While we have seen defendants in data breach cases argue that plaintiffs were not injured and therefore lack standing to bring suit, litigants in a recent data breach case have directly addressed issues some litigants have previously danced around.
On August 6, 2015, Pamela Chambliss and Scott Adamson (Plaintiffs) filed a class action complaint in a Maryland District Court against Carefirst, Inc. (which operates under the tradename Carefirst Blue Cross Blue Shield) related to a data breach at Carefirst in 2014. The Plaintiffs claim they have health insurance through Carefirst and, therefore, were required to furnish private information to Carefirst. The class action complaint seeks damages based on allegations that Carefirst failed to adequately secure its computer hardware that stored the Plaintiffs’ personal information. Carefirst discovered this breach on May 20, 2015. The breach released the names, birthdates, email addresses and “subscriber information” of 1.1 million individuals. The class action complaint indicates Carefirst did not encrypt the stored data and was viewed as a “soft target” by hackers.
The first cause of action was based on allegations that Carefirst was negligent by failing to safely store personal information and “potentially confidential health information” of its members. The class action Plaintiffs further claimed this breach “proximately caused an unauthorized disclosure” of Plaintiffs’ information. The second cause of action was based on allegations that Plaintiffs’ relied on Carefirst’s representations concerning its privacy and security before they purchased health insurance. The third cause of action alleged Carefirst was unjustly enriched when it did not pay for the security and protection promised to the Plaintiffs. Finally, the Plaintiffs alleged Carefirst’s conduct constitutes a violation of the Maryland Personal Information Protection Act.
On September 24, 2015, Carefirst filed its motion to dismiss the class action complaint, asserting Plaintiffs’ action is defective because “Plaintiffs have not alleged that they suffered an injury cognizable under Article III of the Constitution.” That is, Carefirst claims the Plaintiffs lacked standing to bring the action because the Plaintiffs’ data was not alleged to be misused in any manner. In its supporting brief, Carefirst points out the difficulty class action plaintiffs are having surviving motions to dismiss:
Data theft is an unfortunate and increasingly common occurrence in contemporary life, victimizing literally millions of Americans. Fortunately, data loss does not always produce actual harm. Just as companies are learning how to harden their defenses against cyber theft, our Nation’s courts are learning to sort out the claims of truly injured victims from those who launch class actions without having suffered any real harm. This action falls into the latter category.
On November 5, 2015, the Plaintiffs filed their opposition to Carefirst’s motion to dismiss. The Plaintiffs wasted no time addressing what appeared to be the current trend of plaintiffs having difficulties showing damage from a data breach. The opening paragraphs take aim at Carefirst’s argument as follows:
Defendants, in their Motion, assert that data theft is a “common occurrence” as if that somehow excuses them from culpability for failing to take the reasonable, necessary steps to protect the plethora of sensitive, highly confidential personal and medical information in their possession and the harms that their insureds suffer as a result of that failure. Brief at 1.1 Defendants cannot get off so easily. In fact, the commonness of such breaches actually makes each subsequent breach all the more egregious. Just as the landlord in a high-crime area can be held liable when he fails to install a secure lock on a tenant’s door and a criminal breaks into a tenant’s apartment and harms her as a result, see e.g. Lay v. Dworman, 732 P.2d 455 (Okla. 1987), so, too, can a health insurer, who knows of the risk of cyberattack, be liable when it fails to secure its insureds’ confidential personal information.
Of course, the current dispute in the Carefirst case is based on what is becoming a substantial body of law concerning standing for data breach cases. In just the last year, we have seen the following developments on the standing issue:
- 7th U.S. Circuit Court of Appeals: On July 20, 2015, the 7th Circuit issued its decision in Remijas v. Neiman Marcus Group, LLC, directly addressing Article III of the U.S. Constitution, the standing for data breach plaintiffs. In reversing the District Court, the 7th Circuit held that “[a]llegations of future harm can establish Article III standing if that harm is ‘certainly impending,’ but ‘allegations of possible future injury are not sufficient.’” In short, the 7th Circuit found the plaintiffs met the requirement under Clapper “that injury either already [has] occurred or [was] ‘certainly impending.’”
- District Court for Southern District of Texas: In Peters v. St. Joseph Serv., Corp., the District Court dismissed plaintiff’s claims on a 12(b)(1) Motion after finding that allegations of an increased risk of future harm were not sufficient to confer standing.
- District Court for Northern District of Georgia: Home Depot filed a motion to dismiss asserting the Class Action Plaintiffs lacked standing to bring suit for its data breach.
- District Court for Minnesota: In the Target litigation, the District Court held the Financial Institutions’ action survived Target’s Motion to Dismiss.
All of these cases trace their origins back to the Supreme Court’s 2013 opinion in Clapper v. Amnesty Int’l finding that the mere increased risk of future harm does not confer Article III standing.
The briefs in the Carefirst case demonstrate that litigants are starting to directly address the difficult questions related to data breach cases as courts gain a better understanding of these cases. While plaintiffs have hit a number of hurdles in establishing damages, defendants’ argument that everyone is suffering a data breach may lose credibility with courts.