts will require that there be a substantial risk of injury. For data breach victims who have not seen evidence of identity theft or fraud, the main question is whether theft of private information as a result of a data breach creates a risk of identity theft substantial enough to be actionable.

This August, the United States Court of Appeals for the Eighth Circuit, which hears cases from federal courts in Iowa and Nebraska, ruled in Alleruzzo v. SuperValu, Inc. that a district court properly dismissed many plaintiffs from a data breach action. In that case, hackers gained access to customers’ card information from a grocery store network. This included names, card numbers, expiration dates, card verification value codes, and personal identification numbers. Several customers filed suit under a variety of theories, but alleged only that one customer suffered a single fraudulent charge. Due to lack of injury, the case was dismissed by the district court.

On appeal, the plaintiffs argued that theft of their card information created a substantial risk that they will suffer identity theft in the future. The court initially noted that because card information does not contain social security numbers and birth dates, the information cannot plausibly be used to open new accounts, a form of identity theft most harmful to consumers. It also analyzed a 2007 Government Accountability Office report, which concluded that based on available information, most breaches have not resulted in detected incidents of identity theft. Since the plaintiffs presented no facts from which the court could conclude that plaintiffs suffered a substantial risk of future identity theft, they had no standing to sue in federal court.

The Eighth Circuit and the D.C. Circuit are not the only courts to consider the issue. Like the Eighth Circuit, the United States Court of Appeals for the Fourth Circuit, in Beck v. McDonald, concluded that the risk of identity theft was too hypothetical to allow plaintiffs to sue. Meanwhile, the United States Courts of Appeals for the Sixth and Seventh Circuits have stated, in Remijas v. Neiman Marcus and Galaria v. Nationwide Mutual, that data breach victims suffered an imminent risk of identity theft when the breach occurred.

While the Supreme Court has not yet agreed to hear CareFirst’s arguments, this is certainly an issue to keep watching. Should courts continue to state that data breach victims have standing to sue businesses by virtue of the fact that hackers gained access to the data, such litigation can be expected to rise as data breaches continue.