Chantal Attias v. CareFirst, Inc., 865 F.3d 620 (2017)


    United States Court of Appeals
    FOR THE DISTRICT OF COLUMBIA CIRCUIT
    Argued March 31, 2017                 Decided August 1, 2017
    No. 16-7108
    CHANTAL ATTIAS, INDIVIDUALLY AND ON BEHALF OF ALL
    OTHERS SIMILARLY SITUATED, ET AL.,
    APPELLANTS
    v.
    CAREFIRST, INC., DOING BUSINESS AS GROUP
    HOSPITALIZATION AND MEDICAL SERVICES, INC., DOING
    BUSINESS AS CAREFIRST OF MARYLAND, INC., DOING BUSINESS
    AS CAREFIRST BLUECROSS BLUESHIELD, DOING BUSINESS AS
    CAREFIRST BLUECHOICE, INC., ET AL.,
    APPELLEES
    Appeal from the United States District Court
    for the District of Columbia
    (No. 1:15-cv-00882)
    Jonathan B. Nace argued the cause for appellants. With
    him on the briefs was Christopher T. Nace.
    Marc Rotenberg and Alan Butler were on the brief for
    amicus curiae Electronic Privacy Information Center (EPIC) in
    support of appellants.
    Tracy D. Rezvani was on the brief for amicus curiae
    National Consumers League in support of appellants.
    Matthew O. Gatewood argued the cause for appellees.
    With him on the briefs was Robert D. Owen.
    Andrew J. Pincus, Stephen C.N. Lilley, Kathryn
    Comerford Todd, Steven P. Lehotsky, and Warren Postman
    were on the brief for amicus curiae The Chamber of Commerce
    of the United States of America in support of appellees.
    Before: TATEL, GRIFFITH, and MILLETT, Circuit Judges.
    Opinion for the Court filed by Circuit Judge GRIFFITH.
    GRIFFITH, Circuit Judge: In 2014, health insurer CareFirst
    suffered a cyberattack in which its customers’ personal
    information was allegedly stolen. A group of CareFirst
    customers attributed the breach to the company’s carelessness
    and brought a putative class action. The district court dismissed
    for lack of standing, finding the risk of future injury to the
    plaintiffs too speculative to establish injury in fact. We
    conclude that the district court gave the complaint an unduly
    narrow reading. Plaintiffs have cleared the low bar to establish
    their standing at the pleading stage. We accordingly reverse.
    I
    CareFirst and its subsidiaries are a group of health
    insurance companies serving approximately one million
    customers in the District of Columbia, Maryland, and
    Virginia. [1] When customers purchased CareFirst’s insurance
    policies, they provided personal information to the company,
    including their names, birthdates, email addresses, social
    security numbers, and credit card information. CareFirst then
    assigned each customer a subscriber identification number. The
    companies stored this information on their servers. Allegedly,
    though, CareFirst failed to properly encrypt some of the data
    entrusted to its care.

    [1] The facts in this section are primarily taken from the plaintiffs’
    second amended complaint.

