It’s common for companies to assume that data breach lawsuits will be dismissed at the earliest stages of litigation. We’ve seen this happen when consumers are unable to prove standing to sue.
In short, you must actually have injuries that can be redressed by a court order in order for a lawsuit to hold up in court. And in the context of data breaches, many have tried but few have succeeded in overcoming this hurdle.
This may soon change. Enter the CareFirst breach suit.
CareFirst Plaintiffs Had Standing: Why?
In Attias v. CareFirst, a group of consumers sued health insurance company CareFirst after hackers breached its systems and stole their personal information. The information stolen during the attack comprised names, birthdates, email addresses, social security numbers, credit card information, and subscriber ID numbers.
According to the lawsuit, CareFirst stored the information on its servers without the use of encryption. As a result, consumers affected by the breach brought suit against CareFirst for negligence and violations of consumer protection laws.
Following dismissal by the district court for lack of standing, the D.C. Circuit Court reversed and found that the consumers had standing. The court held that the consumers could demonstrate a substantial risk of future harm (identity theft) sufficient to meet standing requirements. The court reached this conclusion without any evidence of an attempt to steal their identities, relying instead on the fact that their social security and credit card numbers had been obtained by the hackers.
Based on “experience and common sense,” the court determined the theft of this information placed the consumers at substantial risk of financial fraud. As another court previously put it, “why else would hackers break into…a database and steal consumers’ private information? Presumably…the purpose is to make fraudulent charges and assume those consumers’ identities.” (See Remijas v. Neiman).
The court also found that the consumers had standing as a result of the theft of their health insurance subscriber ID numbers. A thief could use this information to impersonate the consumer and obtain medical services in his or her name. This could result in inaccurate entries in the victim’s medical records and could potentially result in the victim receiving improper medical treatment, losing insurance coverage, and even becoming disqualified from certain jobs.
Therefore, the court found, even if the consumers’ credit card and social security numbers had not been obtained, the loss of their subscriber ID numbers alone would have created substantial risk of future harm and given them standing to sue.
Key Takeaways from the CareFirst Ruling
The CareFirst ruling means companies collecting credit card and social security numbers should ensure their data security practices align with industry standards and applicable laws – e.g. use of encryption and access controls to protect sensitive information.
Given the frequent nature of these data collection practices (such as collection of employee social security numbers as part of the hiring process), this creates significant risk for companies in general.
Health insurance companies and healthcare providers are especially at risk. They control sensitive patient information subject to more stringent data security/privacy laws (HIPAA). Consumers or patients are more likely to be granted standing to sue in the event of a breach, even where credit card and/or social security information was not involved.
CareFirst may also mark the beginning of a new era for consumer lawsuits following data breaches. It joins what appears to be a growing number of cases where courts have found standing when sensitive information was targeted by hackers. This places emphasis on breaches where a hacker gained unauthorized access to a database to steal information, as opposed to a case where a laptop containing sensitive information is stolen.
Courts tend to view the targeting of consumer information as evidence of harm to consumers, giving them standing to sue. As a result of this changing tide, early dismissal of these lawsuits may no longer be a foregone conclusion.