CareFirst Breach Lawsuit Achieves Standing Under Spokeo

It is common for companies to assume that data breach lawsuits will be dismissed at the earliest stages of litigation. We have seen this happen repeatedly when consumers are unable to establish standing to sue.

In short, a plaintiff must have an actual injury that a court order can redress for the lawsuit to survive. In the data breach context, many plaintiffs have tried to clear this hurdle and few have succeeded.

This may soon change. Enter the CareFirst breach suit.

CareFirst Plaintiffs Had Standing: Why?

In Attias v. CareFirst, a group of consumers sued health insurance company CareFirst after hackers breached its systems and stole their personal information. The information stolen in the attack included names, birthdates, email addresses, Social Security numbers, credit card information, and subscriber ID numbers.

According to the lawsuit, CareFirst stored this information on its servers without encryption. Consumers affected by the breach sued CareFirst for negligence and for violations of consumer protection laws.

The district court dismissed the case for lack of standing, but the D.C. Circuit reversed and found that the consumers did have standing. The court held that the consumers could demonstrate a substantial risk of future harm (identity theft) sufficient to meet the standing requirement. They did not need to show that anyone had actually attempted to steal their identities; it was enough that their Social Security and credit card numbers were now in the hackers' hands.

Based on “experience and common sense,” the court determined that the theft of this information placed the consumers at substantial risk of financial fraud. As another court previously put it, “why else would hackers break into…a database and steal consumers’ private information? Presumably…the purpose is to make fraudulent charges and assume those consumers’ identities.” (See Remijas v. Neiman Marcus.)

The court also found that the consumers had standing as a result of the theft of their health insurance subscriber ID numbers. A thief could use this information to impersonate the consumer and obtain medical services in his or her name. This could result in inaccurate entries in the victim’s medical records and could potentially result in the victim receiving improper medical treatment, losing insurance coverage, and even becoming disqualified from certain jobs.

Therefore, the court found, even if the consumers’ credit card and social security numbers had not been obtained, the loss of their subscriber ID numbers alone would have created substantial risk of future harm and given them standing to sue.

Key Takeaways from the CareFirst Ruling

The CareFirst ruling means that companies collecting credit card and Social Security numbers should ensure their data security practices align with industry standards and applicable laws, e.g., encrypting sensitive information at rest and restricting access to it with access controls.

Given how common these data collection practices are (for example, collecting employee Social Security numbers as part of the hiring process), the ruling creates significant risk for companies in general.

Health insurance companies and healthcare providers are especially exposed. They control sensitive patient information that is subject to more stringent data security and privacy laws (HIPAA), and under this ruling consumers or patients are more likely to be granted standing to sue after a breach, even where no credit card or Social Security information was involved.

CareFirst may also mark the beginning of a new era for consumer lawsuits following data breaches. It joins what appears to be a growing number of cases in which courts have found standing when sensitive information was deliberately targeted by hackers. The emphasis is on breaches where an attacker gained unauthorized access to a database in order to steal information, as opposed to cases where a laptop containing sensitive information happened to be stolen.

Courts increasingly treat the deliberate targeting of consumer information as evidence of harm to consumers, giving them standing to sue. As a result of this changing tide, early dismissal of these lawsuits may no longer be a foregone conclusion.

FCRA Violations Provide Standing in Data Breach Lawsuit

Another data breach lawsuit is making news with regard to Article III standing. This time, the Third Circuit found that violations of the Fair Credit Reporting Act (FCRA) alone were sufficient to establish Article III standing and allow a data breach class action to proceed.

In re Horizon Healthcare Services, Inc. Data Breach Litigation

The case involves Horizon Healthcare Services, Inc., a provider of health insurance products and services. As part of normal business operations, Horizon collects and maintains personally identifiable information about consumers. Its information collection practices are a key component of the plaintiffs’ case: the complaint characterizes Horizon as a consumer reporting agency under FCRA, and therefore subject to its requirements.

FCRA was initially passed by Congress to “ensure fair and accurate credit reporting, promote efficiency in the banking system, and protect consumer privacy.” A private right of action is provided against consumer reporting agencies for their willful or negligent failure to comply with FCRA’s requirements.

Data Breach Details

The data breach occurred in November 2013, when two laptops were stolen from Horizon’s headquarters. The laptops allegedly contained unencrypted personal information of more than 839,000 of Horizon’s insurance plan members.

