CSR Readiness Privacy Assessment

The CareFirst Ruling Means Increased Risk

If your business does not adequately protect personally identifiable information (PII), your risk of being sued after a data breach or security event just went up significantly.

Facts of the Case: Attias v. CareFirst

CareFirst Ruling: DC Circuit Court Reinstatement
Chantal Attias et al. v. CareFirst Inc. et al.
Case # 16-7108
U.S. Court of Appeals
District of Columbia Circuit

CareFirst (Blue Cross Blue Shield) of Boston was the victim of a cyber attack in June of 2014. Eleven months later, in May of 2015, CareFirst publicly announced that a major breach had occurred and that the records of nearly 1.1 million customers had been compromised. Hackers penetrated 22 computers and accessed the personally identifiable information (PII) of customers. CareFirst maintains that SSN and credit card data were not compromised, though this fact is disputed.

In 2016, the district court dismissed the complaint over "lack of standing," saying that the risk of future injury was too speculative. Essentially, the district court was saying that the plaintiffs could not prove they had been harmed.

The class action suit was reinstated August 1st, 2017 upon appeal to the D.C. Circuit Court. This reinstatement made waves because of the nature of the decision and its potential to set a major precedent. 

In its decision the court wrote:
"The plaintiffs here alleged that the data breach at CareFirst exposed them to a heightened risk of identity theft. The principal question, then, is whether the plaintiffs have plausibly alleged a risk of future injury that is substantial enough to create Article III standing. We conclude that they have."

"Here, by contrast, an unauthorized party has already accessed personally identifying data on CareFirst’s servers, and it is much less speculative — at the very least, it is plausible — to infer that this party has both the intent and the ability to use that data for ill."

Download the DC Circuit Court Decision

Download the EPIC Amicus Brief

Download the Original District Court Ruling that was Vacated

Steven Teppler of the Abbott Law Group:
"This ruling is significant because now the D.C. circuit, along with some other courts, have taken a more modern stand on the kind of damage you can expect in data breaches."

Marianne Kolbasuk McGee, Appeals Court Allows CareFirst Breach Class Action Lawsuit to Proceed, HealthcareInfoSecurity.com, August 2, 2017

Ed McAndrew, co-practice leader of Ballard Spahr LLP's privacy and data security group:
"Initially, courts seemed reluctant to allow these types of consumer privacy class actions based on data breaches to move forward beyond the pleading stages, but that seems to be shifting pretty dramatically."

Allison Grande, Data Breach Suits Find Easier Path With DC Circ. Ruling, Law360, Aug 3, 2017

Dr. Ross Federgreen, CEO of data privacy authority CSR Professional Services:
"With the CareFirst ruling, 250 million Americans were just given permission to sue your business over a data breach, even if no harm such as identity theft or fraud has yet occurred. The risk to any business from losing data, whether accidental or malicious, just went from bad to catastrophic. This court decision is a major step in establishing the right of consumers to bring actions for a data breach at any business or institution. Organizations large and small are going to be in court more often. It’s going to be financially painful. More companies are going to fail because of data breaches."

Joint ERI - CSR Press Release, August 9, 2017

Privacy attorney Adam Greene of Davis Wright Tremaine:
"The more cases like this that are successful, the higher the costs of a data breach become. This is because a successful class action lawsuit can far surpass the cost of regulatory fines. Unfortunately, there is not much that entities can do after the breach, other than offering identity theft services to reduce any potential injury to affected individuals. Rather, the most important steps are putting in place reasonable safeguards before a breach, to prevent a breach or strengthen any case that a breach did not occur due to the entity's negligence."

Marianne Kolbasuk McGee, Appeals Court Allows CareFirst Breach Class Action Lawsuit to Proceed, HealthcareInfoSecurity.com, August 2, 2017

John Tomaszewski, senior counsel at Seyfarth Shaw LLP:
"Both the bench and the plaintiffs bar have evolved in their understanding of data breaches and the harms they potentially cause. You can see the evolution in the thinking of the court in its view that people don't just steal data for laughs, the reason they do it is to perpetuate fraud. The ability to stick your head in the sand and say there's no probability of future harm because no harm has been demonstrated since the breach happened more than two years ago doesn't seem to work anymore."

