- In February 2018, the US Supreme Court denied certiorari in the CareFirst data breach case. CareFirst had requested the Court review the class action lawsuit against it that came from two separate incidents.
The first occurred in June 2014, followed by another near May 2015. CareFirst was reportedly conducting a risk assessment on April 21, 2015 when it discovered that “a sophisticated cyberattack occurred.” There was also “limited unauthorized access to a database on June 19, 2014.”
The writ of certiorari had been filed in January 2018, with CareFirst claiming that the flood gates could be opened for “no-injury class actions arising from virtually every data breach.” The US Court of Appeals for the District of Columbia Circuit previously reversed a circuit court’s ruling, stating that it had been a very narrow reading of future harm.
The Appeals Court eliminated “the need for a plaintiff to plead that a threatened injury is imminent to bring a federal case,” according to CareFirst.
“Respondents downplay the significance of the D.C. Circuit’s conclusion despite a rising tide of data breach class actions,” CareFirst said. “Should the Court leave the D.C. Circuit’s opinion undisturbed, any individual who pleads that her data was exposed in a breach will be able to maintain a lawsuit against the company that held that data, even if the plaintiff suffered no harm whatsoever.”
Following the Supreme Court’s decision, plaintiffs are likely moving forward with discovery and hoping for settlement, according to Axinn Associate Patricia Carreiro.
The Supreme Court denied cert without an explanation, which leaves everyone to wonder about the reason Carreiro explained in an email to HealthITSecurity.com. It could be that the Supreme Court thinks differing circuit courts of appeal decisions were based on factual, rather than legal differences, she suggested.
“Second, it could be that the Court believes there is a true circuit split, but doesn’t think that CareFirst is the right case to address the issue – either because it believes that appellate courts would all agree on the standing question given the facts in CareFirst, or because CareFirst’s facts are too messy for the Supreme Court to want to base such an important decision on,” she said.
The Supreme Court may just have other, more important questions filling its docket, Carreiro added. The Court could feel like it has already addressed the injury-in-fact element of standing in recent decisions, like in Spokeo, Inc. v. Robins in 2016.
Ultimately, the Court denying cert without explanation just means that the Supreme Court chose not to get involved in the CareFirst case, she explained.
The decision itself is unlikely to have any significant impact on future data breach cases because it left the same case law that was in place before the petition for cert.
“Some may attempt to argue that this denial of cert is somehow an effective endorsement of the appellate court’s finding of standing, but those opposing standing can correctly point out that this decision in effectively a ‘pass,’ not an affirmation,” Carreiro stated. “The Supreme Court simply chose not to get involved – a decision that could be based on any number of facts and not necessarily that the Supreme Court agreed with the appellate court’s decision.”
The case is now heading back to district court and CareFirst is looking at a jump in the value of its case, she continued.
“Surviving the motion to dismiss is often a watershed moment in data breach litigation, and often triggers settlement,” Carreiro posited. “Additionally, the stay on the case is now lifted, so the district court can take up the plaintiff’s motion for class certification and discovery can commence.”
It is often difficult to prove fault in data breach cases because of the expenses of those cases getting that far in the litigation process, she explained.
“Thus far, data breach litigation has largely struggled with the question of standing, and cases have only barely dipped their toe into the question of causation,” Carreiro said. “Given the many different cybersecurity standards floating around, it’s easy for plaintiffs to point to some standard that a defendant has failed to comply with, thus creating issues of fact that allow claims to survive a motion to dismiss.”
Healthcare organizations should understand that this decision does not change anything, and that covered entities must continue to invest in cybersecurity measures. Avoiding data breaches, avoiding the collection of unnecessary information, destroying information no longer needed, documenting which cybersecurity decisions have been made and why, and insuring appropriately should all still be key considerations.
“If they are hacked, companies should, just as before, contact counsel and notify their insurers immediately,” Carreiro stated. “Companies should allow their outside counsel to retain their forensic investigators, ensure that all notifications are sent out on time, etc.”
“On the litigation-front, the takeaway remains that some circuits (like the District of Columbia, Sixth, Seventh, and Ninth Circuits) are still better for plaintiffs, while others (like the Third, Fourth, and Eighth Circuits) are still better for companies,” she continued.
Other leading appellate court cases on standing remain important for healthcare organizations. This includes but is not limited to Whalen v. Michaels Stores, Inc. in the Second Circuit, Reilly v. Ceridian Corp. in the Third Circuit, and Beck v. McDonald in the Fourth Circuit, Carreiro said.
“Until the Supreme Court gives us more guidance, those cases will continue to carry the day,” she concluded. “As far as the next case that could lead to a petition for cert regarding standing in data breach cases, I’m keeping my eye on Storm v. Paytime, Inc., currently on partial remand to the Middle District of Pennsylvania. If the court does not approve the parties’ settlement, the Third Circuit appeal will resume and could lead to a petition for cert.”