Attias v. Carefirst, Inc. ( 2016 )

                              UNITED STATES DISTRICT COURT
FOR THE DISTRICT OF COLUMBIA
CHANTAL ATTIAS, et al.,
Plaintiffs,
v.                           Case No. 15-cv-00882 (CRC)
CAREFIRST, INC., et al.,
Defendants.
MEMORANDUM OPINION
Theft of electronic data has become commonplace in our digital economy, victimizing
millions of Americans each year. But while the resulting harm to consumers can be catastrophic,
not all data breaches result in legally actionable injuries. As a result, when consumers whose
data has been compromised seek redress in the courts, it must be determined whether their
alleged injuries are sufficiently specific and concrete to give them standing to sue. That is the
task presently before the Court in this case.
In June 2014, the health insurer CareFirst suffered a data breach that compromised the
personal information of some 1.1 million policyholders, including the seven named Plaintiffs
here. The purloined information included the policyholders’ names, birth dates, email addresses,
and subscriber identification numbers. Compl. ¶ 32; see also Defs.’ Reply Ex. 1 (Decl. Clayton
Moore House) ¶ 10. According to CareFirst, more-sensitive data, such as social security and
credit card numbers, was not stolen. 1 After CareFirst publicly acknowledged the breach in May
1
Although Plaintiffs assert in their opposition to the motion to dismiss that their social
security numbers were stolen in the data breach, the Complaint neither makes that allegation
explicitly nor contains any factual contentions that would support that conclusion. See Pls.’
Opp’n 17 (citing Compl. ¶ 57).
1
2015, Plaintiffs sued the company and various of its affiliates on behalf of themselves and other
policyholders, alleging that CareFirst violated a host of state laws and legal duties by failing to
safeguard their personal information. 2 Another set of plaintiffs filed a similar federal class
action in Maryland.
CareFirst has moved to dismiss Plaintiffs’ complaint. It argues that because Plaintiffs
have not alleged that their personal information has actually been misused, or explained how the
stolen information could readily be used to assume their identities, they lack standing to sue in
federal court. Plaintiffs mainly respond that the increased likelihood of identity theft that
resulted from the breach, and the costs they have incurred to mitigate it, are sufficient injuries to
establish standing. In resolving this dispute, the Court will follow the standard set by the
majority of courts that have confronted similar cases, including the related Maryland class
action: Absent facts demonstrating a substantial risk that stolen data has been or will be misused
in a harmful manner, merely having one’s personal information stolen in a data breach is
insufficient to establish standing to sue the entity from whom the information was taken.
Because Plaintiffs have not made the required showing, the Court lacks subject matter
jurisdiction over the case and will grant CareFirst’s motion to dismiss.
I.      Legal Standard
Defendants move to dismiss the Complaint for lack of subject matter jurisdiction
pursuant to Federal Rule of Civil Procedure 12(b)(1) and for failure to state a claim upon which
2
Plaintiffs allege that the Court has jurisdiction over the case pursuant to 28 U.S.C.
§ 1332(d)(2) because the class’s aggregate claims exceed $5,000,000 and “there are numerous
class members who are citizens of states other than the Defendants.” Compl. ¶ 10. The Court
will not assess this assertion because, as discussed below, it will dismiss the case for lack of
subject matter jurisdiction on standing grounds.
2
relief can be granted pursuant to Rule 12(b)(6). “The distinctions between 12(b)(1) and 12(b)(6)
are important and well understood. Rule 12(b)(1) presents a threshold challenge to the court’s
jurisdiction, whereas 12(b)(6) presents a ruling on the merits with res judicata effect.” Al-
Owhali v. Ashcroft, 

, 20 (D.D.C. 2003) (quoting Haase v. Sessions, 

, 906 (D.C.Cir.1987)) (internal quotation marks omitted). Because “a court must begin with
questions of jurisdiction” “[b]efore examining the merits of any claim,” In re Sci. Applications
Int’l Corp. (“SAIC”), 

, 23 (D.D.C. 2014), and because the Court will conclude
that it lacks subject matter jurisdiction, this Opinion will address only Defendants’ jurisdictional
arguments. Thus, “Federal Rule of Civil Procedure 12(b)(1) provides the relevant legal
standard.” 

