BreachExchange mailing list archives

Plaintiffs Cannot Bring Data Breach Lawsuits Without Evidence That Information Will Be Used To Harm


From: Richard Forno <rforno () infowarrior org>
Date: Fri, 19 Aug 2016 08:06:38 -0400


http://www.jdsupra.com/legalnews/plaintiffs-cannot-bring-data-breach-15526/

The latest development in how American courts will handle the standing question for data breach class actions came last 
week when the U.S. District Court for the District of Columbia dismissed for lack of standing a putative class action 
related to the CareFirst BlueCross BlueShield data breach.

The court's reasoning in dismissing the claims is yet another step in defining which data breaches are actionable—a 
significant question in an environment where every major breach seems to give rise to a class action lawsuit. In 
keeping with the current trend among federal courts, the court in CareFirst found that data breach plaintiffs cannot 
bring lawsuits without evidence that sensitive data has been—or will be—misused in a harmful manner.

Simply having your personal information stolen in a data breach isn’t enough.

The case arose out of a June 2014 data breach in which hackers compromised the personal information of more than a 
million policyholders of the health insurer CareFirst. The information included policyholders' names, birth dates, 
email addresses, and subscriber identification numbers. But what’s notable is the data the breach did not include: more 
sensitive information such as Social Security and credit card numbers.

Seven people brought a class action alleging that CareFirst violated various state laws and common law duties by 
failing to safeguard the information. Two of the plaintiffs claimed to be victims of identity theft. The other five did 
not. CareFirst moved to dismiss for lack of standing on the grounds that the complaint did not adequately allege injury.

The court granted CareFirst's motion and dismissed the complaint without prejudice.

In deciding the validity of the case brought by the five people who did not claim identity theft, the court 
applied the standard articulated by the U.S. Supreme Court in Clapper v. Amnesty Int'l USA, under which a threatened 
injury must be "certainly impending" for a suit to have merit. It rejected the plaintiffs’ argument that the "certainly 
impending" standard had been met simply because the hackers breached CareFirst's server in order to access data and 
misuse it. It also held that the argument was too speculative to satisfy Clapper because it required the court to 
assume that the hackers had the ability to read and understand plaintiffs' personal information, the intent to commit 
future crimes by misusing it, and the ability to do so. Most important, the alleged injury was particularly speculative 
because the plaintiffs had not suggested—let alone demonstrated—how the hackers could steal their identities without 
access to their Social Security or credit card numbers.

In dismissing the cases of the two plaintiffs who did claim identity theft, the court held that their alleged injury 
was not "fairly traceable" to the CareFirst breach. The two plaintiffs claimed to be victims of tax-refund fraud 
because they had not yet received their expected tax refunds. The court found that it was unlikely that the tax-refund 
fraud could have been conducted without the plaintiffs' Social Security numbers and was therefore not "fairly 
traceable." The court also rejected the plaintiffs' arguments that they had suffered economic harm because they had to 
purchase credit-monitoring services and overpay for insurance coverage.

Finally, the court rejected plaintiffs' argument that the D.C. Consumer Protection Procedures Act could confer standing 
on its own. In doing so, the court relied on the recent Supreme Court decision in Spokeo, Inc. v. Robins, which held 
that Congress cannot erase Article III's standing requirements by statutorily granting the right to sue to a plaintiff 
who would not otherwise have standing. In applying this holding, the court held that—even if plaintiffs' rights under 
the D.C. Consumer Protection Procedures Act had been violated—they did not have standing to press their claims because 
they had not adequately alleged a concrete harm.

Cases like CareFirst help define the landscape for data breach lawsuits. The requirement that plaintiffs must show that 
actual harm could have arisen from the theft of information is a significant development—and one that should bring some 
measure of relief to companies tasked with storing vast quantities of consumer data.



--
It's better to burn out than fade away.



_______________________________________________
BreachExchange mailing list sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com
