Attias v. Carefirst, Inc.

UNITED STATES DISTRICT COURT FOR THE DISTRICT OF COLUMBIA CHANTAL ATTIAS, et al., Plaintiffs, v. Case No. 15-cv-00882 (CRC) CAREFIRST, INC., et al., Defendants. MEMORANDUM OPINION Theft of electronic data has become commonplace in our digital economy, victimizing millions of Americans each year. But while the resulting harm to consumers can be catastrophic, not all data breaches result in legally actionable injuries. As a result, when consumers whose data has been compromised seek redress in the courts, it must be determined whether their alleged injuries are sufficiently specific and concrete to give them standing to sue. That is the task presently before the Court in this case. In June 2014, the health insurer CareFirst suffered a data breach that compromised the personal information of some 1.1 million policyholders, including the seven named Plaintiffs here. The purloined information included the policyholders’ names, birth dates, email addresses, and subscriber identification numbers. Compl. ¶ 32; see also Defs.’ Reply Ex. 1 (Decl. Clayton Moore House) ¶ 10. According to CareFirst, more-sensitive data, such as social security and credit card numbers, was not stolen. 1 After CareFirst publicly acknowledged the breach in May 1 Although Plaintiffs assert in their opposition to the motion to dismiss that their social security numbers were stolen in the data breach, the Complaint neither makes that allegation explicitly nor contains any factual contentions that would support that conclusion. See Pls.’ Opp’n 17 (citing Compl. ¶ 57). 1 2015, Plaintiffs sued the company and various of its affiliates on behalf of themselves and other policyholders, alleging that CareFirst violated a host of state laws and legal duties by failing to safeguard their personal information. 2 Another set of plaintiffs filed a similar federal class action in Maryland. CareFirst has moved to dismiss Plaintiffs’ complaint. It argues that because Plaintiffs have not alleged that their personal information has actually been misused, or explained how the stolen information could readily be used to assume their identities, they lack standing to sue in federal court. Plaintiffs mainly respond that the increased likelihood of identity theft that resulted from the breach, and the costs they have incurred to mitigate it, are sufficient injuries to establish standing. In resolving this dispute, the Court will follow the standard set by the majority of courts that have confronted similar cases, including the related Maryland class action: Absent facts demonstrating a substantial risk that stolen data has been or will be misused in a harmful manner, merely having one’s personal information stolen in a data breach is insufficient to establish standing to sue the entity from whom the information was taken. Because Plaintiffs have not made the required showing, the Court lacks subject matter jurisdiction over the case and will grant CareFirst’s motion to dismiss. I. Legal Standard Defendants move to dismiss the Complaint for lack of subject matter jurisdiction pursuant to Federal Rule of Civil Procedure 12(b)(1) and for failure to state a claim upon which 2 Plaintiffs allege that the Court has jurisdiction over the case pursuant to 28 U.S.C. § 1332(d)(2) because the class’s aggregate claims exceed $5,000,000 and “there are numerous class members who are citizens of states other than the Defendants.” Compl. ¶ 10. The Court will not assess this assertion because, as discussed below, it will dismiss the case for lack of subject matter jurisdiction on standing grounds. 2 relief can be granted pursuant to Rule 12(b)(6). “The distinctions between 12(b)(1) and 12(b)(6) are important and well understood. Rule 12(b)(1) presents a threshold challenge to the court’s jurisdiction, whereas 12(b)(6) presents a ruling on the merits with res judicata effect.” Al- Owhali v. Ashcroft, 279 F. Supp. 2d 13, 20 (D.D.C. 2003) (quoting Haase v. Sessions, 835 F.2d 902, 906 (D.C.Cir.1987)) (internal quotation marks omitted). Because “a court must begin with questions of jurisdiction” “[b]efore examining the merits of any claim,” In re Sci. Applications Int’l Corp. (“SAIC”), 45 F. Supp. 3d 14, 23 (D.D.C. 2014), and because the Court will conclude that it lacks subject matter jurisdiction, this Opinion will address only Defendants’ jurisdictional arguments. Thus, “Federal Rule of Civil Procedure 12(b)(1) provides the relevant legal standard.” Id. at 22. Under this standard, the Court must “treat the [C]omplaint’s factual allegations as true . . . and must grant [Plaintiffs] the benefit of all inferences that can be derived from the facts alleged.” Id. (omission in original) (quoting Sparrow v. United Air Lines, Inc., 216 F.3d 1111, 1113 (D.C. Cir. 2000)) (internal quotation marks omitted). At the same time, because a “court has an ‘affirmative obligation to ensure that it is acting within the scope of its jurisdictional authority,’” id. at 23 (quoting Grand Lodge of Fraternal Order of Police v. Ashcroft, 185 F. Supp. 2d 9, 13 (D.D.C. 2001)), a plaintiff’s factual allegations in the complaint “will bear closer scrutiny in resolving a 12(b)(1) motion than in resolving a 12(b)(6) motion for failure to state a claim,” id. (quoting Grand Lodge, 185 F. Supp. 2d at 13–14) (internal quotation mark omitted). “Additionally, unlike with a motion to dismiss under Rule 12(b)(6), the Court ‘may consider materials outside the pleadings in deciding whether 3 to grant a motion to dismiss for lack of jurisdiction.’” 