(Reuters) - Circuit splits, like beauty, can be in the eye of the beholder.
Last October, I told you about a petition for U.S. Supreme Court review by the health insurer CareFirst, which asked the justices to clarify constitutional standing requirements for plaintiffs exposed in corporate data breaches. CareFirst’s lawyers at Eversheds Sutherland argued that the District of Columbia U.S. Circuit Court of Appeals, which revived a data breach class action against the insurer, applied an overly permissive interpretation of constitutional standing requirements that is at odds with decisions by the 3rd, 4th and 8th Circuits, which have held that the mere theft of personal information does not give plaintiffs a right to sue.
CareFirst said the lower courts are in such disarray that judges in different circuits have reached opposite conclusions in competing class actions stemming from the exact same data breach. “Lower courts have struggled to consistently apply Article III standing principles to future injuries allegedly caused by data theft, including the increased risk of future identity theft,” its Supreme Court petition said. “Without guidance, courts, litigants, cybersecurity insurers and corporate America will remain uncertain as to when a federal court can hear such claims.”
Or not, according to a newly filed brief opposing Supreme Court review in the CareFirst case. The brief, by lawyers for the plaintiffs suing CareFirst, contends the much-ballyhooed (by me, among others) circuit split on standing in data breach class actions is a mirage.
In fact, according to plaintiffs’ lawyers from Paulson & Nace, Nidel & Nace and the Giatras Law Firm, the federal circuits all agree on how to interpret Supreme Court precedent on constitutional standing. The circuits may have reached different conclusions about standing in particular data breach class actions, the new brief said, but those conclusions were based on particular facts, not on the law.
“A review of these opinions does not demonstrate a split, but only that the courts are applying the facts to the appropriate precedent to weed out only those cases that do not meet the Article III standards the court has long identified,” the new Supreme Court brief said. “Not a single case cited by petitioners suggests a split on the legal issue.”
The brief addressed three circuit court rulings that held data breach victims do not have standing based only on the theft of their personal information. The 3rd Circuit’s 2011 decision in Reilly v. Ceridian (664 F.3d 38) predates the Supreme Court’s latest precedent on standing and imminent threat of injury, 2013’s Clapper v. Amnesty International (133 S.Ct. 1138) and 2014’s Susan B. Anthony List v. Driehaus (134 S.Ct. 2334). After the Supreme Court clarified the test for standing, the new brief said, the 3rd Circuit revised its analysis in a 2017 decision (846 F.3d 625) holding that plaintiffs in a data breach class action against Horizon Healthcare had standing based only on alleged violations of the Fair Credit Reporting Act.
Similarly, the CareFirst plaintiffs said, the 4th Circuit held last year, in Wikimedia v. NSA (857 F.3d 193) that data misappropriation can confer constitutional standing, despite its earlier decision in Beck v. McDonald (848 F.3d 262) that the mere risk of identity theft is not concrete enough to give data breach victims standing to sue. And even in the Beck decision, the CareFirst plaintiffs’ brief said, the 4th Circuit based its holding on the premise that no plaintiffs alleged their stolen data had actually been misused. That fact pattern distinguished the data breach class action at the 4th Circuit from the CareFirst case and others in which federal circuits have found the risk of identity theft sufficient to establish standing.
Finally, the CareFirst plaintiffs’ Supreme Court brief quoted the 8th Circuit’s own language in 2017’s In re SuperValu (870 F.3d 763), which it concedes to be the best evidence of a split amongst the circuits on standing for data breach victims. But the big problem with that evidence, according to the opposition brief, is that the 8th Circuit said all of the circuit rulings “ultimately turned on the substance of the allegations before each court,” so the different outcomes “need not” be reconciled.
Computer hackers have compromised personal information belonging to scores, if not hundreds, of millions of Americans. All of them are likely to be members of data breach class actions (whether they know it or not). So far, as I’ve said many times, consumer class actions based on the theft of personal data have not produced big-money damages. But these cases affect more people than any other class actions I can think of.
The Supreme Court has already ducked a big class action issue this term, when it declined to take up the issue of ascertainability and class certification. The CareFirst plaintiffs seem to be banking on the court’s disinclination to discern a circuit split when there may not actually be one.