D.C. Circuit Reverses Dismissal of Case over Cyberattack, Finding Possible Harm in Data Loss

Neither plaintiffs' attorney Christopher Nace, an attorney at Paulson & Nace, nor CareFirst's lawyer, Matt Gatewood of Eversheds Sutherland, both in Washington, DC, responded to requests for comment.

The ruling comes one day after another health insurer, Anthem Inc., which agreed in June to pay $115 million to resolve lawsuits over a 2015 cyberattack that affected 78.8 million customers, announced a new data breach that may have exposed more than 18,000 Medicare enrollees.

CareFirst, based in Baltimore, was hit with a cyberattack in 2014 that compromised nearly 1.1 million customers. In addition to the DC case, federal judges in Illinois and Maryland also have dismissed class actions over the CareFirst breach on standing grounds.

The DC case was brought on behalf of customers in the District of Columbia, Virginia and Maryland. CareFirst insisted that while names and addresses had been hacked, Social Security and credit card numbers had not. Cooper, in his 2016 dismissal order, appeared to have found those facts persuasive, and also pointed to the earlier dismissal in the Maryland case. But the appeals panel said the complaint actually alleged that CareFirst collected personal identification information that included credit card and Social Security numbers.

The panel also sided with the plaintiffs in finding the harm was far from speculative, relying on the U.S. Court of Appeals for the Seventh Circuit's seminal 2015 decision in Remijas v. Neiman Marcus Group, 794 F.3d 688 (7th Cir. 2015), that said: “Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers' identities.”

The panel also appeared influenced by Spokeo, in which the Supreme Court found that a plaintiff suing in federal court must allege an injury that is “particularized” and “concrete,” rather than speculative.

“This case is a prime example of the type of no-injury lawsuit that the Supreme Court held in Spokeo cannot proceed in federal court,” wrote Andrew Pincus, a partner at Mayer Brown's Washington office, in a brief he filed for the U.S. Chamber of Commerce.

Pincus had argued the Supreme Court case for Spokeo Inc. “The Supreme Court has made clear that a no-injury lawsuit based at most on anxiety about speculative future harm cannot go forward.”

But two other groups, the Electronic Privacy Information Center and the National Consumers League, filed amicus briefs highlighting a changing world in which corporate America is increasingly storing personal information in digital databases. Spokeo actually proved that plaintiffs had established standing, wrote Marc Rotenberg, president and executive director of EPIC, a privacy rights group in Washington, DC.

“The claims are concrete, particularized and actual violations of their legally protected interests, which they allege were caused by the defendants, and are redressable by a favorable court ruling,” he wrote.

The appeals panel agreed.

Under Spokeo, Griffith wrote, the harm was “fairly traceable” to the defendant's actions, noting CareFirst's failure to protect its insured customers. It also was “likely to be redressed” through the claims alleged, citing incurred costs such as identity theft protection that could be reimbursed through monetary damages.

“The plaintiffs here alleged that the data breach at CareFirst exposed them to a heightened risk of identity theft,” Griffith wrote. “The principal question, then, is whether the plaintiffs have plausibly alleged a risk of future injury that is substantial enough to create Article III standing. We conclude that they have.”

*****
Amanda Bronstad writes for The National Law Journal, an ALM sibling of Cybersecurity Law & Strategy. She can be reached at [email protected]. On Twitter: @abronstadlaw.