When a data breach occurs at a company, do data breach victims have the right to sue? How is “harm” defined in data breach cases? And how much harm resulting from a data breach is needed to support a consumer lawsuit? The high-profile case CareFirst v. Attias has been dealing with these issues.
In June 2014, Maryland-based CareFirst Blue Cross Blue Shield was hit with a data breach that exposed more than 1.1 million records on current and former patients. Personal information, including names, birth dates, email addresses, and subscriber identification numbers, was exposed in the breach.
Victims filed a class-action lawsuit against CareFirst, claiming the increased risk of identity theft they suffered constituted “injury-in-fact,” triggering Article III standing. But CareFirst wanted consumers to have to prove actual harm, rather than bringing lawsuits on the potential for damage.
After the U.S. Court of Appeals for the District of Columbia ruled that the customers had the right to pursue its class-action lawsuit against CareFirst, CareFirst filed a petition with the U.S. Supreme Court in November 2017, asking for a review of its case.
“Without guidance, courts, litigants, cybersecurity insurers and corporate America will remain uncertain as to when a federal court can hear such claims,” CareFirst’s attorneys argued in the petition. “This case presents an ideal vehicle for the court to clarify that to satisfy the substantial risk standard, an alleged future injury must be imminent.”
But in February 2018, the Supreme Court “denied certiorari” to review CareFirst’s appeal, which would have been the first of its kind to be reviewed by the high court. Some thought the case would provide the Court with the opportunity to clarify whether the possibility of harm from a data breach is enough for victims to bring legal action. The class-action lawsuit against CareFirst is now headed back to the Washington federal trial court, where the suit will likely proceed.
Christopher Nace, an attorney with Paulson and Nace in Washington, D.C., representing the plaintiffs in the CareFirst case, said the D.C. appeals court decision and the Supreme Court’s denial “simply indicates that our courts will provide citizens a venue to hold corporations accountable when they fail to take reasonable precautions to protect our data.”
“When you consider all of the Americans who have had their data exposed, it is important that corporate America understands that if they do not take reasonable steps to protect citizens’ data, they will be held responsible in our courts,” he said.
While the Supreme Court may eventually have to address some of the questions presented in CareFirst’s petition, for now, the high court is it to the the lower courts to decide the definition of harm of breach victims.
“While in many cases it comes down the particular issues in a breach, the federal circuit courts have taken decidedly different perspectives on the question,” said Craig A. Newman, a litigation partner at Patterson Belknap Webb & Tyler LLP. “Without guidance from the Supreme Court, we’ll continue to see much of the same.”