In Dieffenbach v. Barnes & Noble, Inc., the Seventh Circuit allowed a data breach class action to survive the pleadings stage, including a challenge to the plaintiffs’ standing. At the same time, the Court indicated that the plaintiffs may have a tough time proving their claims on the merits or establishing that class certification is warranted. That warning may put the brakes on this action as well as others brought on a similar theory of liability.
Every data breach class action in federal court must confront a threshold question: has the plaintiff alleged a sufficient “injury in fact” to establish Article III standing? The inquiry frequently focuses on whether a plaintiff has standing simply by pleading an increased risk of future injury from the theft of personal identifying information (PII). This is because many named plaintiffs do not––because they cannot––allege any present harm. The federal courts of appeals continue to weigh in on the issue of whether allegations of possible future harm suffice for Article III purposes. But far from providing clarity or consensus, recent appellate decisions have reached differing conclusions, which appear highly dependent on the nature of the facts alleged in each case.
The D.C. Circuit recently gave its opinion as to whether pleading an increased risk of future injury is sufficient to establish Article III standing to sue in a data breach class action filed in federal court. The issue has divided federal circuit courts of appeals.
In answering in the affirmative, the D.C. Circuit joined the view of the Sixth, Seventh, and Eleventh Circuits. Compare Attias v. CareFirst, Inc., — F.3d —-, No. 16-7108, 2017 WL 3254941 (D.C. Cir. Aug. 1, 2017), with Resnick v. AvMed, Inc., 693 F.3d 1317 (11th Cir. 2012); Galaria v. Nationwide Mut. Ins. Co., 663 Fed. Appx. 384 (6th Cir. 2016) (unpublished); Lewert v. P.F. Chang’s China Bistro, Inc., 819 F.3d 963 (7th Cir. 2016); and Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688 (7th Cir. 2015). In Attias, the plaintiffs did not allege that they had suffered identity theft as the result of a hacking incident involving a system containing their data. The defendant argued that the mere threat of future harm was too speculative to give rise to standing. But the D.C. Circuit held that it was plausible that the unauthorized party had “the intent and the ability to use [the] data for ill” and thus that the plaintiffs had jurisdictional standing at least at the pleading stage. Id. at *1, *5-*6. Notably, the standing issue arises under Fed. R. Civ. P. 12(b)(1) as an issue of subject matter jurisdiction. The D.C. Circuit did not otherwise decide whether the plaintiffs’ allegations stated a claim that could withstand a motion to dismiss under Fed. R. Civ. P. 12(b)(6), allowing the district court the opportunity to first review the question.
By contrast, the Second and Fourth Circuits have held that data breach plaintiffs lack standing where they plead nothing more than an increased risk of future injury. See Whalen v. Michaels Stores, Inc., — Fed. Appx. —-, No. 16-260, 2017 WL 1556116, at *1 (2d Cir. May 2, 2017) (unpublished); Beck v. McDonald, 848 F.3d 262 (4th Cir. 2017), cert. denied sub nom., Beck v. Shulkin, No. 16-1328, 2017 WL 1740442 (U.S. June 26, 2017).
Notwithstanding the circuit court split, the United States Supreme Court has yet to grant certiorari to review the issue. We will continue to monitor and report on developments in data breach standing law as they occur.