Horizon responded to the breach by notifying relevant authorities and alerting the affected members through a letter and press release. Horizon also offered affected members one year of credit monitoring and identity theft protection services.

Class Action Lawsuit

Four of the affected members filed a class action lawsuit in June 2014. The plaintiffs alleged both willful and negligent violations of FCRA as a result of Horizon’s unauthorized disclosure of their personal information.

The plaintiffs’ claims were based on the allegation that Horizon, as a consumer reporting agency, had furnished their information in an unauthorized manner through the theft of the two laptops. The plaintiffs alleged that Horizon did not meet its FCRA obligation to implement adequate practices and procedures to protect personal information, for example by encrypting the laptops.

Plaintiffs alleged that as a result of Horizon’s actions and inaction, they were placed “at an imminent, immediate and continuing increased risk of harm from identity theft, identity fraud, and medical fraud, requiring them to take the time and effort to mitigate the actual and potential impact of the Data Breach on their lives.” As a part of the lawsuit, one of the plaintiffs also claimed he suffered identity theft in the wake of the incident.

The district court dismissed the case, finding that the plaintiffs had not alleged a concrete injury sufficient to meet Article III standing. The court held that an increased risk of future harm was too speculative to support Article III standing.

Third Circuit Decision

The Third Circuit reversed the district court’s decision, holding that the allegations of unauthorized disclosure of personal information in violation of FCRA were indeed sufficient to establish standing.

The court cited two prior cases in making its ruling.

In re Google Inc. Cookie Placement Consumer Privacy Litigation

In this case, the plaintiffs did not suffer a monetary loss. The Third Circuit nevertheless found that allegations of cookie placement in violation of federal and state law (the Stored Communications Act) were enough to qualify as a concrete injury.

In re Nickelodeon Consumer Privacy Litigation

In this case, the plaintiffs alleged that Viacom and Google collected personal information in violation of federal and state law (the Wiretap Act and the Video Privacy Protection Act). The Third Circuit found the plaintiffs had standing because the unauthorized disclosure of personal information in violation of these laws was, again, enough to qualify as a concrete injury.

FCRA Violation Equals Concrete Harm

The Third Circuit found a cognizable injury for Article III standing purposes, reasoning as follows:

Congress established that the unauthorized dissemination of personal information by a consumer reporting agency causes injury in and of itself, whether or not the disclosure of that information increased the risk of identity theft or some other future harm. Congress created a private right of action to enforce the provisions of FCRA, and even allowed statutory damages for willful violations, which clearly illustrates that Congress believed a violation of FCRA causes concrete harm to consumers.

According to the Third Circuit, Congress intended to confer standing upon consumers whose credit information was disclosed in violation of FCRA… even when no tangible harm resulted.

Key Takeaway

This case could potentially have substantial implications for future data breach litigation involving consumer reporting agencies under FCRA.

Other data breach cases outside the scope of FCRA (P.F. Chang’s and Nationwide) required plaintiffs to demonstrate an increased risk of identity theft in order to show a concrete injury satisfying Article III standing.

The Horizon case makes early dismissal harder to obtain for consumer reporting agencies under FCRA. Going forward, plaintiffs suing a credit reporting agency may need only to allege a data breach that violates FCRA in order to establish Article III standing.

Barnes and Noble Gets Caught in Data Breach Lawsuit

The U.S. District Court for the Northern District of Illinois took its turn in the ongoing legal saga surrounding Article III standing in data breach lawsuits. The district court found Article III standing, yet still dismissed the class action lawsuit against Barnes and Noble.

Data Breach Background

The incident in question occurred in 2012, when criminals tampered with payment card PIN pads at several Barnes and Noble retail locations. The PIN pads were altered to skim payment card information from the stores’ customers.

The plaintiffs alleged that they found fraudulent charges on their cards after the breach. They also alleged that Barnes and Noble did not notify affected customers until six weeks after it discovered the breach. The plaintiffs filed a class action suit against the retailer.

The trial court dismissed the plaintiffs’ original complaint in 2013. The plaintiffs submitted an amended complaint, which Barnes and Noble moved to dismiss for lack of standing.

