- A petition for writ of certiorari was recently filed with the US Supreme Court, pushing the CareFirst data breach case forward. CareFirst wants its case reviewed, which could potentially reignite the debate over how plaintiffs need to establish that injuries took place from a data breach.
In August 2017, the US Court of Appeals for the District of Columbia Circuit reversed a previous ruling in the CareFirst case. The appeals court said “the district court gave the complaint an unduly narrow reading,” and that the plaintiffs “cleared the low bar to establish their standing at the pleading stage.”
“Their theory of harm relies solely on the actions of an unknown independent third party,” the decision read, maintaining it was not proven that the plaintiffs suffered any injury from the reported data breach. “It is thus not clear ‘whether future harm from a data security breach will materialize,’ but also uncertain ‘when such harm will occur.’”
CareFirst was involved in two reported data breaches, one of which occurred in June 2014 and another near May 2015. The organization said it was conducting a risk assessment on April 21, 2015 when it discovered that “a sophisticated cyberattack occurred.” There was also “limited unauthorized access to a database on June 19, 2014.”
Potentially exposed information included member-created user names created by individuals to access CareFirst’s website, members’ names, dates of birth, email addresses and subscriber identification numbers. However, Social Security Numbers, medical claims information and financial information were not involved.
The Appellate Court determined that should one of the plaintiffs suffer from identity theft, it “would constitute a concrete and particularized injury.” It was still necessary though to review “whether the complaint plausibly alleges that the plaintiffs now face a substantial risk of identity theft as a result of CareFirst’s alleged negligence in the data breach.”
Furthermore, Article III Standing requires only that those injuries be “fairly traceable” to the defendant, according to the Appellate Court.
“Because we assume, for purposes of the standing analysis, that plaintiffs will prevail on the merits of their claim that CareFirst failed to properly secure their data and thereby subjected them to a substantial risk of identity theft…we have little difficulty concluding that their injury in fact is fairly traceable to CareFirst,” the ruling stated.
The recent petition wants the US Supreme Court to decide “whether a plaintiff has Article III standing based on a substantial risk of harm that is not imminent and where the alleged future harm requires speculation about the choices of third-party actors not before the court.”
CareFirst maintains that the appeals court definition of “substantial risk” does not meet the Article III requirement that an injury must be actual or imminent.
Furthermore, the substantial risk standard cannot be reduced to one of plausibility, the petition added. Citing another case, reducing the substantial risk standard in that way is “a far less stringent test than even the objectively reasonable likelihood standard that the Court found inadequate.”
“The rising tide of data hacks and the class action lawsuits they inevitably spur increasingly test the boundaries of federal court jurisdiction. But lower courts have struggled to consistently apply Article III standing principles to future injuries allegedly caused by data theft, including the increased risk of future identity theft. Without guidance, courts, litigants, cybersecurity insurers, and corporate America will remain uncertain as to when a federal court can hear such claims.”
The CareFirst data breach case is “ideal” way for the US Supreme Court to clarify that “an alleged future injury must be imminent” to satisfy the substantial risk standard.
The case was docketed on November 1, 2017, with a Court response due on December 1, 2017.