Supreme Court Could Decide Question of “Harm” in Data Breaches
A case related to breaches at the firm CareFirst could see the U.S.’s top court weighing in on the legal question of whether having your data stolen constitutes “harm” to individuals.
The U.S. Supreme Court could soon take up a case that centers on the question of what constitutes “harm” to consumers when their data is stolen, allowing them to sue in a court of law.
As reported by HealthITSecurity.com, CareFirst has filed a petition for a Writ of Certiorari with the U.S. Supreme Court, essentially asking the nation’s top court to review a lower court ruling by the U.S. Court of Appeals for the District of Columbia. That ruling (PDF), in August, reversed a prior court ruling regarding two data breaches in 2014 and 2015 that exposed information on 1.1 million current and former CareFirst members.
At issue is whether individuals whose data is stolen have “standing” under Article Three of the US Constitution to sue the organization responsible for the loss of that data in court.
A Maryland District Court initially found in July, 2016 that a class action lawsuit filed by individuals whose information was exposed by CareFirst did not have standing to sue the company because they could not prove that they had experienced harm resulting from the breaches.
The plaintiffs, acting on behalf of all individuals affected by the CareFirst breach said the healthcare firm “knew or should have known earlier of both breaches, as the information stolen is allegedly ‘highly coveted by and a frequent target of hackers.’”
CareFirst customers had a reasonable expectation that the company would protect their confidential personal information. The loss of that data, they argued, exposed them to the risk of losing “money and property.” But the Maryland district court disagreed: saying the plaintiffs couldn’t prove they suffered any concrete injury as a result of the theft, nor how the stolen data might be used to cause harm.
In reviewing that ruling, however, the US Court of Appeals for the District of Columbia disagreed, finding that “an unauthorized party has already accessed personally identifying data on CareFirst’s servers,” and that it is “plausible...to infer that this party has both the intent and the ability to use that data for ill.”
Following that turn of events, CareFirst has asked the US Supreme Court to review the DC Appeals Court ruling, meaning that the nation’s High Court could soon decide - once and for all - whether the theft of data belonging to an individual constitutes “harm” that entitles the affected individual to seek redress in court under Article Three of the Constitution.
A series of massive breaches as well as individual and class action lawsuits stemming from them have found U.S. courts struggling with the question of what standing breach victims have in the absence of concrete evidence tying the theft of data to financial harm or other loss of property.
CareFirst is asking the Supreme Court to decide “whether a plaintiff has Article III standing based on a “substantial risk of harm that is not imminent and where the alleged future harm requires speculation about the choices of third-party actors not before the court.”
For example, consumers whose data was stolen in an attack on the craft store Michaels had their class action case dismissed in September, 2016 when a federal judge in U.S. District Court for the Eastern District of New York dismissed a class action suit by citing a legal precedent set by the recent Supreme Court ruling in “Clapper v. Amnesty International,” a case that centered on a challenge to US government surveillance of overseas communications.
But the Maryland Appeals Court found important differences between the Clapper v. Amnesty case and the case brought forth by the CareFirst customers. “ In Clapper, the plaintiffs feared the interception of their overseas communications by the government, but that harm could only occur through the happening of a series of contingent events, none of which was alleged to have occurred by the time of the lawsuit.” The chance of crimes or harm resulting from the theft of valuable data by criminals intent on using it was much less contingent, the Appeals Court concluded.
Citing a Seventh Circuit case, the D.C. Appeals court asked, “Why else would hackers break into a . . . database and steal consumers’ private information? Presumably, the purpose of the hack is, sooner or later, to make fraudulent charges or assume those consumers’ identities.”
The Supreme Court is set to decide on whether to consider the case on December 1st. Given the vast gaps between two lower court rulings, and the increasing prevalence of data breaches and cases arising from them, it is likely the Supreme Court will take up the case.
Paul Roberts is the Editor in Chief at The Security Ledger and Founder of The Security of Things Forum.