    In June 2014, an unknown intruder breached twenty-two
    CareFirst computers and reached a database containing its
    customers’ personal information. CareFirst did not discover the
    breach until April 2015 and only notified its customers in May
    2015. Shortly after the announcement, seven CareFirst
    customers brought a class action against CareFirst and its
    subsidiaries in our district court. Their complaint invoked
    diversity jurisdiction under the Class Action Fairness Act, 28
    U.S.C. § 1332(d), and raised eleven different state-law causes
    of action, including breach of contract, negligence, and
    violation of various state consumer-protection statutes.
    The parties disagree over what the complaint alleged.
    According to CareFirst, the complaint alleged only the
    exposure of limited identifying data, such as customer names,
    addresses, and subscriber ID numbers. According to plaintiffs,
    the complaint also alleged the theft of customers’ social
    security numbers. The plaintiffs sought to certify a class
    consisting of all CareFirst customers residing in the District of
    Columbia, Maryland, and Virginia whose personal information
    had been hacked. CareFirst moved to dismiss for lack of Article
    III standing and, in the alternative, for failure to state a claim.
    The district court agreed that the plaintiffs lacked standing,
    holding that they had alleged neither a present injury nor a high
    enough likelihood of future injury. The plaintiffs had argued
    that they suffered an increased risk of identity theft as a result
    of the data breach, but the district court found this theory of
    injury to be too speculative. The district court did not read the
    complaint to allege the theft of social security numbers or credit
    card numbers, and concluded that “[p]laintiffs have not
    suggested, let alone demonstrated, how the CareFirst hackers
    could steal their identities without access to their social security
    or credit card numbers.” Attias v. CareFirst, Inc., 199 F. Supp. 3d
    193, 201 (D.D.C. 2016).
    Based on its determination that the plaintiffs had failed to
    allege an injury in fact, the district court ordered that their
    “[c]omplaint be dismissed without prejudice.” J.A. 350
    (emphasis omitted). The court did not decide whether diversity
    jurisdiction was proper, or whether the plaintiffs had stated a
    claim for which relief could be granted. Plaintiffs timely
    appealed.
    II
    Although the parties agree that we have jurisdiction to hear
    this appeal, we have an independent duty to ensure that we are
    acting within the limits of our authority. See Steel Co. v.
    Citizens for a Better Env’t, 523 U.S. 83, 93-94 (1998). Our
    jurisdiction embraces “appeals from all final decisions of the
    district courts of the United States.” 28 U.S.C. § 1291
    (emphasis added). In evaluating the finality of district court
    rulings on motions to dismiss, we have distinguished between
    orders dismissing the action, which are final, see Ciralsky v.
    CIA, 355 F.3d 661, 666 (D.C. Cir. 2004), and orders dismissing
    the complaint, which, if rendered “without prejudice,” are
    “typically” not final, Murray v. Gilmore, 406 F.3d 708, 712
    (D.C. Cir. 2005). But here, even though the district court
    ordered that the plaintiffs’ “[c]omplaint be dismissed without
    prejudice,” J.A. 350 (emphasis omitted), we are convinced that
    its order was final, and that we have jurisdiction over this
    appeal.
    Key to that conclusion are the district court’s grounds for
    dismissal. The court below concluded that it lacked subject-
    matter jurisdiction because the plaintiffs lacked Article III
    standing. See Lujan v. Defenders of Wildlife, 504 U.S. 555,
    560-61 (1992) (identifying the plaintiff’s Article III standing as
    an element of federal courts’ jurisdiction). When a court lacks
    subject-matter jurisdiction, it has no authority to address the
    dispute presented. “Jurisdiction is the power to declare the law,
    and when it ceases to exist, the only function remaining to the
    court is that of announcing the fact and dismissing the cause.”
    Steel Co., 523 U.S. at 94 (quoting Ex parte McCardle, 74 U.S.
    (7 Wall.) 506, 514 (1868)). Thus, in the ordinary case, a
    dismissal for lack of subject-matter jurisdiction ends the
    litigation and leaves nothing more for the court to do. That is
    the definition of a final, appealable order. See Riley v. Kennedy,
    553 U.S. 406, 419 (2008). This principle fits neatly into the
    Ciralsky-Murray framework: a dismissal for lack of subject-
    matter jurisdiction is, in effect, a dismissal of the action, and
    therefore final, even if, as here, it is styled as a dismissal of the
    complaint. See Tootle v. Sec’y of Navy, 446 F.3d 167, 172 (D.C.
    Cir. 2006) (“A district court must dismiss an action where . . .
    it concludes that it lacks subject matter jurisdiction.”).
    But that rule is flexible, and we recognize, as did the
    Ciralsky court, that the district court’s intent is a significant
    factor in the analysis. See 355 F.3d at 667-68. Thus, if the
    district court intended for the action to continue via amendment
    of the complaint to allege facts supporting jurisdiction, its
    dismissal order is not final. See Murray, 406 F.3d at 712-13.
    To accommodate both the rule that a dismissal for lack of
    subject-matter jurisdiction ordinarily ends the action and the
    need to respect the intentions of the district court that entered
    the order, we will presume, absent a clear indication to the
    contrary, that a dismissal for lack of subject-matter jurisdiction
    under Rule 12(b)(1) is a final, appealable order. Other circuits
