Calling for a broader view of standing, a federal appeals court in Washington, D.C., has reversed the dismissal of a case brought over the 2014 cyberattack on health insurer CareFirst. The D.C. Circuit decision comes in one of the first data breach cases to address standing under the U.S. Supreme Court’s holding in Spokeo v. Robins,
The U.S. Court of Appeals for the District of Columbia ruled on Tuesday that the district judge had “given the complaint an unduly narrow reading” in finding that the plaintiffs’ claims of increased risk of identity theft were speculative. U.S. District Judge Christopher Cooper of the District of Columbia based much of his ruling on the fact that the plaintiffs couldn’t allege identity theft risks if their Social Security or credit card numbers hadn’t been stolen.
“But that conclusion rested on an incorrect premise: that the complaint did not allege the theft of Social Security or credit card numbers in the data breach,” wrote Circuit Judge Thomas Griffith. “In fact, the complaint did.”
Neither plaintiffs’ attorney Christopher Nace of Paulson & Nace nor CareFirst’s lawyer, Matt Gatewood of Eversheds Sutherland, both in Washington, D.C., responded to requests for comment.
The ruling comes one day after another health insurer, Anthem Inc., which agreed last month to pay $115 million to resolve lawsuits over a 2015 cyberattack that affected 78.8 million customers, announced a new data breach that may have exposed more than 18,000 Medicare enrollees.
CareFirst, based in Baltimore, was hit with a cyberattack in 2014 that compromised nearly 1.1 million customers. Apart from the D.C. case, federal judges in Illinois and Maryland have also dismissed class actions over the CareFirst breach on standing grounds.
The D.C. case was brought on behalf of customers in the District of Columbia, Virginia and Maryland. CareFirst insisted that while names and addresses had been hacked, Social Security and credit card numbers had not. Cooper, in his 2016 dismissal order, appeared to have found those facts persuasive, and also pointed to the earlier dismissal in the Maryland case. But the appeals panel said the complaint actually alleged that CareFirst collected personal identification information that included credit card and Social Security numbers.
The panel also sided with the plaintiffs in finding the harm was far from speculative, relying on the U.S. Court of Appeals for the Seventh Circuit’s seminal 2015 decision in Remijas v. Neiman Marcus Group that said: “Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”
The panel also appeared influenced by Spokeo, in which the Supreme Court found that a plaintiff suing in federal court must allege an injury that is “particularized” and “concrete,” rather than speculative.
“This case is a prime example of the type of no-injury lawsuit that the Supreme Court held in Spokeo cannot proceed in federal court,” wrote Andrew Pincus, a partner at Mayer Brown’s Washington office, in a brief he filed for the U.S. Chamber of Commerce.
Pincus had argued the Supreme Court case for Spokeo Inc. “The Supreme Court has made clear that a no-injury lawsuit based at most on anxiety about speculative future harm cannot go forward.”
But two other groups, the Electronic Privacy Information Center and the National Consumers League, filed amicus briefs highlighting a changing world in which corporate America is increasingly storing personal information in digital databases. Spokeo actually proved that plaintiffs had established standing, wrote Marc Rotenberg, president and executive director of EPIC, a privacy rights group in Washington, D.C.
“The claims are concrete, particularized and actual violations of their legally protected interests, which they allege were caused by the defendants, and are redressable by a favorable court ruling,” he wrote.
The appeals panel agreed.
Under Spokeo, Griffith wrote, the harm was “fairly traceable” to the defendant’s actions, noting CareFirst’s failure to protect its insured customers. It also was “likely to be redressed” through the claims alleged, citing incurred costs such as identity theft protection that could be reimbursed through monetary damages.
“The plaintiffs here alleged that the data breach at CareFirst exposed them to a heightened risk of identity theft,” Griffith wrote. “The principal question, then, is whether the plaintiffs have plausibly alleged a risk of future injury that is substantial enough to create Article III standing. We conclude that they have.”