Chantal Attias v. CareFirst, Inc.
2017 U.S. App. LEXIS 13913
D.C. Cir. | 2017
Background
- CareFirst, an insurer serving ~1M customers, stored customers’ personal data (names, DOBs, emails, subscriber IDs, and allegedly SSNs and credit card numbers) and was allegedly negligent in encrypting it.
- In June 2014 hackers accessed 22 CareFirst computers and a customer database; CareFirst discovered the breach in April 2015 and notified customers in May 2015.
- Seven customers brought a putative class action asserting state-law claims (negligence, breach of contract, consumer-protection statutes), invoking CAFA diversity jurisdiction.
- District court dismissed the complaint without prejudice for lack of Article III standing, finding plaintiffs’ increased-risk-of-identity-theft theory too speculative and reading the complaint as not alleging theft of SSNs or credit-card numbers.
- D.C. Circuit held the district court’s jurisdictional dismissal was final and appealable and reviewed standing de novo, concluding plaintiffs plausibly alleged a substantial risk of identity theft and therefore standing.
- The court reversed and remanded, declining to reach diversity jurisdiction or Rule 12(b)(6) merits questions.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Article III standing based on heightened risk of future identity theft | Plaintiffs alleged hackers accessed PII/PHI including SSNs and credit-card data and that the breach created a substantial, imminent risk of identity theft | CareFirst argued plaintiffs alleged only limited data exposure (names, emails, subscriber IDs), making future identity-theft risk too speculative and not fairly traceable to CareFirst | Plaintiffs plausibly alleged exposure of sensitive data and a substantial risk of future identity theft; standing satisfied at pleading stage |
| Fair traceability between defendant’s conduct and injury | Plaintiffs: harm is fairly traceable because CareFirst allegedly failed to secure data, enabling the breach | CareFirst: any injury would be caused by the independent, unaffiliated thief, not CareFirst | Court: traceability satisfied for standing purposes because plaintiffs plausibly allege CareFirst’s negligence enabled the substantial risk of harm |
| Redressability of mitigation costs and future harms | Plaintiffs alleged they incurred mitigation expenses (monitoring, credit protection) and seek damages | CareFirst: costs may be speculative if threat is speculative | Court: where risk is substantial, mitigation costs are redressable and monetary relief could make plaintiffs whole |
| Finality/appealability of dismissal labeled "without prejudice" for lack of jurisdiction | Plaintiffs appealed the dismissal as final | CareFirst implicitly contended the dismissal was not final because it was labeled without prejudice | Court presumed Rule 12(b)(1) jurisdictional dismissals final unless district court expressly invites amendment; here dismissal was final and appealable |
Key Cases Cited
- Steel Co. v. Citizens for a Better Env’t, 523 U.S. 83 (jurisdictional limits and finality principles)
- Lujan v. Defenders of Wildlife, 504 U.S. 555 (standing: injury-in-fact, traceability, redressability framework)
- Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (concrete and particularized injury requirement)
- Clapper v. Amnesty Int’l USA, 568 U.S. 398 (risk-of-harm standing: “certainly impending” vs. “substantial risk” and attenuated causal chains)
- Susan B. Anthony List v. Driehaus, 573 U.S. 149 (standing based on substantial risk of enforcement)
- Remijas v. Neiman Marcus Grp., 794 F.3d 688 (7th Cir. decision recognizing standing from data-breach risk)
