June 21, 2019

Plaintiffs' attorneys suing over data breaches scored a big win Friday after a federal appeals court reinstated lawsuits brought on behalf of victims of data breaches that hit the U.S. Office of Personnel Management.

The U.S. Court of Appeals for the D.C. Circuit found that the plaintiffs in two consolidated cases had standing to sue in federal court under Article III of the U.S. Constitution. The ruling reversed a district judge's 2017 dismissal of both cases, one of which was a class action, against the OPM and its contractor, KeyPoint Government Solutions Inc.

The class plaintiffs "have plausibly alleged a substantial risk of future identity theft that is fairly traceable to OPM's and KeyPoint's cybersecurity failings and likely redressable, at least in part, by damages," the panel wrote. Further, the plaintiffs in the second case, who are members of the National Treasury Employees Union, "have plausibly alleged actual and imminent constitutional injuries that are likewise traceable to OPM's challenged conduct and redressable."

The panel affirmed dismissal as to only the NTEU's allegations that the OPM breaches violated its members' constitutional right to privacy.

Lawyers who handle data breach class actions have closely watched the OPM cases, which was one of several to address whether victims of data breaches have sufficient injuries to sue, especially if they did not suffer fraudulent charges or other immediate costs associated with a cyberattack. In many cases, victims of data breaches allege nothing more than the risk of identity theft, but some cases have named plaintiffs who suffered fraudulent tax returns, charges to their credit cards or other costs.

Courts have split over whether those injuries are sufficient to have standing, with Friday's ruling siding for the plaintiffs.

"The court's decision represents another strong endorsement for the growing recognition by courts that plaintiffs can establish Article III standing in data breach cases based upon the substantial risk of future identity theft, and the rejection of the narrow view that standing only exists in these cases where there are 'out-of-pocket' losses," wrote Andrew Friedman, a Washington, D.C., partner at Cohen Milstein Sellers & Toll, in an email. He is a lead plaintiffs attorney in class actions over data breaches at Home Depot and Anthem.

"The decision should further bolster data breach lawsuits where the majority of the class has not yet experienced fraud losses, yet the real risk of injury to those class members is significant," he wrote.

The complete article can be viewed here.