Under this standard, the Court must “treat the [C]omplaint’s factual
allegations as true . . . and must grant [Plaintiffs] the benefit of all inferences that can be derived
from the facts alleged.” 

original) (quoting Sparrow v. United Air Lines, Inc.,

, 1113 (D.C. Cir. 2000)) (internal quotation marks omitted).
At the same time, because a “court has an ‘affirmative obligation to ensure that it is
acting within the scope of its jurisdictional authority,’” 

(quoting Grand Lodge of
Fraternal Order of Police v. Ashcroft, 

, 13 (D.D.C. 2001)), a plaintiff’s factual
allegations in the complaint “will bear closer scrutiny in resolving a 12(b)(1) motion than in
resolving a 12(b)(6) motion for failure to state a claim,” 

Lodge, 

at 13–14) (internal quotation mark omitted). “Additionally, unlike with a motion to dismiss
under Rule 12(b)(6), the Court ‘may consider materials outside the pleadings in deciding whether
3
to grant a motion to dismiss for lack of jurisdiction.’” 3 

Stevens Pharm. v.
FDA, 

, 1253 (D.C. Cir. 2005)).
II.     Analysis
Article III of the U.S. Constitution limits the reach of federal jurisdiction to the resolution
of cases and controversies. See U.S. Const. art. III, § 2. “Because ‘standing is an essential and
unchanging part of the case-or-controversy requirement of Article III,’” 

(quoting Lujan v. Defenders of Wildlife, 

, 560 (1992)), “standing is a necessary
‘predicate to any exercise of [the Court’s] jurisdiction,’” 

original) (quoting Fla.
Audubon Soc’y v. Bentsen, 

, 663 (D.C. Cir. 1996)). Consequently, every federal
court plaintiff “bears the burden of establishing the three elements that make up the irreducible
constitutional minimum of Article III standing: injury-in-fact, causation, and redressability.” 

v. UAL Corp., 

, 1362 (D.C. Cir. 2012)) (internal quotation
marks omitted). “Even in the class-action context, all named Plaintiffs must allege and show that
they personally have been injured.” 

v. Seldin, 

, 502 (1975))
(internal quotation mark omitted). And plaintiffs must plead or prove, “with the requisite
‘degree of evidence required at the successive stages of the litigation,’” each element of standing.

504 U.S. at 561). Thus, “at the motion-to-dismiss stage, Plaintiffs must plead
facts that, taken as true, make the existence of standing plausible.” 

at issue here is whether the named Plaintiffs have demonstrated an “injury
in fact” that is concrete, particularized, and actual or imminent, 

(quoting
Allen v. Wright, 

, 756 (1984)) (internal quotation marks omitted), and, if so,
3
For this reason, the Court will consider, and deny, Plaintiffs’ motion to strike the
affidavit of CareFirst IT security official Clayton Moore House, which details the parameters of
the data breach.
4
whether that injury is “fairly traceable” to the CareFirst data breach, 

(alteration
omitted) (quoting Simon v. E. Ky. Welfare Rights Org., 

, 41 (1976)) (internal
quotation mark omitted). With the exception of two of the Plaintiffs—Kirk and Connie Tringler,
who will be discussed below—none allege that they have suffered actual identity theft. 4 They
contend instead that they have been harmed because the data breach has increased the likelihood
that they will be the victims of identity theft in the future. In assessing such prospective harms,
the Supreme Court held in Clapper v. Amnesty International USA that “[a]llegations of possible
future injury” do not satisfy constitutional standing requirements. 

, 1147 (2013)
(quoting Whitmore v. Arkansas, 

, 158 (1990)) (internal quotation marks omitted).
Rather, the “threatened injury must be certainly impending to constitute injury in fact.” 

495 U.S. at 158) (internal quotation marks omitted). That does not mean
that Plaintiffs are required to show that it is “literally certain that the harms they identify will
come about.” 

n.5. But they must at least demonstrate a “‘substantial risk’ that the
4
Although the Plaintiffs’ opposition to the Defendants’ motion to dismiss asserts that
“many Plaintiffs have already suffered identity theft, credit card fraud, and had their tax returns
stolen,” Pls.’ Opp’n 5 (emphasis added) (citing Compl. ¶¶ 47–57), and that victims of the data
breach other than the Tringlers have suffered “actual identity theft and fraud,” 

(citing
Compl. ¶ 57), the Complaint contains no factual allegations to support those assertions. The
paragraphs of the Complaint Plaintiffs cite contain only conjecture regarding Plaintiffs other than
the Tringlers. See Compl. ¶ 49 (“Identity thieves can use identifying data . . . to open new
financial accounts and incur charges in another person’s name . . . .” (emphasis added)); 