3 Id. (quoting Jerome Stevens Pharm. v. FDA, 402 F.3d 1249, 1253 (D.C. Cir. 2005)). II. Analysis Article III of the U.S. Constitution limits the reach of federal jurisdiction to the resolution of cases and controversies. See U.S. Const. art. III, § 2. “Because ‘standing is an essential and unchanging part of the case-or-controversy requirement of Article III,’” SAIC, 45 F. Supp. 3d at 23 (quoting Lujan v. Defenders of Wildlife, 504 U.S. 555, 560 (1992)), “standing is a necessary ‘predicate to any exercise of [the Court’s] jurisdiction,’” id. (alteration in original) (quoting Fla. Audubon Soc’y v. Bentsen, 94 F.3d 658, 663 (D.C. Cir. 1996)). Consequently, every federal court plaintiff “bears the burden of establishing the three elements that make up the irreducible constitutional minimum of Article III standing: injury-in-fact, causation, and redressability.” Id. (quoting Dominguez v. UAL Corp., 666 F.3d 1359, 1362 (D.C. Cir. 2012)) (internal quotation marks omitted). “Even in the class-action context, all named Plaintiffs must allege and show that they personally have been injured.” Id. (quoting Warth v. Seldin, 422 U.S. 490, 502 (1975)) (internal quotation mark omitted). And plaintiffs must plead or prove, “with the requisite ‘degree of evidence required at the successive stages of the litigation,’” each element of standing. Id. (quoting Lujan, 504 U.S. at 561). Thus, “at the motion-to-dismiss stage, Plaintiffs must plead facts that, taken as true, make the existence of standing plausible.” Id. The question at issue here is whether the named Plaintiffs have demonstrated an “injury in fact” that is concrete, particularized, and actual or imminent, Lujan, 504 U.S. at 560 (quoting Allen v. Wright, 468 U.S. 737, 756 (1984)) (internal quotation marks omitted), and, if so, 3 For this reason, the Court will consider, and deny, Plaintiffs’ motion to strike the affidavit of CareFirst IT security official Clayton Moore House, which details the parameters of the data breach. 4 whether that injury is “fairly traceable” to the CareFirst data breach, id. at 590 (alteration omitted) (quoting Simon v. E. Ky. Welfare Rights Org., 426 U.S. 26, 41 (1976)) (internal quotation mark omitted). With the exception of two of the Plaintiffs—Kirk and Connie Tringler, who will be discussed below—none allege that they have suffered actual identity theft. 4 They contend instead that they have been harmed because the data breach has increased the likelihood that they will be the victims of identity theft in the future. In assessing such prospective harms, the Supreme Court held in Clapper v. Amnesty International USA that “[a]llegations of possible future injury” do not satisfy constitutional standing requirements. 133 S. Ct. 1138, 1147 (2013) (quoting Whitmore v. Arkansas, 495 U.S. 149, 158 (1990)) (internal quotation marks omitted). Rather, the “threatened injury must be certainly impending to constitute injury in fact.” Id. (quoting Whitmore, 495 U.S. at 158) (internal quotation marks omitted). That does not mean that Plaintiffs are required to show that it is “literally certain that the harms they identify will come about.” Id. at 1150 n.5. But they must at least demonstrate a “‘substantial risk’ that the 4 Although the Plaintiffs’ opposition to the Defendants’ motion to dismiss asserts that “many Plaintiffs have already suffered identity theft, credit card fraud, and had their tax returns stolen,” Pls.’ Opp’n 5 (emphasis added) (citing Compl. ¶¶ 47–57), and that victims of the data breach other than the Tringlers have suffered “actual identity theft and fraud,” id. at 3 (citing Compl. ¶ 57), the Complaint contains no factual allegations to support those assertions. The paragraphs of the Complaint Plaintiffs cite contain only conjecture regarding Plaintiffs other than the Tringlers. See Compl. ¶ 49 (“Identity thieves can use identifying data . . . to open new financial accounts and incur charges in another person’s name . . . .” (emphasis added)); id. ¶ 50 (“Identity thieves can use personal information . . . to perpetrate a variety of crimes that do not cause financial loss, but nonetheless harm the victims. For instance, . . . .” (emphasis added)); id. ¶ 51 (“[I]dentity thieves may get medical services using the Plaintiff’s PII [Personally Identifiable Information] and PHI [Personal Health Information] or commit any number of other frauds . . . .” (emphasis added)); id. ¶ 55 (“Identity thieves can use [stolen] information” to enroll unwilling beneficiaries into certain health plans. (emphasis added)). Because a “complaint may not be amended by the briefs in opposition to a motion to dismiss,” BEG Invs., LLC v. Alberti, 85 F. Supp. 3d 13, 26 (D.D.C. 2015) (quoting Coleman v. Pension Benefit Guar. Corp., 94 F. Supp. 2d 18, 24 n.8 (D.D.C. 2000)) (internal quotation marks omitted), Plaintiffs’ assertion of harm in their opposition does not constitute an allegation mounted in the Complaint. 