    have similarly concluded that a district court’s dismissal for
    lack of subject-matter jurisdiction is generally final and
    appealable. See, e.g., Radha Geismann, M.D., P.C. v. ZocDoc,
    Inc., 850 F.3d 507, 509 n.3 (2d Cir. 2017); City of Yorkville ex
    rel. Aurora Blacktop Inc. v. Am. S. Ins. Co., 654 F.3d 713,
    715-16 (7th Cir. 2011); Whisnant v. United States, 400 F.3d 1177,
    1180 (9th Cir. 2005).
    Where subject-matter jurisdiction depends on the factual
    allegations in the complaint, as it does here, the district court
    can signal that a dismissal under Rule 12(b)(1) is not final if it
    expressly gives the plaintiff leave to amend the complaint. See
    FED. R. CIV. P. 15(a)(2). A court that has extended such an
    invitation to amend clearly contemplates that there is still some
    work for the court to do before the litigation is over. See Riley,
    553 U.S. at 419; see also Mohawk Indus., Inc. v. Carpenter,
    558 U.S. 100, 106 (2009) (describing a final decision as one
    “by which a district court disassociates itself from a case”
    (quoting Swint v. Chambers Cty. Comm’n, 514 U.S. 35, 42
    (1995))).
    On the other hand, a court’s statement that its jurisdictional
    dismissal is “without prejudice” will not, by itself, overcome
    the presumption that such dismissals terminate the action, not
    just the complaint. By dismissing without prejudice, a district
    court leaves the plaintiff free to return later to the same court
    with the same underlying claim. See Semtek Int’l Inc. v.
    Lockheed Martin Corp., 531 U.S. 497, 505 (2001). But as
    Ciralsky explained, either a complaint or an action can be
    dismissed “without prejudice.” See 355 F.3d at 666-67. Thus,
    an order of dismissal “without prejudice” tells us nothing about
    whether the district court intended to dismiss the action, which
    would be a final order, or the complaint, which would not. By
    contrast, an express invitation to amend is a much clearer signal
    that the district court is rejecting only the complaint presented,
    and that it intends the action to continue.
    Though it may be possible in some cases to discern an
    invitation to amend the complaint from clues in the district
    court’s opinion, we think that anything less than an express
    invitation is not a clear enough signal to overcome the
    presumption of finality. This approach balances the district
    court’s position as master of its docket, see Dietz v. Bouldin,
    136 S. Ct. 1885, 1892 (2016); Cunningham v. Hamilton Cty.,
    527 U.S. 198, 203 (1999), our supervisory authority, see
    Ciralsky, 355 F.3d at 667 (noting that we are not bound to
    accept a district court’s determination that its order is final),
    and the need for clarity in assessing the finality of an order, cf.
    id. (“[I]t is not always clear whether a district court intended its
    order to dismiss the action or merely the complaint.”).
    Because the district court in this case dismissed for lack of
    subject-matter jurisdiction without expressly inviting the
    plaintiffs to amend their complaint or giving some other
    equally clear signal that it intended the action to continue, the
    order under review ended the district court action, and was thus
    final and appealable. We have appellate jurisdiction under 28
    U.S.C. § 1291.
    III
    We now turn to the question the district court decided and
    which we review de novo: whether the plaintiffs have standing
    to bring their action against CareFirst. See Food & Water
    Watch, Inc. v. Vilsack, 808 F.3d 905, 913 (D.C. Cir. 2015).
    Standing is a prerequisite to the existence of a “Case[]” or
    “Controvers[y],” which is itself a precondition to the exercise
    of federal judicial power. U.S. CONST. art. III, §§ 1-2; Lujan,
    504 U.S. at 560. To demonstrate standing, a plaintiff must show
    that she has suffered an “injury in fact” that is “fairly traceable”
    to the defendant’s actions and that is “likely to be redressed”
    by the relief she seeks. Spokeo, Inc. v. Robins, 136 S. Ct. 1540,
    1547 (2016) (quoting Lujan, 504 U.S. at 560).
    The burden to make all of these showings always remains
    with the plaintiff, but the burden grows as the litigation
    progresses. Lujan, 504 U.S. at 561. The district court dismissed
    this action at the pleading stage, where plaintiffs are required
    only to “state a plausible claim” that each of the standing
    elements is present. See Food & Water Watch, 808 F.3d at 913
    (emphasis added) (quoting Humane Soc’y of the U.S. v.
    Vilsack, 797 F.3d 4, 8 (D.C. Cir. 2015)); see also Lujan,
    504 U.S. at 561 (“[E]ach element [of standing] must be
    supported . . . with the manner and degree of evidence required
    at the successive stages of the litigation. At the pleading stage,
    general factual allegations of injury resulting from the
    defendant’s conduct may suffice . . . .” (citations omitted)).
    This case primarily concerns the injury-in-fact
    requirement, which serves to ensure that the plaintiff has a
    personal stake in the litigation. See Susan B. Anthony List v.
    Driehaus (SBA List), 134 S. Ct. 2334, 2341 (2014). An injury
    in fact must be concrete, particularized, and, most importantly
    for our purposes, “actual or imminent” rather than speculative.
    Spokeo, 136 S. Ct. at 1548 (quoting Lujan, 504 U.S. at 560).
    The district court found missing the requirement that the
    plaintiffs’ injury be “actual or imminent.” Id. The plaintiffs
    here alleged that the data breach at CareFirst exposed them to
    a heightened risk of identity theft. The principal question, then,
    is whether the plaintiffs have plausibly alleged a risk of future
    injury that is substantial enough to create Article III standing.
    We conclude that they have. [2]