Allison Grande, Data Breach Suits Find Easier Path With DC Circ. Ruling, Law360, August 3, 2017

Privacy attorney Adam Greene of Davis Wright Tremaine:
"The court held that the theft of personally identifiable information/protected health information/sensitive information, if true, creates enough of a risk of identity theft that could be traceable to CareFirst's negligence in not securing the data. This does not mean that the plaintiffs will win, but it significantly increases the risk to CareFirst and the costs of defending the case, and sets precedent for other cases to similarly proceed."

Marianne Kolbasuk McGee, Appeals Court Allows CareFirst Breach Class Action Lawsuit to Proceed, HealthcareInfoSecurity.com, August 2, 2017

John Shegerian, Founder and Executive Chairman of ERI, the nation’s leading recycler of electronic waste:
"Every business in the US – large or small – is going to need to pay very close attention to the new playing field that has been created by this landmark ruling. We’re about to witness a paradigm shift in data privacy in both the digital and physical realm, and to what lengths businesses are responsible for it. To avoid being sued in what is sure to be a feeding frenzy of litigation over compromised data, the best thing businesses can do now is to make sure they perform their due diligence protecting the data of their constituent customers, vendors, and employees. Properly destroying hardware using a certified organization that permanently eliminates all digital data is crucial."

Joint ERI - CSR Press Release, August 9, 2017

Ballard Spahr:
"These decisions [CareFirst and others] significantly expand the circumstances under which consumers may pursue class actions against companies victimized by hackers who access highly sensitive personal information, such as Social Security and credit card numbers, as well as health insurance subscriber information. Companies that collect, process, or store such sensitive information should anticipate and prepare for litigation as soon as they discover any cyber incident involving these types of information."

Ballard Spahr, D.C. Circuit Reverses Data Breach Class Action Dismissal on Standing Grounds, JDSupra, August 3, 2017

David Anthony, partner at Troutman Sanders LLP:
"The CareFirst decision reflects a more generous interpretation of the degree of harm required to satisfy Article III standing requirements."

Allison Grande, Data Breach Suits Find Easier Path With DC Circ. Ruling, Law360, Aug 3, 2017

Tedrick A. Housh, III of Lathrop Gage:
"The net effect of this opinion is more risk for business. ... Rather than obtain a dismissal at the outset of expensive class action litigation, companies will be forced to engage in discovery and seek summary judgment on the facts established. In the end, this opinion is another reminder to companies that they must inventory and take reasonable measures to protect personally identifiable information (PII) and protected health information (PHI) that they own or maintain."

Lathrop Gage Newsletter, August 2, 2017

Read the joint Press Release from CSR and ERI about the impact of the CareFirst decision here. ERI is the nation’s leading recycler of electronic waste and the world's largest cybersecurity-focused hardware destruction company.

Does CareFirst Mean Consumers are More Likely to Win Data Breach Cases?

No. The CareFirst decision is about establishing "standing," or in simpler terms, the right to sue.

Do All Courts Agree with the CareFirst Decision?

No. While several Circuit Courts are now leaning in this direction, this ruling was unique in a few ways. Some other Circuit Courts have so far ruled differently, so where you bring suit at the federal level might at this point affect the ruling.

Ballard Spahr:
"The D.C. Circuit now joins the growing circuit split over whether individuals whose personal information is stolen by hackers can satisfy the standing doctrine based solely on allegations of a substantial risk of future injury. In addition to the Seventh Circuit’s Remijas decision, the Third Circuit recently reinstated a data breach class action against Horizon Healthcare Services, Inc., in the wake of the 2013 theft of two laptop computers containing unencrypted personal information of Horizon Healthcare plan members. The Ninth Circuit also has upheld standing allegations in similar data breach class actions."

