A Deep Dive into CareFirst and What it Means for Breach Litigation in the US

This post is authored by Robert Rubenstein, a third-year law student at the Thomas R. Kline School of Law at Drexel University. 

The Supreme Court has shed some light on whether plaintiffs in a class action suit have standing to sue a healthcare insurer in federal court based upon a breach into that healthcare insurer’s protected network. On February 20, 2018, the Supreme Court denied CareFirst’s petition for certiorari and will leave the holding in place from the United States Court of Appeals, District of Columbia Circuit. This case resulted from a June 2014 cyberattack into the protected server of the health insurer, CareFirst. The hacker breached twenty-two CareFirst computers and accessed a database of approximately one million customers containing its customers’ personal information as a result of allegedly failing to properly encrypt some of the data entrusted to its care. Attias v. CareFirst, Inc., 865 F.3d 620, 623 (D.C. Cir. 2017). CareFirst stored personal information of its customers on their servers, which included their names, birthdates, email addresses, social security numbers, credit card information, and subscriber identification numbers. Id. at 622-23.

In the United States District Court, District of Columbia, the parties had conflicting views about whether the plaintiffs have standing based upon the breach into CareFirst’s protected server, or if the plaintiffs needed to allege misuse of personal information traceable to the breach to establish standing. The plaintiffs argued that the breach itself is sufficient to establish standing because of the increased likelihood of identity theft from a breach and the costs that the plaintiffs have incurred to mitigate the harm. Attias v. CareFirst, Inc., 199 F. Supp. 3d 193, 197 (D.D.C. 2016). In response, CareFirst argued that the plaintiffs do not have standing until their personal information has been misused in an adverse manner or if the information could readily be used to assume their identities — i.e., until they can prove actual damage. Id. at 197. The plaintiffs argued that the hackers demonstrated their intent to misuse the information because the only reason a hacker would break into a protected server is for the purpose of stealing personal information and using it in an adverse manner. Id. at 200.

In resolving the dispute, the District Court did not agree with the plaintiffs argument that “merely having one’s personal information stolen in a data breach” is sufficient to establish standing. Id. The court sided with CareFirst, holding that the plaintiffs did not have standing to sue because they needed to “demonstrat[e] a substantial risk that stolen data has been or will be misused in a harmful manner.” Id.

The United States Court of Appeals, District of Columbia Circuit reversed the District Court’s decision. The Court of Appeals expanded the District Court’s view of the extent of harm that could result from having one’s personal information stolen in a data breach. The Court of Appeals placed a focus on the potential severity of the harm that could flow from inaccurate entries in victims medical records, such as “potentially caus[ing] victims to receive improper medical care, have their insurance depleted, become ineligible for health or life insurance, or become disqualified from some jobs.” 865 F.3d at 628. Adopting a more expansive view of potential injury to the plaintiffs, the Court of Appeals held that, at a minimum, the risk of harm would make up a “plausible allegation that plaintiffs face a substantial risk of identity fraud, even if their social security numbers were never exposed to the data thiefs.” Id.

CareFirst filed a petition for a Writ of Certiorari to the US Supreme Court. The question presented was determining “what constitutes standing for alleged threatened injury, particularly in the context of lawsuits brought by victims of data breaches against the companies that held the accessed data?” Petition for Writ of Certiorari at 1, CareFirst, Inc. v. Attias, No. 17-641 (U.S. Jan. 2018). CareFirst argued that the D.C. Circuit erroneously lowered the substantial risk standard because the court “creat[ed] implausible scenarios of possible future harm.” Id. at 8. CareFirst articulated that there was not even a reasonable likelihood that future harm will occur, much less than a substantial risk of harm, because “the threat of future harm to the [plaintiffs] rests in the hands of unidentified third-party actors who have taken no adverse action against the [plaintiffs] in the nearly four years since the theft.” Id. at 7. CareFirst also argued that leaving the Court of Appeals holding untouched “will eviscerate any workable standard for evaluating when a threat of a future harm is sufficiently imminent to satisfy Article III standing,” and as a result it “will open the door to a flood of no-injury class actions arising from virtually every data breach.” Id.

In the plaintiff’s  brief in Opposition to the Writ of Certiorari, the plaintiffs reiterated the reasoning from the Court of Appeals opinion, stating is that there is a substantial risk of harm because the plaintiffs could plausibly “allege the information was obtained and understood by ‘data thiefs;’ that the purpose of the hack was to commit crimes against plaintiffs; and that the information could be used to commit identity theft and/or medical identity theft.” Brief in Opposition for Petition for Writ of Certiorari at 15-16, CareFirst, Inc. v. Attias, No. 17-641 (U.S. Jan. 2, 2018).

Now that the Supreme Court has decided not to hear this case, there are two important implications to keep in mind moving forward. First, despite the fact that the District of Columbia Circuit has granted the plaintiffs standing to sue in this particular suit, there is still a circuit split among other federal circuits around the country. The Sixth, Seventh, Ninth, and now the D.C Circuit have held that the alleged increased risk of future fraud and identity theft can be sufficient for standing at the pleading stage. The holdings from these Circuits have all determined standing based on the sufficiency of the risk of misusing unauthorized personal information. On the other hand, the First, Second, Third, Fourth, and Eighth Circuit’s hold otherwise. These Circuits hold that in cases where there is no misuse of personal information following a breach, plaintiffs must allege more than merely possessing unauthorized personal information. The reasoning behind these Circuits’ holding is that the possibility of future misuse is insufficient to satisfy the imminence requirement for an injury in fact.

In addition, the plaintiffs must be able to allege facts demonstrating that the breach was intentional and carried out for the purpose of misusing personal information, such as committing identity theft or fraud. Even though hackers may intend to access personal information for reasons unrelated to its misuse, such as with sponsored nation-state hackers or hacktavists, plaintiffs have satisfied the standing requirement where they have demonstrated that the attack was for commercial gain. Without guidance from the Supreme Court on how to approach data breach cases, the various circuits will have to continue to infer the purpose of the breach on a case-by-case basis; and companies will need to be prepared to defend against breaches in varying manners throughout the country.

* * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.