[BreachExchange] Courts: We Hear No Suit Based on Cyber Crime Before its Time

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jul 5 19:22:13 EDT 2016


http://www.jdsupra.com/legalnews/courts-we-hear-no-suit-based-on-cyber-24604/

Two recent decisions out of the U.S. District Court for the District of
Maryland illustrate the difficulty that cyber breach victims can have in
establishing standing to sue. In both cases, the court dismissed the cyber
breach suits for lack of standing because the plaintiffs had not yet
sustained actual damages. The decisions reflect that whether a cyber breach
victim has suffered cognizable damages is extremely fact intensive.
Notably, the cases were dismissed or remanded for lack of subject matter
jurisdiction under Federal Rule of Civil Procedure 12(b)(1), which can be
raised at any point and is never waived.

Chambliss v. CareFirst, Inc., 1:15-cv-02288, involved a well-publicized
data breach at CareFirst, a health insurance provider. Data breaches of
confidential personal information of CareFirst’s subscribers occurred in
2014 and 2015. The personal information included the names, birthdays,
e-mail addresses, and subscriber identification numbers of 1.1 million
people. Plaintiffs sought to bring a putative class action alleging that
CareFirst should have known earlier that the breaches could occur, as the
stolen information was “highly coveted by and a frequent target of hackers.”

Plaintiffs further claimed that they had a reasonable expectation that
their confidential personal information would remain private and
confidential. Due to CareFirst’s failure to secure the personal
information, plaintiffs claimed that they “have lost or are subject to
losing money and property.” However, as the Court noted, the plaintiffs did
not allege that they had yet suffered any actual injury, and thus there was
not yet a ripe controversy under Article III of the Constitution.

The facts in Khan v. Children’s National Health System, 8:15-cv-02125, were
substantially similar. Mr. Khan filed a putative class action against
Children’s National Health System, asserting that hackers had obtained
access to certain employee e-mail accounts that contained subscriber
personal data.

Judge Chuang considered the increased risk of identity theft to be
plaintiff’s most promising argument that she had an injury that could
support Article III standing. Judge Chuang noted that district courts and
even circuit courts have differed on whether identity theft is a cognizable
injury that can support standing. However, he noted that rather than
applying a different legal standard, the difference in the courts’
treatment of these cases is largely determined by their unique facts.

Both courts noted that the plaintiffs had not alleged that their data had
yet been misused in any way. In Chambliss, the court also observed that the
breach compromised names, birth dates, email addresses and subscriber
identification numbers, not their social security numbers, credit card
information or any other similarly sensitive data that could heighten the
risk of harm. (The Court may have been overly optimistic about whether
names, birth dates and subscriber identification numbers can be used in a
nefarious way.)

Both judges also rejected the claim that the plaintiffs had suffered harm
in the way of mitigation costs, such as expenses incurred from obtaining
credit monitoring services. The Chambliss Court reasoned that a plaintiff
cannot manufacture standing by inflicting harm on himself, and the
Khan Court stated that incurring costs as a reaction to a mere risk of harm
does not establish standing if the harm to be avoided is not itself
“certainly pending.” Both judges also disregarded claims for decreased
value of personal information, especially since plaintiffs had not yet
alleged that they attempted to sell their personal information and/or that
they were forced to accept a decreased price for that information.

The Maryland District Court in these two cases joined other courts across
the nation in holding that there is no standing to sue, and thus no subject
matter jurisdiction, until there has been actual misuse of data. In
layman’s terms, the message to those affected by cyber breaches is, “Come
back when you have a real problem.”

The judges in Chambliss and Khan probably got this right. Still, it seems
like only a matter of time before the hackers in those cases misuse the
stolen data and, unwittingly, convey standing on their victims.