WASHINGTON (Legal Newsline) -- Reports of data breaches have become commonplace, prompting U.S. courts to raise the bar on associated class action lawsuits.
The U.S. District Court for the District of Columbia in early August declined to grant standing to a class action filed in the wake of a data breach at CareFirst BlueCross BlueShield. Hackers compromised health insurer CareFirst's IT systems in June 2014 and obtained personal data for more than a million BlueCross BlueShield policyholders.
In dismissing the class action, Judge Christopher Cooper concluded that the plaintiffs failed to show that the private personal data allegedly obtained by hackers had caused any injury to plaintiffs or was sufficient in and of itself to do so. Significantly for the court, plaintiffs failed to provide evidence that the perpetrators of the data breach had obtained Social Security or credit card numbers.
Merely establishing that private personal information had been illegally acquired via a data breach is no longer sufficient to warrant standing in a class action, Ballard Spahr attorney Edward McAndrew said.
"In and of itself the CareFirst data breach is just another development in the establishment of precedent regarding standing in data breach cases," he told Legal Newsline.
"What's new here is that courts are saying they're going to look at the particular types of data allegedly acquired in security breaches and determine if there's a high risk of stolen data to be used for criminal purposes. In CareFirst the court concluded that factual allegations regarding the data stolen provided by plaintiffs did not reveal any actual or impending injury, or demonstrate a substantial likelihood that personal injury could occur."
The CareFirst decision reinforces and adds to a May U.S. Supreme Court ruling on a technical legal issue raised in Robins v. Spokeo, a class action in which a plaintiff asserted he had been harmed by false personal information sold by data broker Spokeo that had been published on the Internet. Reversing an appellate court ruling, the high court justices voted 6-2 in concluding that plaintiff failed to show he had suffered concrete harm.
In that case, the court disagreed with plaintiffs attorneys' argument that even without demonstrating personal injury, violation of a statute - in this case the D.C. Consumer Protection Procedures Act (DCPPA) - was sufficient grounds for granting class action status.
“We have made it clear time and time again that an injury, in fact, must be both concrete and particularized,” Justice Samuel Alito wrote in the majority opinion. He added that certain types of mistakes wouldn’t qualify as evidence of injury.
“An example that comes readily to mind is an incorrect ZIP code. It is difficult to imagine how the dissemination of an incorrect ZIP code, without more, could work any concrete harm.”
More broadly in CareFirst, the court's conclusion that private personal data allegedly acquired in a data breach is not likely to result in the misuse of that information is highly debatable, McAndrew said.
"Other courts have reached the opposite conclusion," he said. "In Remigas class action, the Seventh U.S. Court of Appeals decided that class action plaintiffs had sufficient standing based solely on the alleged theft of personal data from the P.F. Chang restaurant chain."
In that 2014 civil lawsuit, two Illinois men did show that the personal debit card data obtained in the breach was subsequently used to make fraudulent charges, he pointed out.
"Some 350,000 credit card numbers allegedly were stolen, and plaintiff attorneys showed that over 9,000 of those actually had been used to commit credit card fraud, or ID theft," McAndrew said.
In addition, in CareFirst, the court did not address the potential for hackers to obtain sufficient personal data to perpetrate fraud/ID theft or other criminal acts by assembling digital dossiers on consumers from multiple sources, McAndrew continued.
''They wind up combining all the data they can acquire to create a much more comprehensive dossier that could be sold on the 'dark web.'''
Email addresses were stolen in the CareFirst case, and plaintiffs did submit evidence that SSNs had been acquired subsequent to a court briefing on the issue. The court ruled that such evidence would not be considered as plaintiffs did not mention that in their complaint, however.