    [2] Two of the plaintiffs, Curt and Connie Tringler, alleged that
    they had already suffered identity theft as a result of the breach.
    Specifically, they claimed that their anticipated tax refund had gone
    missing. The district court acknowledged that the Tringlers had
    alleged an injury in fact but held that the Tringlers nevertheless
    lacked standing because their injury was not fairly traceable to the
    data breach. On the district court’s reading, the complaint did not
    allege theft of social security numbers, and the Tringlers had not
    explained how thieves could divert a tax refund without access to the
    taxpayers’ social security numbers.
    Because we conclude that all plaintiffs, including the Tringlers,
    have standing to sue CareFirst based on their heightened risk of
    future identity theft, we need not address the Tringlers’ separate
    argument as to past identity theft. For the same reason, we will not
    address the other theories of standing advanced by plaintiffs or their
    amici, including the theory that CareFirst’s alleged violation of state
    consumer protection statutes was a distinct injury in fact.

    As the district court recognized, the leading case on claims
    of standing based on risk of future injury is Clapper v. Amnesty
    International USA, 568 U.S. 398 (2013). In Clapper, plaintiffs
    challenged a provision of the Foreign Intelligence Surveillance
    Act that allowed surveillance of foreign nationals outside the
    United States. Id. at 404-05 (citing 50 U.S.C. § 1881a). Though
    the plaintiffs were not foreign nationals, they alleged an
    “objectively reasonable likelihood” that their communications
    with overseas contacts would be intercepted. Id. at 410. The
    Court responded that “threatened injury must be certainly
    impending to constitute injury in fact.” Id. (quoting Whitmore
    v. Arkansas, 495 U.S. 149, 158 (1990)). But the Court also
    noted that in some cases it has “found standing based on a
    ‘substantial risk’ that the harm will occur.” Id. at 414 n.5.
    The plaintiffs’ theory of standing in Clapper, however,
    failed under either formulation. Id. at 410, 414 n.5. The major
    flaw in their argument was that it rested on “a highly attenuated
    chain of possibilities.” Id. at 410. Several links in this chain
    would have required the assumption that independent
    decisionmakers charged with policy discretion (i.e., executive-
    branch intelligence officials) and with resolving complex legal
    and factual questions (i.e., the Article III judges of the Foreign
    Intelligence Surveillance Court) would exercise their
    discretion in a specific way. See id. at 410-14. With so many
    links in the causal chain, the injury the plaintiffs feared was too
    speculative to qualify as “injury in fact.”
    In Susan B. Anthony List v. Driehaus, the Court clarified
    that a plaintiff can establish standing by satisfying either the
    “certainly impending” test or the “substantial risk” test. See
    134 S. Ct. at 2341. The Court held that an advocacy group had
    standing to bring a pre-enforcement challenge to an Ohio
    statute prohibiting false statements during election campaigns.
    See id. at 2347. The holding rested in part on the fact that the
    group could conceivably face criminal prosecution under the
    statute, id. at 2346, but the Court also described the risk of
    administrative enforcement, standing alone, as “substantial,”
    id. This was so even though any future enforcement
    proceedings would be based on a complaint not yet made
    regarding a statement the group had not yet uttered against a
    candidate not yet identified. See id. at 2343-45.
    Since SBA List, we have frequently upheld claims of
    standing based on allegations of a “substantial risk” of future
    injury. See, e.g., In re Idaho Conservation League, 811 F.3d
    502, 509 (D.C. Cir. 2016) (using “significant risk” and
    “reasonabl[e] fears” as the standard); Nat’l Ass’n of
    Broadcasters v. FCC, 789 F.3d 165, 181 (D.C. Cir. 2015)
    (using “substantial risk”); Sierra Club v. Jewell, 764 F.3d 1, 7
    (D.C. Cir. 2014) (using “substantial probability of injury”).
    Under our precedent, “the proper way to analyze an increased-
    risk-of-harm claim is to consider the ultimate alleged harm,”
    which in this case would be identity theft, “as the concrete and
    particularized injury and then to determine whether the
    increased risk of such harm makes injury to an individual
    citizen sufficiently ‘imminent’ for standing purposes.” Food &
    Water Watch, 808 F.3d at 915 (quoting Public Citizen, Inc. v.
    Nat’l Highway Traffic Safety Admin., 489 F.3d 1279, 1298
    (D.C. Cir. 2007)).
    Nobody doubts that identity theft, should it befall one of
    these plaintiffs, would constitute a concrete and particularized
    injury. The remaining question, then, keeping in mind the light
