Data breach litigation against optometry board revivedReprints
A federal appeals court has overturned a lower court ruling and reinstated putative class action data breach litigation against the National Board of Examiners in Optometry Inc.
The 4th U.S. Circuit Court of Appeals in Richmond, Virginia, said in Tuesday’s ruling in Rhonda L. Hutton et al. v. National Board of Examiners in Optometry Inc. that plaintiffs had sufficiently established they had suffered injuries as a result of an alleged data breach of the Charlotte, North Carolina-based board.
According to the ruling, optometrists across the United States in July 2016 noticed that Chase Amazon Visa credit card accounts had been fraudulently opened in their names. Opening these accounts required the use of an applicant’s correct Social Security number and date of birth.
Facebook discussions led the plaintiffs to conclude the information had come from a data breach at the optometry board, which has never acknowledged it was the target of a data breach.
Three plaintiffs filed two complaints that were later consolidated in U.S. District Court in Baltimore on charges including negligence, breach of contract, breach of implied contract and unjust enrichment.
The District Court dismissed the case, stating the complainants “simply alleged speculative harms that could only occur in the future,” according to the ruling. It said also that any alleged injury “was not traceable” to the board.
A three-judge appeals court panel unanimously reinstated the litigation.
“The plaintiffs in these cases … allege that they have already suffered actual harm in the form of identity theft and credit card fraud,” said the ruling.
“The Plaintiffs have been concretely injured by the data breach because the fraudsters used — and attempted to use — the Plaintiffs’ personal information to open Chase Amazon Visa credit card accounts without their knowledge or approval. Accordingly, there is no need to speculate on whether substantial harm will befall the Plaintiffs.”
The ruling states also that “the complaints contained sufficient allegations that (the board) was a plausible source of the Plaintiffs’ personal information.”
The case was remanded for further proceedings.
A federal appeals court ruling last year in a putative class action lawsuit that says plaintiffs can sue even if there is only fear of, but no actual damage from, a data breach further deepens an appeals court split on the issue and enhances its chances of it being considered by the U.S. Supreme Court, experts say.