In Attias v. CareFirst, Inc., the U.S. District Court for the District of Columbia (D.D.C.) jumpstarted the debate concerning the harm plaintiffs must allege to move forward with data breach class action litigation.  In recent years, courts across the country have disagreed about what constitutes an “injury-in-fact” when an individual’s data is stolen in a data breach.  This debate has centered on “standing” – the minimum thresholds plaintiffs must achieve to sue in a particular court.  The standing requirements for US Federal Courts are set forth in Article III of the US Constitution.  “Injury-in-fact” is one requirement of standing, and the Supreme Court has held that it requires a plaintiff to allege an injury that is “concrete and particularized” and “actual or imminent, not conjectural or hypothetical.”

With respect to data breach class action litigation in Federal court, whether plaintiffs have properly alleged harm is of key importance.  Unfortunately, there is a split between the courts on this issue.  The courts disagree about whether the theft of personal information that exposes an individual to a heightened risk of identity theft is an “injury-in-fact” sufficient to confer standing under Article III.  Some courts – the D.C., Third, Sixth, Seventh, Ninth, and Eleventh Circuits – believe (at a high level) that alleging only a heightened risk of future injury is enough to show an “injury-in-fact.”  By contrast, other courts – the Second, Fourth, and Eighth Circuits – believe that plaintiffs must allege that the stolen personal data has been actually misused. 

In Attias, the D.D.C. reached an interesting result that shows why standing is not the only way defendants may defeat litigation by challenging the plaintiff’s alleged injury. The court found that although the Attias plaintiffs established standing by alleging a heightened risk of future identity theft, their case must still be dismissed because that risk is not “actual damage” for which they are entitled to relief.  The court dismissed the lawsuit under Federal Rule of Civil Procedure 12(b)(6) for failure to state a claim.  Since “actual damages” is a common element for many data breach-related claims, we expect that defendants will increasingly rely on this tactic.  In this post we explore the Attias decision and the court’s decision-making process and rationale.

Background: Millions of Records Exposed in CareFirst Data Breach

Attias concerned a data breach at a Washington, D.C. based health insurer, CareFirst. The insurer suffered a cyberattack that exposed the personal information of millions of their customers. A group of plaintiffs brought a putative class action in the D.D.C. alleging that CareFirst failed to properly encrypt their personal information and otherwise secure that information. They sought damages under state-law-based tort and contract theories.

Common to the class action claims were allegations of “mental and emotional pain” and a requirement that the plaintiffs must now engage in “years of constant surveillance of their financial and personal records, monitoring, and loss of rights.” With the exception of two individual plaintiffs, however, there were no allegations of actual misuse of the personal information or any direct monetary harm caused by the data breach.

In 2016, the D.D.C. first dismissed the Attias lawsuit for failure to allege an “injury-in-fact.” In this opinion, the court found that “merely having one’s personal information stolen in a data breach is insufficient to establish standing to sue the entity from whom the information was taken.” On appeal, however, the D.C. Circuit reversed.  In so doing the appellate court aligned itself with those courts to find standing based upon a heightened risk of future identity theft.  The case was ultimately remanded back to the D.D.C. in what was described by some as “good news” for the plaintiffs.

The Attias Remand: The Dog That Didn’t Bark

The plaintiffs’ “good news” proved to be short-lived.  In its decision following remand, the D.D.C. accepted that an increased risk of future identity theft is an “injury-in-fact.”  But it rejected that this result also meant that the plaintiffs had suffered “actual damages.”  It explained instead that the Attias litigation could proceed only if the plaintiffs “[pled] a proper cause of action under the relevant . . . law.”  This, in turn, required the court to again consider the nature and sufficiency of the injury alleged.  However, the inquiry related to the plaintiffs’ substantive claims rather than Article III standing.

The court first analyzed each of the nine claims brought by the Attias class action plaintiffs: (1) breach of contract, (2) negligence, (3) negligence per se, (4) fraud, (5) constructive fraud, (6) breach of the duty of confidentiality, (7) violation of the Maryland Consumer Protection Act (“MCPA”), (8) violation of the Virginia Consumer Protection Act, and (9) violation of the District of Columbia Breach Notification Statute.  From its review, the court found that each claim required the plaintiffs to allege “actual damage.” 

The upshot of the court’s analysis was that the plaintiffs once again found themselves on the defensive concerning the nature of their alleged injury.  To this end, the Attias plaintiffs presented four theories for why the CareFirst data breach resulted in “actual damage” that entitled them to relief.  These theories, and the court’s rejection of them, highlight the obstacles that data breach plaintiffs will confront when their litigation is based upon the theft, but not misuse, of their personal information.