(“Identity thieves can use personal information . . . to perpetrate a variety of crimes that do not
cause financial loss, but nonetheless harm the victims. For instance, . . . .” (emphasis added)); 

(“[I]dentity thieves may get medical services using the Plaintiff’s PII [Personally
Identifiable Information] and PHI [Personal Health Information] or commit any number of other
frauds . . . .” (emphasis added)); 

(“Identity thieves can use [stolen] information” to enroll
unwilling beneficiaries into certain health plans. (emphasis added)). Because a “complaint may
not be amended by the briefs in opposition to a motion to dismiss,” BEG Invs., LLC v. Alberti,

, 26 (D.D.C. 2015) (quoting Coleman v. Pension Benefit Guar. Corp., 94 F.
Supp. 2d 18, 24 n.8 (D.D.C. 2000)) (internal quotation marks omitted), Plaintiffs’ assertion of
harm in their opposition does not constitute an allegation mounted in the Complaint.
5
harm will occur.” 

Co. v. Geertson Seed Farms, 

, 2754–55
(2010)). Plaintiffs whose claim of injury depends on an “attenuated chain of inferences
necessary to find harm” will “fall short” of the mark. 

turns to each of Plaintiffs’
claimed injuries below.
A.      Increased Risk of Identity Theft
Judge Boasberg of this Court recently applied Clapper’s “certainly impending” standard
to a claim of injury resulting from filched electronic data. 

. In that
case, back-up tapes containing the personal information and medical records of military service
members were among various items stolen from the car of an employee of the information
technology company SAIC. See 

The data tapes originated with a federal agency
that provides health insurance to military families, and SAIC was in possession of the tapes
through an IT security contract with the agency. See 

whose data was
contained on the tapes sued, alleging in part that they had been harmed by the increased
likelihood that they would suffer identity fraud as a result of the theft. See 

found the plaintiffs’ claims of increased risk of identity theft to be insufficient
to establish injury in fact. Judge Boasberg reasoned that too many assumptions were required to
find the alleged harm certainly impending. The thief would still need to “recognize the tapes for
what they were”; “find a tape reader and attach it to her computer”; “acquire software to upload
the data”; decipher any encrypted portions of the data; “acquire familiarity with the [health
insurance company’s] database format, which might require another round of special software”;
and finally, “either misuse a particular Plaintiff’s [information] or sell that Plaintiff’s data to a
willing buyer who would then abuse it.” 

Because the plaintiffs had not alleged that
6
any of those things had occurred, and because those “events [were] entirely dependent on the
actions of an unknown third party,” they failed to demonstrate standing under Clapper. 

to distinguish SAIC by pointing out that, unlike the thieves there—who
stole various physical objects from a car, some of which happened to contain data—those here
breached CareFirst’s server protections for the very purpose of accessing that data, thus
demonstrating their intent to misuse it. See Pls.’ Opp’n 10–11. Plaintiffs point to the Seventh
Circuit’s recent decision in Remijas v. Neiman Marcus Group, 

(7th Cir. 2015), as
more-analogous precedent. Remijas involved a data breach of Neiman Marcus’s computer
systems, which compromised customers’ credit card information, social security numbers, and
birth dates. See 

Of the 350,000 credit cards whose information was potentially
exposed, 9,200 “were known to have been used fraudulently.” 

words, the hackers
had clearly demonstrated that they had the means and the will either to abuse the information
they accessed or to sell it to others who did so. Unlike in SAIC, where only two plaintiffs out of
the 4.7 million service members whose information was stolen plausibly alleged an injury
traceable to the theft, 

–33, in Remijas, even the plaintiffs who had not
yet experienced fraud had demonstrated that they faced a “substantial risk” of fraud sufficient to
confer standing because so many other plaintiffs had experienced cognizable harm traceable to
the breach, 

.
The Court views SAIC to be more similar to this case than Remijas and other data breach
cases cited by Plaintiffs. See Pls.’ Opp’n 6–10. While the series of assumptions required to find
concrete harm to Plaintiffs may be somewhat shorter here than that in SAIC, their theory of
injury is still too speculative to satisfy Clapper. The Court would have to assume, at a minimum,
that the hackers have the ability to read and understand Plaintiffs’ personal information, the
7
intent to “commit future criminal acts by misusing the information,” and the ability to “use such
information to the detriment of [Plaintiffs] by making unauthorized transactions in [Plaintiffs’]
names.” Chambliss v. CareFirst, Inc., No. RDB-15-2288, 

