U.S. Supreme Court Declines to Review Standing of Data Breach Plaintiffs: Court Will Not Disturb the D.C. Circuit’s Ruling in CareFirst Class Action, Allowing Plaintiffs to Proceed Based on a “Substantial Risk” of Harm, Rather than Actual Harm

Sullivan & Cromwell LLP - February 21, 2018

Yesterday, the U.S. Supreme Court denied certiorari in CareFirst, Inc. v. Chantal Attias, No. 17-641. In CareFirst, the U.S. Court of Appeals for the D.C. Circuit held that plaintiffs suing over a 2014 data breach had established standing by asserting there was a substantial risk that unauthorized access to their personal information, including credit card and social security numbers, could be used for identity theft, even if there were no allegations that such identity theft had occurred. The D.C. Circuit then concluded that, in the context of the exposure of credit card and social security numbers, a substantial risk of harm exists simply by virtue of the data beach and the nature of the data stolen.