[BreachExchange] Could CareFirst Data Breach Case Be Headed to Supreme Court?

Fri Sep 8 19:55:57 EDT 2017

https://www.databreachtoday.com/could-carefirst-data-
breach-case-be-headed-to-supreme-court-a-10279

Could the class action lawsuit filed against CareFirst Blue Cross Blue
Shield after a 2014 cyberattack impacting 1.1 million individuals be the
first data breach case headed to the Supreme Court? A recent ruling by a
federal court makes that a possibility.

The U.S. Court of Appeals for the District of Columbia on Sept. 6 granted
CareFirst's request for a "stay" in the same court's ruling last month that
revived a class action suit against the health insurer. The "stay" allows
CareFirst to file an appeal, asking the Supreme Court to review the case.

In its petition seeking the stay, ClearFirst argued that its case being
heard by the Supreme Court is also important for other data breach
litigation cases.

"The Supreme Court should ... guide courts in sorting out the claims of
truly injured victims of data breaches from those who file class actions
without being able to allege that any harm is real or immediate," the
CareFirst petition notes.

"The Supreme Court needs to address this area of the law to provide more
guidance to federal district and appellate courts, especially given that
federal courts have struggled to reach consensus as to when the prospect of
future injury resulting from stolen information truly presents a
'substantial risk' of actual harm."

CareFirst did not immediately respond to an Information Security Media
Group request for comment on when it plans to file an appeal to the Supreme
Court.

A Longshot?

Privacy attorney Adam Greene of the law firm David Wright Tremaine is among
the legal experts who are skeptical that the Supreme Court will agree to
hear the case.

"This case definitely has the potential to make it to the Supreme Court,
since there is not consensus on this issue among the circuit courts," says
Greene, who is not involved in the case. "But it still may be a longshot
because of the limited number of cases that the Supreme Court can accept."

Last year, the Spokeo case addressed standing to bring a claim based on
whether potential harm is "concrete and particularized," Greene notes. "It
did not involve an information security breach, but was closely watched for
its impact on information security breach litigation. But the court did not
definitively resolve the issue of what constitutes sufficient harm to have
standing to sue, so the question in CareFirst and other security breach
cases remains."

The stay puts on hold an Aug.1 ruling by the appellate court that allows
plaintiffs in the CareFirst case to proceed with their punitive class
action lawsuit against the insurer, which had been dismissed in 2016 by the
U.S. District Court for the District of Columbia (see Appeals Court Allow
CareFirst Breach Class Action Lawsuit to Proceed).

Attorney Steven Teppler of the Abbott Law Group, who is not involved in the
case, says CareFirst's effort to file an appeal to the Supreme Court "is a
procedural tactic to try and get this issue resolved as soon as possible."

Breaking the Log Jam

The recent Equifax data breach, which affected as many as 143 million
individuals, will likely end up in class action litigation, some legal
experts predict.

So sooner or later, Supreme Court justices will decide to review a major
data breach case "and the log jam will break," Teppler says. Companies
experiencing data breaches "can't keep dodging bullets and ruining people's
digital image."

The August decision by the appeals court to overturn the lower court's
dismissal of the CareFirst case was in itself a significant development in
breach cases, legal experts say.

That's because the lower court's dismissal of the lawsuit had followed a
common trend in data breach litigation where most courts do not find
standing to proceed without concrete, identifiable injury to plaintiffs.

The reversal was noteworthy because it could set precedent for other
pending and future data breach cases.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170908/765558a5/attachment.html>