, at *4 (D. Md. May
27, 2016) (alterations in original) (quoting In re SuperValu, Inc., Customer Data Sec. Breach
Litig., No. 14-MD-2586, 

, at *5 (D. Minn. Jan. 7, 2016)) (internal quotation
mark omitted). And, even more speculative than in SAIC—where social security numbers were
among the stolen data—is the question whether the hackers here would be willing or able to use
the existing data to acquire additional data. Plaintiffs have not suggested, let alone
demonstrated, how the CareFirst hackers could steal their identities without access to their social
security or credit card numbers. See, e.g., Antman v. Uber Techs., Inc., No. 3:15-cv-01175,

, at *11 (N.D. Cal. Oct. 19, 2015) (“[T]he court holds that Mr. Antman’s
allegations are not sufficient because his complaint alleges only the theft of names and driver’s
licenses. Without a hack of information such as social security numbers, account numbers, or
credit card numbers, there is no obvious, credible risk of identity theft that risks real, immediate
injury.”). The absence of such a showing distinguishes this case from Remijas, where the
demonstrated existence of thousands of unauthorized charges shortly following the data breach
clearly established a connection between the breach and the thieves’ ability and willingness to
commit fraud.
The court in the related Maryland class action reached same conclusion, granting the
defendants’ motion to dismiss for lack of subject matter jurisdiction on standing grounds. It
rejected the plaintiffs’ argument that the breach increased their risk of future harm because “most
courts to consider the issue ‘have agreed that the mere loss of data—without any evidence that it
has been either viewed or misused—does not constitute an injury sufficient to confer standing.’”
8
Chambliss, 

, at *4 (quoting 

) (citing In re
Zappos.com, Inc., 

, 958–59 (D. Nev. 2015); Green v. eBay, Inc., No. 14-1688,

, at *5 (E.D. La. May 4, 2015); In re Horizon Healthcare Servs., Inc. Data
Breach Litig., No. 13-7418, 

, at *6 (D.N.J. Mar. 31, 2015); Key v. DSW, Inc.,

, 689 (S.D. Ohio 2006)). The court added that “since Clapper[,] . . . courts
have been even more emphatic in rejecting ‘increased risk’ as a theory of standing in data-breach
cases.” 

45 F.Supp.3d at 28) (citing In re SuperValu, 

, at *4);
Strautins v. Trustwave Holdings, Inc., 

, 876 (N.D. Ill. 2014)) (internal
quotation marks omitted). This Court likewise concludes that Plaintiffs have not demonstrated a
sufficiently substantial risk of future harm stemming from the breach to establish standing.
B.      Actual Identity Theft
As noted above, two of the named Plaintiffs—Kirk and Connie Tringler—allege that they
have already suffered an injury from the data breach. They claim that they have experienced tax-
refund fraud in that they have still not received an expected tax refund. See Compl. ¶ 57. While
suffering this type of fraud may constitute a concrete and particularized injury, in order to
demonstrate standing, Plaintiffs must also plausibly assert that their alleged injury is “fairly
traceable to the challenged action.” 

. And again, while the Plaintiffs’
opposition asserts that the stolen information included social security numbers, the Complaint
does not support that allegation. See supra note 1; Pls.’ Opp’n 17; Compl. ¶ 57. As Defendants
point out, and Plaintiffs do not contest, “[i]t is not plausible that tax refund fraud could have been
conducted without the Tringlers’ Social Security Numbers.” Defs. Reply 5; see also Furlow v.
United States, 

, 362–63 (D. Md. 1999) (“[T]o receive an income tax
exemption . . . , the taxpayer must include the social security number or taxpayer identification
9
number of the claimed individual on his returns.”). Therefore, the Tringlers have not plausibly
alleged that any tax-return fraud they have experienced is fairly traceable to the data breach.
C.      Other Claimed Harms
In addition to arguing that the increased risk of future harm confers standing upon
Plaintiffs other than the Tringlers and that the Tringlers have already experienced cognizable
injury, all Plaintiffs contend that they have experienced four other types of harm: (1) economic
harm through having to purchase credit-monitoring services to prevent identity theft and fraud;
(2) economic harm through overpayment for their insurance coverage, the cost of which they
maintain should have covered prophylactic measures against hacking; (3) loss of the intrinsic
value of their personal information; and (4) violation of their statutory rights under consumer
protection acts. None of the arguments in support of these contentions is availing.
First, because the increased risk of future identity theft or fraud is too speculative to
confer standing, Plaintiffs cannot opt in to standing-conferring economic injury by purchasing
protection from that future harm. Where “future harm . . . is not certainly impending,” plaintiffs
“cannot manufacture standing by choosing to make expenditures based on” that “hypothetical”
harm. 