5 harm will occur.” Id. (quoting Monsanto Co. v. Geertson Seed Farms, 130 S. Ct. 2743, 2754–55 (2010)). Plaintiffs whose claim of injury depends on an “attenuated chain of inferences necessary to find harm” will “fall short” of the mark. Id. The Court turns to each of Plaintiffs’ claimed injuries below. A. Increased Risk of Identity Theft Judge Boasberg of this Court recently applied Clapper’s “certainly impending” standard to a claim of injury resulting from filched electronic data. SAIC, 45 F. Supp. 3d at 24. In that case, back-up tapes containing the personal information and medical records of military service members were among various items stolen from the car of an employee of the information technology company SAIC. See id. at 19–20. The data tapes originated with a federal agency that provides health insurance to military families, and SAIC was in possession of the tapes through an IT security contract with the agency. See id. Service members whose data was contained on the tapes sued, alleging in part that they had been harmed by the increased likelihood that they would suffer identity fraud as a result of the theft. See id. The Court found the plaintiffs’ claims of increased risk of identity theft to be insufficient to establish injury in fact. Judge Boasberg reasoned that too many assumptions were required to find the alleged harm certainly impending. The thief would still need to “recognize the tapes for what they were”; “find a tape reader and attach it to her computer”; “acquire software to upload the data”; decipher any encrypted portions of the data; “acquire familiarity with the [health insurance company’s] database format, which might require another round of special software”; and finally, “either misuse a particular Plaintiff’s [information] or sell that Plaintiff’s data to a willing buyer who would then abuse it.” Id. at 25. Because the plaintiffs had not alleged that 6 any of those things had occurred, and because those “events [were] entirely dependent on the actions of an unknown third party,” they failed to demonstrate standing under Clapper. Id. Plaintiffs attempt to distinguish SAIC by pointing out that, unlike the thieves there—who stole various physical objects from a car, some of which happened to contain data—those here breached CareFirst’s server protections for the very purpose of accessing that data, thus demonstrating their intent to misuse it. See Pls.’ Opp’n 10–11. Plaintiffs point to the Seventh Circuit’s recent decision in Remijas v. Neiman Marcus Group, 794 F.3d 688 (7th Cir. 2015), as more-analogous precedent. Remijas involved a data breach of Neiman Marcus’s computer systems, which compromised customers’ credit card information, social security numbers, and birth dates. See id. at 690. Of the 350,000 credit cards whose information was potentially exposed, 9,200 “were known to have been used fraudulently.” Id. In other words, the hackers had clearly demonstrated that they had the means and the will either to abuse the information they accessed or to sell it to others who did so. Unlike in SAIC, where only two plaintiffs out of the 4.7 million service members whose information was stolen plausibly alleged an injury traceable to the theft, SAIC, 45 F. Supp. 3d at 31–33, in Remijas, even the plaintiffs who had not yet experienced fraud had demonstrated that they faced a “substantial risk” of fraud sufficient to confer standing because so many other plaintiffs had experienced cognizable harm traceable to the breach, Remijas, 794 F.3d at 693. The Court views SAIC to be more similar to this case than Remijas and other data breach cases cited by Plaintiffs. See Pls.’ Opp’n 6–10. While the series of assumptions required to find concrete harm to Plaintiffs may be somewhat shorter here than that in SAIC, their theory of injury is still too speculative to satisfy Clapper. The Court would have to assume, at a minimum, that the hackers have the ability to read and understand Plaintiffs’ personal information, the 7 intent to “commit future criminal acts by misusing the information,” and the ability to “use such information to the detriment of [Plaintiffs] by making unauthorized transactions in [Plaintiffs’] names.” Chambliss v. CareFirst, Inc., No. RDB-15-2288, 2016 WL 3055299, at *4 (D. Md. May 27, 2016) (alterations in original) (quoting In re SuperValu, Inc., Customer Data Sec. Breach Litig., No. 14-MD-2586, 2016 WL 81792, at *5 (D. Minn. Jan. 7, 2016)) (internal quotation mark omitted). And, even more speculative than in SAIC—where social security numbers were among the stolen data—is the question whether the hackers here would be willing or able to use the existing data to acquire additional data. Plaintiffs have not suggested, let alone demonstrated, how the CareFirst hackers could steal their identities without access to their social security or credit card numbers. See, e.g., Antman v. Uber Techs., Inc., No. 3:15-cv-01175, 2015 WL 6123054, at *11 (N.D. Cal. Oct. 19, 2015) (“[T]he court holds that Mr. Antman’s allegations are not sufficient because his complaint alleges only the theft of names and driver’s licenses. Without a hack of information such as social security numbers, account numbers, or credit card numbers, there is no obvious, credible risk of identity theft that risks real, immediate injury.”). The absence of such a showing distinguishes this case from Remijas, where the demonstrated existence of thousands of unauthorized charges shortly following the data breach clearly established a connection between the breach and the thieves’ ability and willingness to commit fraud. The court in the related Maryland class action reached same conclusion, granting the defendants’ motion to dismiss for lack of subject matter jurisdiction on standing grounds. It rejected the plaintiffs’ argument that the breach increased their risk of future harm because “most courts to consider the issue ‘have agreed that the mere loss of data—without any evidence that it has been either viewed or misused—does not constitute an injury sufficient to confer standing.’” 8 Chambliss, 2016 WL 3055299, at *4 (quoting SAIC, 45 F. Supp. 3d at 19) (citing In re Zappos.com, Inc., 108 F.Supp.3d 949, 958–59 (D. Nev. 2015); Green v. eBay, Inc., No. 14-1688, 2015 WL 2066531, at *5 (E.D. La. May 4, 2015); In re Horizon Healthcare Servs., Inc. Data Breach Litig., No. 13-7418, 2015 WL 1472483, at *6 (D.N.J. Mar. 31, 2015); Key v. DSW, Inc., 454 F.Supp.2d 684, 689 (S.D. Ohio 2006)). The court added that “since Clapper[,] . . . courts have been even more emphatic in rejecting ‘increased risk’ as a theory of standing in data-breach cases.” Id. (quoting SAIC, 45 F.Supp.3d at 28) (citing In re SuperValu, 2016 WL 81792, at *4); Strautins v. Trustwave Holdings, Inc., 27 F.Supp.3d 871, 876 (N.D. Ill. 2014)) (internal quotation marks omitted). This Court likewise concludes that Plaintiffs have not demonstrated a sufficiently substantial risk of future harm stemming from the breach to establish standing. B. Actual Identity Theft As noted above, two of the named Plaintiffs—Kirk and Connie Tringler—allege that they have already suffered an injury from the data breach. They claim that they have experienced tax- refund fraud in that they have still not received an expected tax refund. See Compl. ¶ 57. While suffering this type of fraud may constitute a concrete and particularized injury, in order to demonstrate standing, Plaintiffs must also plausibly assert that their alleged injury is “fairly traceable to the challenged action.” Clapper, 133 S. Ct. at 1147. And again, while the Plaintiffs’ opposition asserts that the stolen information included social security numbers, the Complaint does not support that allegation. See supra note 1; Pls.’ Opp’n 17; Compl. ¶ 57. As Defendants point out, and Plaintiffs do not contest, “[i]t is not plausible that tax refund fraud could have been conducted without the Tringlers’ Social Security Numbers.” Defs. Reply 5; see also Furlow v. United States, 55 F. Supp. 2d 360, 362–63 (D. Md. 1999) (“[T]o receive an income tax exemption . . . , the taxpayer must include the social security number or taxpayer identification 9 number of the claimed individual on his returns.”). Therefore, the Tringlers have not plausibly alleged that any tax-return fraud they have experienced is fairly traceable to the data breach. C. Other Claimed Harms In addition to arguing that the increased risk of future harm confers standing upon Plaintiffs other than the Tringlers and that the Tringlers have already experienced cognizable injury, all Plaintiffs contend that they have experienced four other types of harm: (1) economic harm through having to purchase credit-monitoring services to prevent identity theft and fraud; (2) economic harm through overpayment for their insurance coverage, the cost of which they maintain should have covered prophylactic measures against hacking; (3) loss of the intrinsic value of their personal information; and (4) violation of their statutory rights under consumer protection acts. None of the arguments in