Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

D.C. Circuit Reverses Dismissal of Case over Cyberattack, Finding Possible Harm in Data Loss

By Amanda Bronstad
September 02, 2017

Calling for a broader view of standing, a federal appeals court in Washington, DC, has reversed the dismissal of a case brought over the 2014 cyberattack of health insurer CareFirst. The D.C. Circuit decision comes in one of the first data breach cases to address standing under the U.S. Supreme Court's holding in Spokeo v. Robins, 136 S.Ct. 1540 (May 16, 2016).

The U.S. Court of Appeals for the District of Columbia ruled on August 1 that the district judge had “given the complaint an unduly narrow reading” in finding that the plaintiffs' claims of increased risk of identity theft were speculative. U.S. District Judge Christopher Cooper of the District of Columbia based much of his ruling on the fact that the plaintiffs couldn't allege identity theft risks if their Social Security or credit card numbers hadn't been stolen.

“But that conclusion rested on an incorrect premise: that the complaint did not allege the theft of Social Security or credit card numbers in the data breach,” wrote Circuit Judge Thomas Griffith. “In fact, the complaint did.”

Neither plaintiffs' attorney Christopher Nace, an attorney at Paulson & Nace, nor CareFirst's lawyer, Matt Gatewood of Eversheds Sutherland, both in Washington, DC, responded to requests for comment.

The ruling comes one day after another health insurer, Anthem Inc., which agreed in June to pay $115 million to resolve lawsuits over a 2015 cyberattack that affected 78.8 million customers, announced a new data breach that may have exposed more than 18,000 Medicare enrollees.

CareFirst, based in Baltimore, was hit with a cyberattack in 2014 that compromised nearly 1.1 million customers. In addition to the DC case, federal judges in Illinois and Maryland also have dismissed class actions over the CareFirst breach on standing grounds.

The DC case was brought on behalf of customers in the District of Columbia, Virginia and Maryland. CareFirst insisted that while names and addresses had been hacked, Social Security and credit card numbers had not. Cooper, in his 2016 dismissal order, appeared to have found those facts persuasive, and also pointed to the earlier dismissal in the Maryland case. But the appeals panel said the complaint actually alleged that CareFirst collected personal identification information that included credit card and Social Security numbers.

The panel also sided with the plaintiffs in finding the harm was far from speculative, relying on the U.S. Court of Appeals for the Seventh Circuit's seminal 2015 decision in Remijas v. Neiman Marcus Group, 794 F.3d 688 (7th Cir. 2015), that said: “Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers' identities.”

The panel also appeared influenced by Spokeo, in which the Supreme Court found that a plaintiff suing in federal court must allege an injury that is “particularized” and “concrete,” rather than speculative.

“This case is a prime example of the type of no-injury lawsuit that the Supreme Court held in Spokeo cannot proceed in federal court,” wrote Andrew Pincus, a partner at Mayer Brown's Washington office, in a brief he filed for the U.S. Chamber of Commerce.

Pincus had argued the Supreme Court case for Spokeo Inc. “The Supreme Court has made clear that a no-injury lawsuit based at most on anxiety about speculative future harm cannot go forward.”

But two other groups, the Electronic Privacy Information Center and the National Consumers League, filed amicus briefs highlighting a changing world in which corporate America is increasingly storing personal information in digital databases. Spokeo actually proved that plaintiffs had established standing, wrote Marc Rotenberg, president and executive director of EPIC, a privacy rights group in Washington, DC.

“The claims are concrete, particularized and actual violations of their legally protected interests, which they allege were caused by the defendants, and are redressable by a favorable court ruling,” he wrote.

The appeals panel agreed.

Under Spokeo, Griffith wrote, the harm was “fairly traceable” to the defendant's actions, noting CareFirst's failure to protect its insured customers. It also was “likely to be redressed” through the claims alleged, citing incurred costs such as identity theft protection that could be reimbursed through monetary damages.

“The plaintiffs here alleged that the data breach at CareFirst exposed them to a heightened risk of identity theft,” Griffith wrote. “The principal question, then, is whether the plaintiffs have plausibly alleged a risk of future injury that is substantial enough to create Article III standing. We conclude that they have.”

*****
Amanda Bronstad writes for The National Law Journal, an ALM sibling of Cybersecurity Law & Strategy. She can be reached at [email protected]. On Twitter: @abronstadlaw.

This premium content is locked for Entertainment Law & Finance subscribers only

  • Stay current on the latest information, rulings, regulations, and trends
  • Includes practical, must-have information on copyrights, royalties, AI, and more
  • Tap into expert guidance from top entertainment lawyers and experts

For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473

Read These Next
How Secure Is the AI System Your Law Firm Is Using? Image

In a profession where confidentiality is paramount, failing to address AI security concerns could have disastrous consequences. It is vital that law firms and those in related industries ask the right questions about AI security to protect their clients and their reputation.

COVID-19 and Lease Negotiations: Early Termination Provisions Image

During the COVID-19 pandemic, some tenants were able to negotiate termination agreements with their landlords. But even though a landlord may agree to terminate a lease to regain control of a defaulting tenant's space without costly and lengthy litigation, typically a defaulting tenant that otherwise has no contractual right to terminate its lease will be in a much weaker bargaining position with respect to the conditions for termination.

Pleading Importation: ITC Decisions Highlight Need for Adequate Evidentiary Support Image

The International Trade Commission is empowered to block the importation into the United States of products that infringe U.S. intellectual property rights, In the past, the ITC generally instituted investigations without questioning the importation allegations in the complaint, however in several recent cases, the ITC declined to institute an investigation as to certain proposed respondents due to inadequate pleading of importation.

The Power of Your Inner Circle: Turning Friends and Social Contacts Into Business Allies Image

Practical strategies to explore doing business with friends and social contacts in a way that respects relationships and maximizes opportunities.

Authentic Communications Today Increase Success for Value-Driven Clients Image

As the relationship between in-house and outside counsel continues to evolve, lawyers must continue to foster a client-first mindset, offer business-focused solutions, and embrace technology that helps deliver work faster and more efficiently.