Article III Standing

As in the other data breach lawsuits discussed here, Article III standing turns on an “injury-in-fact.” The precedent relied on this time was the Seventh Circuit’s Neiman Marcus decision, which found standing because the retailer had been targeted in order to steal customers’ payment card information, making it reasonable to infer a substantial risk of harm.

Returning to the Barnes and Noble case, the district court determined that the plaintiffs had shown an injury sufficient to warrant Article III standing. As in Neiman Marcus, the injury-in-fact did not depend on the fraudulent charges; it was demonstrated by the steps the plaintiffs took to protect themselves from the substantial risk created by the breach.

District Court Decision

Even though the court found Article III standing in the Barnes and Noble case, it dismissed the lawsuit for failure to allege recoverable economic damages. Specifically, the court rejected the plaintiffs’ claims for the following damages:

  • Overpayment for Barnes and Noble products as the retailer prices information security into its products,
  • Devaluation of personal information affected,
  • Costs related to identity theft protection services renewed after the breach,
  • Time challenging fraudulent charges, and
  • Unnecessary anxiety resulting from the breach.

Plaintiffs also claimed the retailer violated the California Security Breach Notification Act. The court dismissed that claim because the injuries were not caused by failures or delays in the notification process.

Key Takeaway

The Barnes and Noble decision adds to the growing list of data breach cases to analyze. The lesson here is the difference between an injury-in-fact sufficient for Article III standing and the damages needed to maintain a cause of action. The plaintiffs succeeded in demonstrating an injury that established Article III standing, but those same allegations fell short of qualifying as recoverable damages.

For data breach litigation, this distinction matters. Even when plaintiffs establish Article III standing, a motion to dismiss may still be granted on the damages question.

Sixth Circuit Finds Breach Victims’ Heightened Risk of Harm Establishes Standing

The Sixth Circuit has made it easier for victims of a data breach to proceed in court. In a case involving alleged victims of a data breach at Nationwide Mutual Insurance Company, the appellate court ruled that a substantial risk of future harm following a data breach, together with the reasonable costs of mitigating it, is sufficient to establish Article III standing.

Nationwide Data Breach

Nationwide Mutual Insurance Company suffered a data breach on October 3, 2012. Hackers gained access to Nationwide’s computer network and stole personal information of 1.1 million customers. The stolen information included the following: name, date of birth, Social Security number, driver’s license number, gender, marital status, occupation, and employer.

Victims learned of the breach when they received a notification letter from Nationwide. As breach notification laws require, Nationwide’s letter offered suggestions for victims to mitigate any potential harm, including monitoring bank account statements and credit reports and placing a security freeze on their credit reports. In the same letter, Nationwide offered one year of free credit monitoring and identity theft protection services.

The data breach victims filed a lawsuit against Nationwide asserting claims for negligence, bailment, and violation of the Fair Credit Reporting Act. They claimed the data breach presented an “imminent, immediate, and continuing increased risk” of identity fraud: there is a widely recognized market for stolen data, and the victims alleged that this created a reasonable risk of identity theft as a result of the breach. The victims also claimed they incurred financial costs because they purchased mitigation services to protect against the risk of identity fraud.

District Court Decision

The district court granted Nationwide’s motion to dismiss, concluding that the victims had not alleged a cognizable injury and therefore lacked Article III standing. The court also ruled that there was no statutory standing under FCRA and that it lacked jurisdiction over that claim. Unsurprisingly, the breach victims appealed.

Just to recap, parties looking to sue under Article III standing must be able to show they have suffered actual or threatened injury, the injury can be fairly traced back to the action of the defendant, and that it’s likely to be redressed by a favorable court decision.

Sixth Circuit Decision

The Sixth Circuit reversed the district court’s decision and remanded the case. The Sixth Circuit held that the victims had suffered an injury in fact, that the injury was fairly traceable to Nationwide’s actions, and that it was likely to be redressed by a favorable court decision.

According to the Sixth Circuit, the victims’ allegations of “a substantial risk of harm, coupled with reasonably incurred mitigation costs, are sufficient to establish a cognizable Article III injury.” In other words, when a data breach targets personal information, it is reasonable to infer that the information will be used for fraudulent purposes, and the costs victims reasonably incur to mitigate that risk are themselves a sufficiently concrete injury.

This conclusion is consistent with two recent decisions from the Seventh Circuit in the cases against Neiman Marcus and P.F. Chang’s.