    burden of proof the plaintiffs bear at the pleading stage, is
    whether the complaint plausibly alleges that the plaintiffs now
    face a substantial risk of identity theft as a result of CareFirst’s
    alleged negligence in the data breach. See id.
    We start with the familiar principle that the factual
    allegations in the complaint are assumed to be true at the
    motion-to-dismiss stage. See, e.g., Jerome Stevens Pharms.,
    Inc. v. FDA, 402 F.3d 1249, 1253-54 (D.C. Cir. 2005); see also
    Food & Water Watch, 808 F.3d at 913 (noting that we need not
    “assume the truth of legal conclusions[ or] accept inferences
    that are unsupported by the facts set out in the complaint”
    (quoting Arpaio v. Obama, 797 F.3d 11, 19 (D.C. Cir. 2015))).
    The district court concluded that the plaintiffs had “not
    demonstrated a sufficiently substantial risk of future harm
    stemming from the breach to establish standing,” Attias, 199 F.
    Supp. 3d at 201, in part because they had “not suggested, let
    alone demonstrated, how the CareFirst hackers could steal their
    identities without access to their social security or credit card
    numbers,” id. But that conclusion rested on an incorrect
    premise: that the complaint did not allege the theft of social
    security or credit card numbers in the data breach. In fact, the
    complaint did.
    The complaint alleged that CareFirst, as part of its
    business, collects and stores its customers’ personal
    identification information, personal health information, and
    other sensitive information, all of which the plaintiffs refer to
    collectively as “PII/PHI/Sensitive Information.” J.A. 7. This
    category of “PII/PHI/Sensitive Information,” as plaintiffs
    define it, includes “patient credit card . . . and social security
    numbers.” J.A. 7. Next, the complaint asserted that “the
    cyberattack [on CareFirst] allowed access to PII, PHI, ePHI,
    and other personal and sensitive information of Plaintiffs.” J.A.
    8. And, according to the plaintiffs, “[i]dentity thieves can use
    identifying data—including that accessed on Defendants’
    servers—to open new financial accounts[,] incur charges in
    another person’s name,” and commit various other financial
    misdeeds; the CareFirst breach exposed “all of the information
    wrongdoers need” for appropriation of a victim’s identity. See
    J.A. 5, 11 (emphasis added).
    So we have specific allegations in the complaint that
    CareFirst collected and stored “PII/PHI/Sensitive
    Information,” a category of information that includes credit
    card and social security numbers; that PII, PHI, and sensitive
    information were stolen in the breach; and that the data
    “accessed on Defendants’ servers” place plaintiffs at a high risk
    of financial fraud. The complaint thus plausibly alleges that the
    CareFirst data breach exposed customers’ social security and
    credit card numbers. CareFirst does not seriously dispute that
    plaintiffs would face a substantial risk of identity theft if their
    social security and credit card numbers were accessed by a
    network intruder, and, drawing on “experience and common
    sense,” we agree. Ashcroft v. Iqbal, 556 U.S. 662, 679 (2009).
    The complaint separately alleges that the “combination of
    members’ names, birth dates, email addresses and subscriber
    identification number[s] alone qualifies as personal
    information, and the unauthorized access to said combination
    of information creates a material risk of identity theft.” J.A. 8
    (emphasis added). This allegation of risk based solely on theft
    of health insurance subscriber ID numbers is plausible when
    taken in conjunction with the complaint’s description of a form
    of “medical identity theft” in which a fraudster impersonates
    the victim and obtains medical services in her name. See J.A.
    12. That sort of fraud leads to “inaccurate entries in [victims’]
    medical records” and “can potentially cause victims to receive
    improper medical care, have their insurance depleted, become
    ineligible for health or life insurance, or become disqualified
    from some jobs.” J.A. 12. These portions of the complaint
    would make up, at the very least, a plausible allegation that
    plaintiffs face a substantial risk of identity fraud, even if their
    social security numbers were never exposed to the data thief.
    Our conclusion that the alleged risk here is “substantial” is
    bolstered by a comparison between this case and the
    circumstances in Clapper. In Clapper, the plaintiffs feared the
    interception of their overseas communications by the
    government, but that harm could only occur through the
    happening of a series of contingent events, none of which was
    alleged to have occurred by the time of the lawsuit. See 568
    U.S. at 410-14. The harm also would not have arisen unless a
    series of independent actors, including intelligence officials
