The U.S. Supreme Court cleared the path for cyber breach plaintiffs to establish standing in their lawsuit against CareFirst. The Supreme Court’s refusal to review the lower appeal court’s decision to grant standing for the plaintiffs allows the case to proceed.
CareFirst is a health insurance company with customers in the District of Columbia, Maryland, and Virginia. In May 2015, CareFirst notified its customers that an unknown hacker breached its network in 2014. Once inside, the intruder reached a database that contained the personal information of CareFirst’s customers. The information included names, social security numbers, birth dates, credit cards, and email addresses.
Shortly after being notified, the victims of the breach filed a federal lawsuit in the District of Columbia. As plaintiffs, the victims alleged that CareFirst failed to properly encrypt its data.
Lower Court Decisions
In 2016, the federal district court dismissed the plaintiff’s case for lacking Article III standing. The district court explained that the risk of future harm was” too speculative” to establish the plaintiff’s injury. Also, the district court found the plaintiffs were missing the requirement that there be an “actual or imminent” injury. As a result of the ruling, the plaintiffs appealed the district court’s decision.
In 2017, the federal appeals court examined whether the plaintiffs had “plausibly alleged a risk of future injury.” The appeals court weighed if the future injury was “substantial enough to create Article III standing.” After reviewing the appeal, the appeals court reversed the lower district court’s decision. The appeals court held that the plaintiff’s standing only required injuries that are “fairly traceable” to CareFirst. The standing analysis viewed the plaintiffs as prevailing if CareFirst failed to properly secure it customers’ data. As a result, the failure to secure data would expose the plaintiffs to a substantial risk of identity theft.
On February 16, 2018, the Supreme Court denied CareFirst’s appeal to review the case. Advocates for CareFirst declared their disappointment with the Supreme Court for not breaking a circuit split. The Third, Fourth, and Eighth Circuits said that a threat of harm or an increased risk was insufficient to establish standing. Meanwhile, the Sixth, Seventh, and Ninth Circuits, along with the District of Columbia, granted standing based on an increased risk of future identity theft.
Corporate Accountability
CareFirst’s inability to get the lawsuit dismissed shows a more favorable view of standing for cyber breach plaintiffs. In Data Breach Today, Attorney Jonathan Nance, representing the plaintiffs, points out that “data breaches are happening all of the time.” Nance further added, “The D.C. Circuit’s opinion and the Supreme Court’s decision to deny cert simply indicate that our courts will permit citizens to hold corporations accountable when they fail to take reasonable precautions to protect our data.”
Alice M. Porch, Esq., CIPP/US, C|EH, Security+
Alice is a member of the Florida Bar, and she focuses on data privacy and cybersecurity compliance in her law practice. She attended the Warrington College of Business at the University of Florida and earned a Bachelor of Science in Business Administration. After graduating, she earned a Juris Doctor at the Stetson University College of Law. During law school, she served as an Assistant Executive Editor for Stetson Law Review and also as a Staff Editor for Stetson Journal of Advocacy and the Law. She currently serves as Chair of The Florida Bar Journal/News Editorial Board.