. In other words, Plaintiffs “cannot create standing by
‘inflicting harm on themselves’” in the form of purchasing credit-monitoring services in order
“to ward off an otherwise speculative injury.” 

(quoting 

).
Second, a claim that “some indeterminate part of their premiums went toward paying for
security measures . . . is too flimsy to support standing.” 

Like the plaintiffs in SAIC,
Plaintiffs here “do not maintain that the money they paid could have or would have bought a
better policy with a more bullet-proof information-security regime.” 

they “alleged
10
facts that show that the market value of their insurance coverage (plus security services) was
somehow less than what they paid.” 

like the plaintiffs in SAIC, “Plaintiffs do not contend that they intended to sell
[their personal] information on the cyber black market in the first place, so it is uncertain how
they were injured” by the alleged loss of the intrinsic value of that information. 

“it is unclear whether or how the data has been devalued by the breach.” 

allegations to support this contention, Plaintiffs do not plausibly assert harm from the loss of
their personal information’s intrinsic value.
Fourth, Plaintiffs contend that this Court must conclude that they have standing because
the D.C. Court of Appeals, they assert, has held that a violation of the D.C. Consumer Protection
Procedures Act can confer standing on its own. See Pls.’ Opp’n 13 (citing Grayson v. AT&T
Corp., 

, 247 (D.C. 2011)). Setting aside the fact that only the Plaintiffs who are
residents of the District of Columbia assert violations of this D.C. Act, statutory rights cannot
confer Article III standing on a plaintiff who does not have it otherwise. See Spokeo, Inc. v.
Robins, 

, 1547–48 (2016) (“Injury in fact is a constitutional requirement, and ‘[i]t
is settled that Congress cannot erase Article III’s standing requirements by statutorily granting
the right to sue to a plaintiff who would not otherwise have standing.’” (alteration in original)
(quoting Raines v. Byrd, 

, 820 n.3 (1997))). This is so because an injury in fact
must be “both ‘concrete and particularized.’” 

(quoting Friends of the Earth, Inc. v.
Laidlaw Envtl. Servs. (TOC), Inc., 

, 180–81 (2000)). While violation of a
plaintiff’s statutory rights is not irrelevant to standing, it is also not sufficient because it
“concern[s] particularization, not concreteness,” 

“Article III standing requires a
concrete injury even in the context of a statutory violation,” 

And a “‘concrete’ injury
11
must be ‘de facto’; that is, it must actually exist.” 

Where a violation of a statute
“may result in no harm,” that mere violation is insufficient to confer standing. 

Even
if Plaintiffs’ rights under applicable consumer protection acts have been violated, because they
do not plausibly allege concrete harm, they have not demonstrated that they have standing to
press their claims. 5
III.    Conclusion
For the foregoing reasons, Defendants’ motion to dismiss will be granted and the Second
Amended Complaint dismissed without prejudice, and Plaintiffs’ motion to strike will be denied.
An order accompanies this memorandum opinion.
CHRISTOPHER R. COOPER
United States District Judge
Date:   August 10, 2016
5
Plaintiffs have filed a notice of supplemental authority flagging for the Court a recently
decided D.C. Circuit case concerning an alleged violation of D.C. laws protecting consumers
from the disclosure of contact information in the course of credit card transactions. See Hancock
v. Urban Outfitters, Inc., No. 14-7047, 

(D.C. Cir. July 26, 2016). The court
held that the plaintiffs failed to establish standing because, although they alleged statutory
violations, they did not allege any concrete injury in fact as a result of those violations. See 

In dicta, the court noted that “increased risk of fraud or identity theft . . . may satisfy
Article III’s requirement of concrete injury.” 

It is this statement that Plaintiffs
emphasize in their notice. However, the D.C. Circuit’s reasoning, and the principal that
increased risk of harm may satisfy the constitutional requirement of concrete injury are entirely
consistent with the Court’s analysis here.
12