[BreachExchange] Data Breach Plaintiffs Continue to Face Article III Standing Challenges

Audrey McNeil audrey at riskbasedsecurity.com
Fri Aug 19 16:00:39 EDT 2016


http://www.lexology.com/library/detail.aspx?g=f2a39487-3216-4a11-a1fa-7bd63cb9bca9

Standing remains a high hurdle for individuals whose personal information
is compromised as a result of a data breach but who cannot establish that
the stolen information was actually used improperly. Class action claims
against CareFirst Blue Cross Blue Shield related to a 2014 breach were
dismissed last week by D.C. District Court Judge Christopher R. Cooper,
who found that they failed to meet Article III’s standing requirement.
This ruling comes two months after a similar ruling by a Maryland district
court judge in class action claims related to the same CareFirst breach.

Judge Cooper’s decision does underscore the need to show harmful misuse of
data to establish standing, but his opinion also raises the possibility
that the type of information stolen may be important to determining the
plausibility of alleged harm.

In the CareFirst breach, customers’ names, birthdates, email addresses, and
subscriber numbers were compromised, but no social security numbers or
credit card information. In his rejection of plaintiffs’ claims of injury,
Judge Cooper specifically referenced the type of information that had been
stolen in several instances. It is fair to ask: had either the social
security numbers or credit card information of this plaintiff group been
implicated, might the judge have seen a more plausible imminent harm?

Broadly speaking, Article III standing requires a plaintiff to show
injury-in-fact, causation and redressability, and the alleged injury must
be particularized, concrete or imminent. In the context of a class action,
each named plaintiff must establish that he or she was personally injured.

The CareFirst plaintiffs’ class action complaint alleged various violations
of state laws and breach of legal duties associated with protecting
personal information. The claimed injuries included, inter alia, (1) an
increased risk of identity theft; (2) identity theft in the form of tax
fraud; (3) economic harm through having to purchase credit-monitoring
services; (4) economic harm through overpayment for insurance coverage; and
(5) loss of intrinsic value of their personal information.

The district court found each claim without merit. Plaintiffs could not
show how a hacker could steal their identities without their social
security numbers or credit card numbers; could not claim the purchase of
credit card monitoring services as an injury since that constitutes a
“self-inflicted” harm; could not substantiate their claim that some portion
of their insurance premiums are now allocated to paying for security
measures; and could not show their personal information had been “devalued.”

With respect to the tax fraud claim, two named plaintiffs alleged that they
suffered injury-in-fact because they had not yet received an expected tax
refund. The court, however, found that the plaintiffs failed to show that
their alleged injury was “fairly traceable” to the breach or how such tax
refund fraud could have been carried out without their social security
numbers and credit card information.