[BreachExchange] Courts raising bar for data breach class actions

Mon Aug 29 19:57:40 EDT 2016

http://legalnewsline.com/stories/511001143-courts-
raising-bar-for-data-breach-class-actions

Reports of data breaches have become commonplace, prompting U.S. courts to
raise the bar on associated class action lawsuits.

The U.S. District Court for the District of Columbia in early August
declined to grant standing to a class action filed in the wake of a data
breach at CareFirst BlueCross BlueShield. Hackers compromised health
insurer CareFirst's IT systems in June 2014 and obtained personal data for
more than a million BlueCross BlueShield policyholders.

In dismissing the class action, Judge Christopher Cooper concluded that the
plaintiffs failed to show that the private personal data allegedly obtained
by hackers had caused any injury to plaintiffs or was sufficient in and of
itself to do so. Significantly for the court, plaintiffs failed to provide
evidence that the perpetrators of the data breach had obtained Social
Security or credit card numbers.

Merely establishing that private personal information had been illegally
acquired via a data breach is no longer sufficient to warrant standing in a
class action, Ballard Spahr attorney Edward McAndrew said.

"In and of itself the CareFirst data breach is just another development in
the establishment of precedent regarding standing in data breach cases," he
told Legal Newsline.

"What's new here is that courts are saying they're going to look at the
particular types of data allegedly acquired in security breaches and
determine if there's a high risk of stolen data to be used for criminal
purposes. In CareFirst the court concluded that factual allegations
regarding the data stolen provided by plaintiffs did not reveal any actual
or impending injury, or demonstrate a substantial likelihood that personal
injury could occur."

The CareFirst decision reinforces and adds to a May U.S. Supreme Court
ruling on a technical legal issue raised in Robins v. Spokeo, a class
action in which a plaintiff asserted he had been harmed by false personal
information sold by data broker Spokeo that had been published on the
Internet. Reversing an appellate court ruling, the high court justices
voted 6-2 in concluding that plaintiff failed to show he had suffered
concrete harm.

In that case, the court disagreed with plaintiffs attorneys' argument that
even without demonstrating personal injury, violation of a statute - in
this case the D.C. Consumer Protection Procedures Act (DCPPA) - was
sufficient grounds for granting class action status.

“We have made it clear time and time again that an injury, in fact, must be
both concrete and particularized,” Justice Samuel Alito wrote in the
majority opinion. He added that certain types of mistakes wouldn’t qualify
as evidence of injury.

“An example that comes readily to mind is an incorrect ZIP code. It is
difficult to imagine how the dissemination of an incorrect ZIP code,
without more, could work any concrete harm.”

More broadly in CareFirst, the court's conclusion that private personal
data allegedly acquired in a data breach is not likely to result in the
misuse of that information is highly debatable, McAndrew said.

"Other courts have reached the opposite conclusion," he said. "In Remigas
class action, the Seventh U.S. Court of Appeals decided that class action
plaintiffs had sufficient standing based solely on the alleged theft of
personal data from the P.F. Chang restaurant chain."

In that 2014 civil lawsuit, two Illinois men did show that the personal
debit card data obtained in the breach was subsequently used to make
fraudulent charges, he pointed out.

"Some 350,000 credit card numbers allegedly were stolen, and plaintiff
attorneys showed that over 9,000 of those actually had been used to commit
credit card fraud, or ID theft," McAndrew said.

In addition, in CareFirst, the court did not address the potential for
hackers to obtain sufficient personal data to perpetrate fraud/ID theft or
other criminal acts by assembling digital dossiers on consumers from
multiple sources, McAndrew continued.

''They wind up combining all the data they can acquire to create a much
more comprehensive dossier that could be sold on the 'dark web.'''

Email addresses were stolen in the CareFirst case, and plaintiffs did
submit evidence that SSNs had been acquired subsequent to a court briefing
on the issue. The court ruled that such evidence would not be considered as
plaintiffs did not mention that in their complaint, however.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160829/ce62b121/attachment.html>