[BreachExchange] Appeals Court Allows CareFirst Breach Class Action Lawsuit to Proceed

[Destry Winant]

http://www.databreachtoday.com/appeals-court-allows-carefirst-breach-class-action-lawsuit-to-proceed-a-10164

A class action lawsuit filed against health insurer CareFirst Blue
Cross Blue Shield in the wake of a 2014 cyberattack impacting the
personal data of 1.1 million individuals is being revived: A federal
appeals court ruling has overturned a lower court's decision last year
to dismiss the case.

Some legal experts say the Aug. 1 ruling by the U.S. Court of Appeals
for District of Columbia Circuit is noteworthy because it could set
precedent for other pending and future data breach cases.

The ruling by a three-judge appellate panel means that plaintiffs in
the CareFirst case can proceed with their punitive class action
lawsuit against the insurer, which had been dismissed in 2016 by the
U.S. District Court for the District of Columbia.

"This ruling is significant because now the D.C. circuit, along with
some other courts, have taken a more modern stand on the kind of
damage you can expect in data breaches," says attorney Steven Teppler
of the Abbott Law Group.

Privacy attorney Adam Greene, of the law firm Davis Wright Tremaine
agrees the ruling is important.

"The court held that the theft of personally identifiable
information/protected health information/sensitive information, if
true, creates enough of a risk of identity theft that could be
traceable to CareFirst's negligence in not securing the data," he
says.

"This does not mean that the plaintiffs will win, but it significantly
increases the risk to CareFirst and the costs of defending the case,
and sets precedent for other cases to similarly proceed. "

Shifting Tide?

The dismissal of the CareFirst lawsuit last year by the lower court
had followed a common trend in data breach litigation where most
courts do not find standing to proceed without concrete, identifiable
injury to plaintiffs, some experts note.

However, while many data breach lawsuits previously have ended in
dismissals, courts appear to be "turning a little more
plaintiff-friendly," Teppler says. "The winds are-a-changing. Not a
total 180 [degree turn], but slowly there's a strong shift in the
attitude of courts."

In its ruling, the appellate court notes that a group of CareFirst
health plan members "attributed the breach to the company's
carelessness." The lower district court dismissed the case for lack of
standing, finding the risk of future injury to the plaintiffs too
speculative to establish injury in fact.

However, the appellate court appears to disagree with that reasoning.
"We conclude that the district court gave the complaint an unduly
narrow reading. Plaintiffs have cleared the low bar to establish their
standing at the pleading stage. We accordingly reverse."

But not everyone agrees that CareFirst ruling foreshadows a dramatic
change of course in breach related lawsuits.

"It remains extremely challenging for individuals whose information
was disclosed in a breach to bring a legal action seeking damages that
will survive a motion to dismiss," says attorney David Holtzman, vice
president of compliance at security consultancy CynergisTek.

"Most courts have adopted a standard that the individual must show
that they have suffered actual harm in order to bring the case to
trial."

He adds: "It would be difficult to look at this ruling as a bellwether
for future litigation brought by consumers alleging they suffered harm
as a result of a data breach."

Still, the "plaintiffs cleared the low bar" to allow for their
complaint to move past first base," he notes.

Case Details

CareFirst disclosed in May 2015 that an "unauthorized intrusion" into
a database dating back to June 2014 resulted in a breach affecting 1.1
million individuals.

As is often the case in the wake of large data breaches, a class
action lawsuit was filed on behalf of individuals whose data was
impacted by the breach.

However, a federal court judge ruled in 2016 that the plaintiffs had
not shown incidents of harm or data misuse resulting from the security
breach, "even though a significant amount of time has passed" since
the data breach.

In dismissing the case last year, the lower court said it "found
missing the requirement that the plaintiffs' injury [stemming from the
data breach] be 'actual or imminent.'"

However, the appellate court noted in its ruling this week that the
plaintiffs in the CareFirst lawsuit alleged that the CareFirst data
breach exposed them to a heightened risk of identity theft.

"The principal question, then, is whether the plaintiffs have
plausibly alleged a risk of future injury that is substantial enough
to create ... standing. We conclude that they have."

Pending Cases

Teppler says the ruling by the federal appellate court could also have
potential impact on future and pending class action lawsuits involving
data breaches.

That includes the case filed against the Office of Personnel
Management related to a cyberattack that resulted in a breach
impacting the data of 4.2 million federal worker and retirees, and
background-check records for more than 20 million individuals.

"There is a pending motion to dismiss the OPM lawsuit. And so now this
[appellate court] decision likely changes the reasoning metrics of the
district court considering that motion," Teppler says.

Nonetheless, "it's also possible that the court will say, 'that
[CareFirst] decision is not this [OPM] case - but it's going to be
hard to see how that happens," Teppler adds.

Higher Breach Costs?

Greene says the CareFirst case also sets a precedent that could result
in higher settlement amounts or more costly litigation defense.

However, he says not all breach cases are alike. "Note that this case
involved a theft of data, rather than a theft of hardware that
included data on it. Courts hearing cases involving lost or stolen
unencrypted laptops might not follow this precedent because it is less
clear in such other cases whether the data itself was accessed in a
manner that creates an increased risk of identity theft."

However, there are some lessons that other breached entities can learn
from the CareFirst case so far, Greene says.

"The more cases like this that are successful, the higher the costs of
a data breach become. This is because a successful class action
lawsuit can far surpass the cost of regulatory fines," he notes.

"Unfortunately, there is not much that entities can do after the
breach, other than offering identity theft services to reduce any
potential injury to affected individuals. Rather, the most important
steps are putting in place reasonable safeguards before a breach, to
prevent a breach or strengthen any case that a breach did not occur
due to the entity's negligence."

Parties Respond

In a statement to Information Security Media Group, attorney Jonathan
Nace of Nidel & Nace, PLLC, one of the law firms representing
plaintiffs in the CareFirst litigation, says his clients are "pleased"
with the appellate court ruling.

Nace says the appellate court's opinion is significant for several
reasons, including his clients' ability to now pursue their case "on
the merits in the U.S. District Court for the District of Columbia,
pending a potential petition to the Supreme Court."

Nace notes, "the law is always trying to keep up with the fast-pace of
technology, and we have hope that this opinion will persuade other
circuits confronted with this question too. More specifically, the
Court found that the risk of future harm that flows from a data breach
such as this one is not a 'speculative harm,' but a real, concrete
harm that the law recognizes."

CareFirst declined ISMG's request for comment on the ruling.