Key Takeaway

This decision by the Sixth Circuit is the latest in a series of key decisions concluding that data breach victims have Article III standing without having alleged actual fraud or identity theft.

This case is also notable for how the notification letter was used against Nationwide in the decision. The letter offered victims credit monitoring and identity theft protection services, and the Sixth Circuit cited this as evidence that Nationwide itself recognized the risk of harm created by the breach.

There is growing concern that these mitigation services could be used against companies in future lawsuits. Many companies offer such services in the wake of a data breach, and some state breach notification laws actually require them to. This creates a difficult situation in which companies may be forced to rethink how they respond to a data breach.

Recent Court Ruling Delivers a Victory for Data Privacy

A recent case against Microsoft ended in a victory for data privacy. The U.S. Court of Appeals for the Second Circuit held that Microsoft cannot be compelled to hand over customer emails stored abroad to U.S. law enforcement.

The U.S. government obtained a warrant under the 30-year-old Stored Communications Act (SCA) for the contents of a Microsoft user’s emails and associated account information. Microsoft declined to hand over the emails, which were stored on a server in Ireland, arguing that SCA search warrants reach only data located within the U.S.

The government’s position was that the location of stored electronic files is irrelevant: the files are under Microsoft’s control, so Microsoft is required to produce them. In April 2014, a judge agreed and ruled that Microsoft must comply with the search warrant and turn over the user data to U.S. law enforcement even though the data sits outside the U.S.

Appeal Ruling

The Second Circuit overturned that ruling based on a narrow reading of the SCA. Specifically, the Second Circuit found that the SCA’s warrant provisions were not intended to apply outside the U.S.

Based on this decision, internet service providers subject to the SCA have a good argument for refusing to disclose customer data held outside the U.S. in response to a government warrant. Judge Gerard E. Lynch’s opinion noted that Congress had never addressed the question: “there is no evidence that Congress has ever weighed the costs and benefits of authorizing court orders of the sort at issue in this case.”

Key Takeaway

In the ongoing contest between privacy concerns and law enforcement needs, this decision is a leg up for the privacy side. Going forward, it could complicate matters for law enforcement and investigators dealing with foreign suspects.

Companies can distribute email and other communication data across servers around the world and thereby give users a degree of protection against U.S. law enforcement. Even domestic cases could be affected if data about U.S. citizens is moved across borders and outside U.S. jurisdiction.

The call to action is for Congress to take the next step and revise the SCA to reflect the technology and information environment we are in today.

Impact of the Advocate Health Ruling

The appellate court upheld the dismissal of two lawsuits filed against Advocate Health and Hospitals Corp. Quick recap: in 2013, four unencrypted desktop computers were stolen from the company, affecting 4 million individuals.

The appellate court found that the plaintiffs’ allegations of harm were merely speculative and that allegations of possible future injury were insufficient to confer standing.

The plaintiffs alleged that Advocate violated the Fair Credit Reporting Act by failing to protect consumer data, leading to personal and financial damages. That claim was dismissed because Advocate does not meet FCRA’s definition of a consumer reporting agency and so is not covered by the statute.

The decision is consistent with the majority of other decisions involving security breaches: plaintiffs must demonstrate some specific harm they have suffered. It also shows the courts’ reluctance to expand statutes such as FCRA beyond their defined scope in order to reach a breach scenario.

State Court Invokes HIPAA as Benchmark in Walgreens Case

The Indiana Court of Appeals has upheld a $1.4 million jury award against Walgreens after one of its pharmacists shared a customer’s confidential prescription information. According to the plaintiff’s attorney, Neal Eggeson, the ruling is significant because it is the first to uphold damages for a negligence claim premised on violating the Health Insurance Portability and Accountability Act (HIPAA).

“In this case, a pharmacist breached one of her most sacred duties by viewing the prescription records of a customer and divulging the information she learned from those records to the client’s ex-boyfriend,” says the court of appeals in its decision.

HIPAA provides no private right of action, so individuals cannot sue directly for violations of the federal law. This case works around that by alleging negligence under state law, using HIPAA’s requirements as the standard of care. Earlier this month, a Connecticut court took a similar approach in a negligence case in which patient information was released without consent.

Key Takeaway: Legal experts predict that this decision could set a significant precedent for covered entities and business associates, one that could be cited in future lawsuits over HIPAA violations committed by their employees.