    and Article III judges, exercised their independent judgment in
    a specific way. Even then, the intelligence officials would need
    to have actually captured the plaintiffs’ conversations in the
    process of targeting those plaintiffs’ foreign contacts. See id.
    Here, by contrast, an unauthorized party has already
    accessed personally identifying data on CareFirst’s servers, and
    it is much less speculative—at the very least, it is plausible—
    to infer that this party has both the intent and the ability to use
    that data for ill. As the Seventh Circuit asked, in another data
    breach case where the court found standing, “Why else would
    hackers break into a . . . database and steal consumers’ private
    information? Presumably, the purpose of the hack is, sooner or
    later, to make fraudulent charges or assume those consumers’
    identities.” See Remijas v. Neiman Marcus Grp., 794 F.3d 688,
    693 (7th Cir. 2015). No long sequence of uncertain
    contingencies involving multiple independent actors has to
    occur before the plaintiffs in this case will suffer any harm; a
    substantial risk of harm exists already, simply by virtue of the
    hack and the nature of the data that the plaintiffs allege was
    taken. That risk is much more substantial than the risk
    presented to the Clapper Court, and satisfies the requirement
    of an injury in fact.
    Of course, plaintiffs cannot establish standing merely by
    alleging that they have been injured. An alleged injury in fact
    must also be “fairly traceable to the challenged conduct of the
    defendant.” Spokeo, 136 S. Ct. at 1547. Though CareFirst
    devotes only limited space in its brief to this point, the company
    argues that the plaintiffs “do not allege that the thief is or was
    in any way affiliated with CareFirst.” Appellees’ Br. 7. The
    company thus seems to contend that the plaintiffs’ injury is
    “fairly traceable” only to the data thief. It is of course true that
    the thief would be the most immediate cause of plaintiffs’
    injuries, should they occur, and that CareFirst’s failure to
    secure its customers’ data would be one step removed in the
    causal chain. But Article III standing does not require that the
    defendant be the most immediate cause, or even a proximate
    cause, of the plaintiffs’ injuries; it requires only that those
    injuries be “fairly traceable” to the defendant. See Lexmark
    Int’l, Inc. v. Static Control Components, Inc., 134 S. Ct. 1377,
    1391 n.6 (2014); Orangeburg v. FERC, No. 15-1274, 2017 WL
    2989486, at *6 (D.C. Cir. July 14, 2017). Because we assume,
    for purposes of the standing analysis, that plaintiffs will prevail
    on the merits of their claim that CareFirst failed to properly
    secure their data and thereby subjected them to a substantial
    risk of identity theft, see, e.g., Public Citizen, 489 F.3d at 1289,
    we have little difficulty concluding that their injury in fact is
    fairly traceable to CareFirst.
    Finally, the plaintiffs’ injury must be “likely to be
    redressed by a favorable judicial decision.” Spokeo, 136 S. Ct.
    at 1547. Clapper recognized that where there is “a ‘substantial
    risk’ that a harm will occur, [this risk] may prompt plaintiffs to
    reasonably incur costs to mitigate or avoid that harm,” and a
    court can award damages to recoup those costs. See 568 U.S.
    at 414 n.5. Plaintiffs allege that they have incurred such costs:
    “the cost of responding to the data breach, the cost of acquiring
    identity theft protection and monitoring, [the] cost of
    conducting a damage assessment, [and] mitigation costs.” J.A.
    5-6. To be sure, such self-imposed risk-mitigation costs, when
    “incurred in response to a speculative threat,” do not fulfill the
    injury-in-fact requirement. Clapper, 568 U.S. at 416-17. But
    they can satisfy the redressability requirement, when combined
    with a risk of future harm that is substantial enough to qualify
    as an injury in fact. The fact that plaintiffs have reasonably
    spent money to protect themselves against a substantial risk
    creates the potential for them to be made whole by monetary
    damages.
    IV
    CareFirst urges us, in the alternative, to hold that the
    plaintiffs’ complaint fails to state a claim for which relief can
    be granted. See FED. R. CIV. P. 12(b)(6). However, an
    antecedent question remains: whether the plaintiffs properly
    invoked the district court’s diversity jurisdiction under 28
    U.S.C. § 1332. The district court expressly reserved judgment
    on that issue, and on the record before us, we cannot answer it
    ourselves. It would thus be inappropriate for us to reach beyond
    the standing question.
    Accordingly, the district court’s order dismissing this
    action for lack of standing is reversed, and the case is remanded
    for further proceedings consistent with this opinion.
    So ordered.
    

