Yesterday, the U.S. Supreme Court denied certiorari in CareFirst, Inc. v. Chantal Attias, No. 17-641. In CareFirst, the U.S. Court of Appeals for the D.C. Circuit held that plaintiffs suing over a 2014 data breach had established standing by asserting there was a substantial risk that unauthorized access to their personal information, including credit card and social security numbers, could be used for identity theft, even if there were no allegations that such identity theft had occurred. The D.C. Circuit then concluded that, in the context of the exposure of credit card and social security numbers, a substantial risk of harm exists simply by virtue of the data beach and the nature of the data stolen.