Ballard Spahr, D.C. Circuit Reverses Data Breach Class Action Dismissal on Standing Grounds, JDSupra, August 3, 2017

Coming down on the side of at least five other circuits, the D.C. Circuit held that a group of CareFirst policyholders had “cleared the low bar to establish their standing at the pleading stage” by asserting that there was a substantial risk that their stolen personal information could be used “for ill” — identity theft or medical harm — even though it had yet to be misused.

Allison Grande, Data Breach Suits Find Easier Path With DC Circ. Ruling, Law360, Aug 3, 2017

Related Case: Spokeo

Spokeo, Inc. v. Robins: Supreme Court, May 16, 2016:

Kevin M. McGinty & George Patterson of Mintz Levin:
"...the Supreme Court in Spokeo, Inc. v. Robins held that a plaintiff does not have Article III standing to sue in federal court under the Fair Credit Reporting Act (FCRA) and other federal statutes absent a sufficient allegation of the existence of a concrete injury. The Supreme Court was clear that alleging a bare procedural violation absent any concrete injury to the plaintiff was insufficient to move a case forward."

Mintz Levin, Supreme Court’s Spokeo Decision Strengthens Standing Defense For Employers In FCRA And Other Statutory Class Actions, June 3, 2016

Mintz Levin Article

SCOTUSBlog Coverage

EPIC.org Coverage

Harvard Law Review

Slate.com Opinion

Related Case: Neiman Marcus

Remijas v. Neiman Marcus: Seventh Circuit Court, July 20, 2015:

Judge Wood:
"Why else would hackers break into a store’s database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities."

Seventh Circuit Court Ruling, July 20, 2015

Download Full Court Ruling

Neiman Marcus to Pay $1.6M to End Credit Card Breach Case

EPIC.org Coverage

Related Case: OPM Hack

Class action suits brought by unions within the OPM are pending. They face the same question of standing that was at issue in the CareFirst case:

A federal employee union is fighting the federal government’s attempt to dismiss the group’s lawsuit seeking further remedies after a hack of data maintained by the Office of Personnel Management exposed the personal information of millions of current and former civil servants.

Eric Katz, Union Argues Court Should Not Grant OPM’s Motion to Dismiss Hack Lawsuit, GovExec.com, November 11, 2016

LawFare: Why the OPM Hack Is Far Worse Than You Imagine

Wired: Inside The Cyberattack That Shocked The US Government

Wikipedia Coverage

Will CareFirst Go to the Supreme Court?

CareFirst will appeal this ruling. The question is whether SCOTUS will accept the case. With the Circuit courts split but shifting toward the rights of the consumer, it seems possible the Supreme Court will want to settle this issue.

John Tomaszewski, senior counsel at Seyfarth Shaw LLP:
"This is one of those fundamental, philosophical, jurisprudential questions that the Supreme Court was designed to resolve."

Allison Grande, Data Breach Suits Find Easier Path With DC Circ. Ruling, Law360, August 3, 2017

Breaches and Small Businesses

Malicious Software Hits Parking App Maker

parkbytext is an app that allows users to pay for parking at locations in the US and UK. The company was hit with malicious software in July of 2017 that forced it to change servers and notify customers of a potential breach. The breach may have compromised phone numbers, email addresses, home addresses and vehicle registrations; the company says "we cannot say this with 100% certainty at this stage." While SSN and credit card data were apparently not lost, any kind of PII loss can promote identity theft. The forensic investigation is ongoing.

As for parkbytext, the ultimate impact on the company is of course unknown. But this kind of event is the last thing that a small business trying to gain traction needs.

Invest in Your Company’s Future

CSR translates complicated regulations on data security and confidentiality into practical business rules.

Protect your business by assessing your privacy risk, identifying the weaknesses, and taking steps to remedy privacy and security deficiencies. For more information or to order CSR Readiness® Privacy Assessment, contact us today and speak to an authorized reseller.
