In recent years, the insurance and financial services industries have been targets of high profile data breaches. The breached companies – themselves the victims of cyberattacks – often face putative class actions by consumers whose nonpublic financial and health information was allegedly compromised in the breach. Defendants in these cases have argued that a plaintiff's mere fear of future identity theft in the wake of a data breach is too speculative to be an injury in fact giving rise to standing to sue under Article III of the United States Constitution. Thus far, the standing question has split the federal circuits. The answer may make or break the future of data breach consumer class actions, as the majority of individuals whose information is compromised never experience identity theft or fraudulent charges traceable to the breach.
When will the Supreme Court weigh in? Unfortunately, not soon. On February 20, the Supreme Court denied a petition for writ of certiorari in Attias v. CareFirst to resolve a circuit split on the standing issue. Absent Supreme Court guidance on this issue, we anticipate that district courts within the District of Columbia, Sixth, and Seventh Circuits – which have ruled favorably for plaintiffs on the standing issue – will emerge as the forums of choice for data breach class actions. By contrast, defendants will likely seek to consolidate data breach class actions in the district courts within the Eighth and Fourth Circuits, which have held that fear of future identity theft is insufficient to confer standing to sue.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.