Document Info

Docket Number: 16-7108

Citation Numbers: 865 F.3d 620

Filed Date: 8/1/2017

Precedential Status: Precedential

Modified Date: 1/12/2023

Authorities (18)

City of Yorkville Ex Rel. Aurora Blacktop Inc. v. American ..., 654 F.3d 713 (2011)

Lorrin Whisnant, Individually v. United States, 400 F.3d 1177 (2005)

Jerome Stevens Pharmaceuticals, Inc. v. Food & Drug ..., 402 F.3d 1249 (2005)

Murray, Lucy v. Gilmore, David, 406 F.3d 708 (2005)

Ciralsky v. Central Intelligence Agency, 355 F.3d 661 (2004)

Tootle v. Secretary of the Navy, 446 F.3d 167 (2006)

Whitmore Ex Rel. Simmons v. Arkansas, 110 S. Ct. 1717 (1990)

Lujan v. Defenders of Wildlife, 112 S. Ct. 2130 (1992)

Swint v. Chambers County Commission, 115 S. Ct. 1203 (1995)

Steel Co. v. Citizens for a Better Environment, 118 S. Ct. 1003 (1998)

Cunningham v. Hamilton County, 119 S. Ct. 1915 (1999)

Semtek International Inc. v. Lockheed Martin Corp., 121 S. Ct. 1021 (2001)

Riley v. Kennedy, 128 S. Ct. 1970 (2008)

Ashcroft v. Iqbal, 129 S. Ct. 1937 (2009)

Mohawk Industries, Inc. v. Carpenter, 130 S. Ct. 599 (2009)

Lexmark Int'l, Inc. v. Static Control Components, Inc., 134 S. Ct. 1377 (2014)

Susan B. Anthony List v. Driehaus, 134 S. Ct. 2334 (2014)

Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016)
