SCOTUS Nixes CareFirst Plea to Decide Data Breach Harm Standard


By Daniel R. Stoller

The U.S. Supreme Court Feb. 20 opted not to settle a question that has left plaintiffs, attorneys, and companies on the edge of their seats: how much harm must a data breach victim suffer to pursue claims in federal court?

At stake is a pot of gold. Every year, large numbers of data breaches are reported, with 2017 seeing an all-time high, according to the Identity Theft Resource Center. If a plaintiff class can proceed with a case, the damages could be large. The question is: if a plaintiff is left unscathed by a data breach, can he or she show enough harm to sustain a lawsuit? The answer would be a game-changer for consumers and companies.

Federal appeals courts have been split on whether mere fear of identity theft constitutes sufficient harm to support consumer data breach cases. The Sixth, Seventh, Ninth and D.C. Circuits have found a substantial risk of identity theft is enough to bring claims in federal court. The Third and Fourth Circuits have ruled that such harms are too speculative.

The rejection of a request for review by CareFirst Inc. signals Supreme Court comfort with its 2016 decision in Spokeo, Inc. v. Robins, which held that plaintiffs must allege harm that is “actual or imminent,” rather than speculative, to have standing in federal court. The high court may be messaging that lower courts need more time to apply Spokeo in data breach cases, attorneys told Bloomberg Law Feb. 20.

The Supreme Court likely “believes that the law is still in a state of constant change, which it is, and they may want to see more solidification of the split before weighing in,” Alfred J. Saikali, litigation partner at Shook Hardy & Bacon LLP and chair of the firm’s privacy and data security practice, said.

Courts that have been favorable to plaintiffs in data breach cases, such as the Sixth, Seventh, Ninth and D.C. Circuits, will likely be the battleground for more clarity.

Better Odds in Some Circuits

“There are now several Circuits that have carved out a more favorable standard for plaintiffs, and we can expect their attorneys to take full advantage of that,” Frances Goins, litigation partner at Ulmer & Berne LLP in Cleveland and co-chair of the firm’s cybersecurity and privacy practice, told Bloomberg Law.

“The Supreme Court’s cert denial is consistent with Spokeo’s intended effect, as confirmed by the several appellate court decisions since Spokeo demonstrated that plaintiffs can satisfy standing without further guidance from the Court,” Amy E. Keller, class action litigation partner at DiCello Levitt & Casey LLC in Chicago and co-lead attorney for plaintiffs in Equifax Inc.'s data breach class action, told Bloomberg Law.

A CareFirst spokesman declined Bloomberg Law’s email request for comment. Plaintiffs’ representatives didn’t immediately respond to Bloomberg Law’s email requests for comment.

“In the absence of government action, consumers can still rely upon private, civil lawsuits (such as class actions) to enforce their rights and seek damages for injuries that result from data breaches,” Keller said.

In any event, don’t expect the Supreme Court to settle data breach harm issues in the near future, attorneys said.

“The law will continue to be unsettled for the foreseeable future, a condition that will likely work to plaintiffs’ advantage,” Goins said.

The case arose out of a 2015 data breach that compromised the information of 1.1 million CareFirst customers. CareFirst asked the Supreme Court to review an August 2017 ruling by the U.S. Court of Appeals for the District of Columbia Circuit that revived class data breach claims.

CareFirst was represented by Eversheds Sutherland LLP. The plaintiffs were represented by Paulson & Nace PLLC and the Giatras Law Firm.

The case is CareFirst, Inc. v. Attias, U.S., No. 17-641, review denied 2/20/18.

To contact the reporter on this story: Daniel R. Stoller in Washington at

To contact the editor responsible for this story: Donald Aplin at

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.
