Login Register Subscribe
Current Issue

Fear of data breach consequences splits appeals courts

Reprints

A recent federal appeals court ruling in a putative class action lawsuit that says plaintiffs can sue even if there is only fear of, but no actual, damage from a data breach further deepens an appeals court split on the issue and enhances its chances of being considered by the U.S. Supreme Court, experts say.

The litigation in Chantal Attias et. al. v. CareFirst Inc. et al. resulted from a June 2014 incident in which an unknown intruder breached 22 of Baltimore-based CareFirst Inc.’s computers and accessed a database containing its customers’ personal information, according to the Aug. 1 ruling by the U.S. Court of Appeals for the District of Columbia Circuit.

The District Court in Washington, D. C. had dismissed the case on the grounds the plaintiffs had not alleged either a present injury “nor a high enough likelihood of future injury.”

In reinstating the case, a unanimous three-judge panel, quoting an earlier case, said medical identity theft leads to inaccurate entries in victims’ medical records and can cause them “to receive improper medical care, have their insurance depleted, become ineligible for health or life insurance or become disqualified for some jobs.” 

“These portions of the complaint would make up, at the very least, a plausible allegation that plaintiffs face a substantial risk of identity fraud even if their Social Security numbers were never exposed to the data thief,” said the ruling, in reinstating the case.

Experts point out other appeal court rulings have agreed with the Attias decision that plaintiffs can pursue litigation even where there is no evidence customers’ private information was improperly used.

In 2015, for instance, the 7th U.S. Circuit Court of Appeals in Chicago ruled consumer data breach victims could pursue their putative class action litigation in Hilary Remijas et al. v. Neiman Marcus Group L.L.C.

But other courts have continued to hold there must be evidence of concrete injury.  In its May 2, ruling in Mary Jane Whalen v. Michaels Stores Inc., for instance, the 2nd U.S. Circuit Court of Appeals in New York dismissed Ms. Whalen’s claims against the Irving, Texas-based chain on the basis she had not alleged “a cognizable injury” from her credit card information’s exposure to a data breach at a Michaels store.

Experts, however, say the Neiman Marcus ruling is key. Until that ruling, plaintiff attorneys seeking to file litigation in connection with the potential injury a data breach had caused kept hitting the preliminary obstacle that they had not proved a sufficiently concrete injury to establish they had standing to sue, said Kevin LaCroix, executive vice president of RT ProExec, a division of R-T Specialty L.L.C., in Beachwood, Ohio.

Pointing to the Attias decision, Jason M. Beach, counsel at Hunton & Williams L.L.P. in Atlanta, said: “Increasingly, as the years march on, courts have been more receptive to finding standing in certain types of data breach cases.”

Circuit splits encourage forum shopping, said Roberta D. Anderson, director at Cohen & Grigsby P.C. in Pittsburgh. “Plaintiffs are inclined to file suits in forums, including now the D.C. Circuit,” that are likely to rule they have standing to sue. This will also drive up settlement values and lead to increased defense costs, she said.

The chance of the Supreme Court hearing the issue “is getting better because the circuit split is certainly growing here, and I think the court will ultimately probably hear this issue,” although it may not hear the Attias case in particular because it is still only in the pleading stage, said James C. Dugan, a partner with Wilkie Farr & Gallagher L.L.P. in New York.

Mr. LaCroix said the “surest guidepost” to how the Supreme Court would rule is the high court’s May 2016 ruling in Spokeo Inc. v. Robins, a ruling involving not a data breach but the Fair Credit Reporting Act, in which it held that a plaintiff must allege an injury that was both “concrete and particularized” to have standing to sue.

Mr. Dugan noted although the CareFirst incident occurred several years ago, in this case, as in many others, there has not been any subsequent criminal use of the stolen data. He said he believes many people try to hack into sites “just to prove it can be done.”

The further away you get from a breach “then the stronger a defendant’s case will be,” if the stolen data has not been misused, as to whether plaintiffs have standing to sue, Mr. Beach said.

Experts note also the nature of the data stolen could be a factor in any particular case and subsequent ruling. They point out, for instance, that credit cards are easily re-issued, but more serious difficulties could arise if social security numbers are stolen.

Meanwhile, the current momentum of decisions holding plaintiffs can sue on the basis of fear of future injury “underscores the importance of proactive and effective enterprising risk management, including through risk transfer such as insurance,” Ms. Anderson said.