  • Heightened Risk of Identity Theft.  First and foremost, the plaintiffs argued that the heightened risk of identity theft is itself “actual damage.”  The court disagreed.  It explained that the D.C. Court of Appeals had previously held that “speculative harm,” including the mere increased risk of identity theft, fails to support claims in both the negligence and breach of fiduciary duty contexts.  As such, the court found that a heightened risk of identity theft is also inadequate to allege “actual damages” in the context of the plaintiffs’ analogous tort and contract claims.
  • Benefit of the Bargain.  The plaintiffs next argued that they suffered “actual damage” because, as part of their insurance contract, they paid CareFirst to adequately safeguard their personal information.  This is known as the “benefit of the bargain,” and in some cases has been found sufficient to show “actual damages.”  The court, however, distinguished between cases in which a plaintiff pointed to a specific amount they paid for data security (using as an example the precise cost of a premium email subscription), and those in which plaintiffs alleged only that some indeterminate amount of their insurance premium was paid for data security (as the Attias plaintiffs had).  The court found that the Attias plaintiffs could not show “actual damages” without “put[ting] a number . . . on the value of the contracted-for data security.”
  • Mitigation Costs. The plaintiffs also argued that the time and money they spent to protect against identity theft after the CareFirst data breach (including, for example, acquiring identity theft protection and credit monitoring) constitutes “actual damage.”  The D.D.C. again disagreed.  It explained that mitigation costs arise in two contexts, which are tied to whether a plaintiff’s personal information has been misused.  “Responsive” costs, for example a delay restoring funds following a fraudulent purchase or time spent resolving a dispute with the bank and the police, are “consequential” injuries of the data breach that are “actual damages.”  By contrast, “prophylactic” and “preventative” costs, such as purchasing credit monitoring services, are not “actual damages” when there is no concomitant allegation that the stolen personal information had actually been misused.  The court found that the Attias plaintiffs had only alleged preventative expenses, and therefore had not demonstrated “actual damages.”
  • Emotional Distress.  Finally, the plaintiffs alleged that the CareFirst data breach caused “actual damage” in the form of emotional pain and suffering.  The court recognized that in some cases emotional distress is found to constitute “actual damages.”  However, in these cases, the plaintiffs also alleged either that the emotional harm was tied to a direct physical injury or alternatively was caused by someone with a special and close relationship to the plaintiff (like a spouse).  By contrast, generic “pain and suffering,” which the court compared to assertions that a defendant’s action “made [the plaintiff] feel bad,” are not “actual damages.”  The court concluded that the Attias plaintiffs had only alleged the latter, and therefore could not proceed with their claim.

Having rejected the plaintiffs’ arguments concerning “actual damage,” the D.D.C. once again dismissed the putative class action plaintiffs from the Attias litigation for failure to state a claim under Federal Rule of Civil Procedure 12(b)(6).  Shortly thereafter, the court ordered entry of final judgment, effectively ending the class action litigation pending appeal.  Thus, albeit under a different legal defense, CareFirst again prevailed because the stolen data had not actually been used to perpetrate identity theft.

Our Takeaway

The result in Attias – namely that the heightened risk of future identity theft establishes an “injury-in-fact” but not “actual damages” – is notable, but it is not unique.  Courts of appeals in the Seventh, Eighth, and Ninth Circuits have reached similar results.  This development must be closely watched by plaintiffs and defendants alike.  Should this become a trend, the outcome will be a new impediment for plaintiffs in data breach litigation.

It is equally possible, however, that Attias will prove to be informative but not dispositive in future cases.  The Attias decision is tied to both its specific pleadings and the local law from which its causes of action originated.  Future plaintiffs may be able to avoid the Attias result, then, through purposeful tailoring of their pleadings and more careful selection of the jurisdictions in which they seek relief.  Moreover, the success of these class actions may turn on the ability of a plaintiff to find named plaintiffs that have suffered the correct consequences necessary to plead past a motion to dismiss.

We should expect to hear more about Attias.  The plaintiffs have again appealed, and in the coming months the D.C. Circuit will likely speak to this issue. Moreover, as the frequency of data breach litigation continues to escalate, other circuits too will no doubt opine regarding the relationship between “injury-in-fact” and “actual damage.”  Finally, some cases may be dismissed on this theory, but without prejudice, and these plaintiffs now have a road map to enhance their pleadings and may be able to find the right type of plaintiff to get past a motion to dismiss.  If that happens, the value of the plaintiff’s case arguably increases and potentially sets up a battle around class certification.

As this debate unfolds, it behooves both plaintiffs and defendants, and their counsel, to consider the implication of Attias at the earliest possible opportunity. For plaintiffs, it is now an imperative that their theory of the case and initial pleadings account for the “actual damage” requirements of their underlying causes of action.  Equally, defendants in current and future data breach litigation should immediately conduct an Attias analysis – if applicable, a successful “Attias defense” may avoid the excessive litigation costs associated with discovery, trial, and the potential adverse judgment. 


David Navetta

Joshua N. Friedman

Andrew Ebrahem

Posted by Cooley