Searching over 5,500,000 cases.

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.

Attias v. CareFirst, Inc.

United States District Court, District of Columbia

August 10, 2016

CHANTAL ATTIAS, et al., Plaintiffs,
CAREFIRST, INC., et al., Defendants.



         Theft of electronic data has become commonplace in our digital economy, victimizing millions of Americans each year. But while the resulting harm to consumers can be catastrophic, not all data breaches result in legally actionable injuries. As a result, when consumers whose data has been compromised seek redress in the courts, it must be determined whether their alleged injuries are sufficiently specific and concrete to give them standing to sue. That is the task presently before the Court in this case.

         In June 2014, the health insurer CareFirst suffered a data breach that compromised the personal information of some 1.1 million policyholders, including the seven named Plaintiffs here. The purloined information included the policyholders’ names, birth dates, email addresses, and subscriber identification numbers. Compl. ¶ 32; see also Defs.’ Reply Ex. 1 (Decl. Clayton Moore House) ¶ 10. According to CareFirst, more-sensitive data, such as social security and credit card numbers, was not stolen.[1] After CareFirst publicly acknowledged the breach in May 2015, Plaintiffs sued the company and various of its affiliates on behalf of themselves and other policyholders, alleging that CareFirst violated a host of state laws and legal duties by failing to safeguard their personal information.[2] Another set of plaintiffs filed a similar federal class action in Maryland.

         CareFirst has moved to dismiss Plaintiffs’ complaint. It argues that because Plaintiffs have not alleged that their personal information has actually been misused, or explained how the stolen information could readily be used to assume their identities, they lack standing to sue in federal court. Plaintiffs mainly respond that the increased likelihood of identity theft that resulted from the breach, and the costs they have incurred to mitigate it, are sufficient injuries to establish standing. In resolving this dispute, the Court will follow the standard set by the majority of courts that have confronted similar cases, including the related Maryland class action: Absent facts demonstrating a substantial risk that stolen data has been or will be misused in a harmful manner, merely having one’s personal information stolen in a data breach is insufficient to establish standing to sue the entity from whom the information was taken. Because Plaintiffs have not made the required showing, the Court lacks subject matter jurisdiction over the case and will grant CareFirst’s motion to dismiss.

         I. Legal Standard

         Defendants move to dismiss the Complaint for lack of subject matter jurisdiction pursuant to Federal Rule of Civil Procedure 12(b)(1) and for failure to state a claim upon which relief can be granted pursuant to Rule 12(b)(6). “The distinctions between 12(b)(1) and 12(b)(6) are important and well understood. Rule 12(b)(1) presents a threshold challenge to the court’s jurisdiction, whereas 12(b)(6) presents a ruling on the merits with res judicata effect.” Al-Owhali v. Ashcroft, 279 F.Supp.2d 13, 20 (D.D.C. 2003) (quoting Haase v. Sessions, 835 F.2d 902, 906 (D.C.Cir.1987)) (internal quotation marks omitted). Because “a court must begin with questions of jurisdiction” “[b]efore examining the merits of any claim, ” In re Sci. Applications Int’l Corp. (“SAIC”), 45 F.Supp.3d 14, 23 (D.D.C. 2014), and because the Court will conclude that it lacks subject matter jurisdiction, this Opinion will address only Defendants’ jurisdictional arguments. Thus, “Federal Rule of Civil Procedure 12(b)(1) provides the relevant legal standard.” Id. at 22. Under this standard, the Court must “treat the [C]omplaint’s factual allegations as true . . . and must grant [Plaintiffs] the benefit of all inferences that can be derived from the facts alleged.” Id. (omission in original) (quoting Sparrow v. United Air Lines, Inc., 216 F.3d 1111, 1113 (D.C. Cir. 2000)) (internal quotation marks omitted).

         At the same time, because a “court has an ‘affirmative obligation to ensure that it is acting within the scope of its jurisdictional authority, ’” id. at 23 (quoting Grand Lodge of Fraternal Order of Police v. Ashcroft, 185 F.Supp.2d 9, 13 (D.D.C. 2001)), a plaintiff’s factual allegations in the complaint “will bear closer scrutiny in resolving a 12(b)(1) motion than in resolving a 12(b)(6) motion for failure to state a claim, ” id. (quoting Grand Lodge, 185 F.Supp.2d at 13-14) (internal quotation mark omitted). “Additionally, unlike with a motion to dismiss under Rule 12(b)(6), the Court ‘may consider materials outside the pleadings in deciding whether to grant a motion to dismiss for lack of jurisdiction.’”[3] Id. (quoting Jerome Stevens Pharm. v. FDA, 402 F.3d 1249, 1253 (D.C. Cir. 2005)).