support of these contentions is availing. First, because the increased risk of future identity theft or fraud is too speculative to confer standing, Plaintiffs cannot opt in to standing-conferring economic injury by purchasing protection from that future harm. Where “future harm . . . is not certainly impending,” plaintiffs “cannot manufacture standing by choosing to make expenditures based on” that “hypothetical” harm. Clapper, 133 S. Ct. at 1143. In other words, Plaintiffs “cannot create standing by ‘inflicting harm on themselves’” in the form of purchasing credit-monitoring services in order “to ward off an otherwise speculative injury.” SAIC, 45 F. Supp. 3d at 26 (quoting Clapper, 133 S. Ct. at 1151). Second, a claim that “some indeterminate part of their premiums went toward paying for security measures . . . is too flimsy to support standing.” Id. at 30. Like the plaintiffs in SAIC, Plaintiffs here “do not maintain that the money they paid could have or would have bought a better policy with a more bullet-proof information-security regime.” Id. Nor have they “alleged 10 facts that show that the market value of their insurance coverage (plus security services) was somehow less than what they paid.” Id. Third, also like the plaintiffs in SAIC, “Plaintiffs do not contend that they intended to sell [their personal] information on the cyber black market in the first place, so it is uncertain how they were injured” by the alleged loss of the intrinsic value of that information. Id. In addition, “it is unclear whether or how the data has been devalued by the breach.” Id. Without factual allegations to support this contention, Plaintiffs do not plausibly assert harm from the loss of their personal information’s intrinsic value. Fourth, Plaintiffs contend that this Court must conclude that they have standing because the D.C. Court of Appeals, they assert, has held that a violation of the D.C. Consumer Protection Procedures Act can confer standing on its own. See Pls.’ Opp’n 13 (citing Grayson v. AT&T Corp., 15 A.3d 219, 247 (D.C. 2011)). Setting aside the fact that only the Plaintiffs who are residents of the District of Columbia assert violations of this D.C. Act, statutory rights cannot confer Article III standing on a plaintiff who does not have it otherwise. See Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547–48 (2016) (“Injury in fact is a constitutional requirement, and ‘[i]t is settled that Congress cannot erase Article III’s standing requirements by statutorily granting the right to sue to a plaintiff who would not otherwise have standing.’” (alteration in original) (quoting Raines v. Byrd, 521 U.S. 811, 820 n.3 (1997))). This is so because an injury in fact must be “both ‘concrete and particularized.’” Id. at 1545 (quoting Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167, 180–81 (2000)). While violation of a plaintiff’s statutory rights is not irrelevant to standing, it is also not sufficient because it “concern[s] particularization, not concreteness,” id. at 1548: “Article III standing requires a concrete injury even in the context of a statutory violation,” id. at 1549. And a “‘concrete’ injury 11 must be ‘de facto’; that is, it must actually exist.” Id. at 1548. Where a violation of a statute “may result in no harm,” that mere violation is insufficient to confer standing. Id. at 1550. Even if Plaintiffs’ rights under applicable consumer protection acts have been violated, because they do not plausibly allege concrete harm, they have not demonstrated that they have standing to press their claims. 5 III. Conclusion For the foregoing reasons, Defendants’ motion to dismiss will be granted and the Second Amended Complaint dismissed without prejudice, and Plaintiffs’ motion to strike will be denied. An order accompanies this memorandum opinion. CHRISTOPHER R. COOPER United States District Judge Date: August 10, 2016 5 Plaintiffs have filed a notice of supplemental authority flagging for the Court a recently decided D.C. Circuit case concerning an alleged violation of D.C. laws protecting consumers from the disclosure of contact information in the course of credit card transactions. See Hancock v. Urban Outfitters, Inc., No. 14-7047, 2016 WL 3996710 (D.C. Cir. July 26, 2016). The court held that the plaintiffs failed to establish standing because, although they alleged statutory violations, they did not allege any concrete injury in fact as a result of those violations. See id. at *6–7. In dicta, the court noted that “increased risk of fraud or identity theft . . . may satisfy Article III’s requirement of concrete injury.” Id. at *7. It is this statement that Plaintiffs emphasize in their notice. However, the D.C. Circuit’s reasoning, and the principal that increased risk of harm may satisfy the constitutional requirement of concrete injury are entirely consistent with the Court’s analysis here. 12