         II. Analysis

         Article III of the U.S. Constitution limits the reach of federal jurisdiction to the resolution of cases and controversies. See U.S. Const. art. III, § 2. “Because ‘standing is an essential and unchanging part of the case-or-controversy requirement of Article III, ’” SAIC, 45 F.Supp.3d at 23 (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992)), “standing is a necessary ‘predicate to any exercise of [the Court’s] jurisdiction, ’” id. (alteration in original) (quoting Fla. Audubon Soc’y v. Bentsen, 94 F.3d 658, 663 (D.C. Cir. 1996)). Consequently, every federal court plaintiff “bears the burden of establishing the three elements that make up the irreducible constitutional minimum of Article III standing: injury-in-fact, causation, and redressability.” Id. (quoting Dominguez v. UAL Corp., 666 F.3d 1359, 1362 (D.C. Cir. 2012)) (internal quotation marks omitted). “Even in the class-action context, all named Plaintiffs must allege and show that they personally have been injured.” Id. (quoting Warth v. Seldin, 422 U.S. 490, 502 (1975)) (internal quotation mark omitted). And plaintiffs must plead or prove, “with the requisite ‘degree of evidence required at the successive stages of the litigation, ’” each element of standing. Id. (quoting Lujan, 504 U.S. at 561). Thus, “at the motion-to-dismiss stage, Plaintiffs must plead facts that, taken as true, make the existence of standing plausible.” Id.

         The question at issue here is whether the named Plaintiffs have demonstrated an “injury in fact” that is concrete, particularized, and actual or imminent, Lujan, 504 U.S. at 560 (quoting Allen v. Wright, 468 U.S. 737, 756 (1984)) (internal quotation marks omitted), and, if so, whether that injury is “fairly traceable” to the CareFirst data breach, id. at 590 (alteration omitted) (quoting Simon v. E. Ky. Welfare Rights Org., 426 U.S. 26, 41 (1976)) (internal quotation mark omitted). With the exception of two of the Plaintiffs-Kirk and Connie Tringler, who will be discussed below-none allege that they have suffered actual identity theft.[4] They contend instead that they have been harmed because the data breach has increased the likelihood that they will be the victims of identity theft in the future. In assessing such prospective harms, the Supreme Court held in Clapper v. Amnesty International USA that “[a]llegations of possible future injury” do not satisfy constitutional standing requirements. 133 S.Ct. 1138, 1147 (2013) (quoting Whitmore v. Arkansas, 495 U.S. 149, 158 (1990)) (internal quotation marks omitted). Rather, the “threatened injury must be certainly impending to constitute injury in fact.” Id. (quoting Whitmore, 495 U.S. at 158) (internal quotation marks omitted). That does not mean that Plaintiffs are required to show that it is “literally certain that the harms they identify will come about.” Id. at 1150 n.5. But they must at least demonstrate a “‘substantial risk’ that the harm will occur.” Id. (quoting Monsanto Co. v. Geertson Seed Farms, 130 S.Ct. 2743, 2754-55 (2010)). Plaintiffs whose claim of injury depends on an “attenuated chain of inferences necessary to find harm” will “fall short” of the mark. Id. The Court turns to each of Plaintiffs’ claimed injuries below.

         A. Increased Risk of Identity Theft

         Judge Boasberg of this Court recently applied Clapper’s “certainly impending” standard to a claim of injury resulting from filched electronic data. SAIC, 45 F.Supp.3d at 24. In that case, back-up tapes containing the personal information and medical records of military service members were among various items stolen from the car of an employee of the information technology company SAIC. See id. at 19-20. The data tapes originated with a federal agency that provides health insurance to military families, and SAIC was in possession of the tapes through an IT security contract with the agency. See id. Service members whose data was contained on the tapes sued, alleging in part that they had been harmed by the increased likelihood that they would suffer identity fraud as a result of the theft. See id.

         The Court found the plaintiffs’ claims of increased risk of identity theft to be insufficient to establish injury in fact. Judge Boasberg reasoned that too many assumptions were required to find the alleged harm certainly impending. The thief would still need to “recognize the tapes for what they were”; “find a tape reader and attach it to her computer”; “acquire software to upload the data”; decipher any encrypted portions of the data; “acquire familiarity with the [health insurance company’s] database format, which might require another round of special software”; and finally, “either misuse a particular Plaintiff’s [information] or sell that Plaintiff’s data to a willing buyer who would then abuse it.” Id. at 25. Because the plaintiffs had not alleged that any of those things had occurred, and because those “events [were] entirely dependent on the actions of an unknown third party, ” they failed to demonstrate standing under Clapper. Id.

         Plaintiffs attempt to distinguish SAIC by pointing out that, unlike the thieves there-who stole various physical objects from a car, some of which happened to contain data-those here breached CareFirst’s server protections for the very purpose of accessing that data, thus demonstrating their intent to misuse it. See Pls.’ Opp’n 10-11. Plaintiffs point to the Seventh Circuit’s recent decision in Remijas v. Neiman Marcus Group, 794 F.3d 688 (7th Cir. 2015), as more-analogous precedent. Remijas involved a data breach of Neiman Marcus’s computer systems, which compromised customers’ credit card information, social security numbers, and birth dates. See id. at 690. Of the 350, 000 credit cards whose information was potentially exposed, 9, 200 “were known to have been used fraudulently.” Id. In other words, the hackers had clearly demonstrated that they had the means and the will either to abuse the information they accessed or to sell it to others who did so. Unlike in SAIC, where only two plaintiffs out of the 4.7 million service members whose information was stolen plausibly alleged an injury traceable to the theft, SAIC, 45 ...

Buy This Entire Record For $7.95

Download the entire decision to receive the complete text, official citation,
docket number, dissents and concurrences, and footnotes for this case.

Learn more about what you receive with purchase of this case.